Version: 1.2.0

IP Type

Enrich Network Analysis

Synopsis

Analyzes IP addresses to determine their type (IPv4 or IPv6) and network classification (Public or Private) based on RFC specifications and reserved address ranges.

Schema

- ip_type:
    description: <text>
    field: <ident>
    target_field: <ident>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field	Required	Default	Description
`field`	Y		Field containing the IP address to analyze
`target_field`	N	Same as `field`	Base field name for storing IP type information
`description`	N	-	Explanatory notes
`if`	N	-	Condition to run
`ignore_failure`	N	`false`	See Handling Failures
`ignore_missing`	N	`false`	Continue processing if the field is missing
`on_failure`	N	-	See Handling Failures
`on_success`	N	-	See Handling Success
`tag`	N	-	Identifier

Details

The processor analyzes IP addresses and creates two sub-fields containing classification information:

{target_field}.type: The IP version type (IPv4, IPv6, or Unknown)
{target_field}.network: The network classification (Public, Private, or Unknown)

IPv4 Classification

For IPv4 addresses, the processor identifies private ranges according to RFC 1918 and other special-use addresses:

Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Loopback: 127.0.0.0/8
Link-local: 169.254.0.0/16
Special addresses: 0.0.0.0/32, 255.255.255.255/32

IPv6 Classification

For IPv6 addresses, the processor identifies various private and special-use ranges:

Loopback: ::1/128
Link-local: fe80::/64
Unique Local Addresses (ULA): fc00::/7
Site-local (deprecated): fec0::/10
Multicast: Various multicast ranges

info

This processor follows RFC 1918, RFC 3927, RFC 4193, and other networking standards to accurately classify IP addresses for security analysis and network monitoring.

note

The processor automatically handles IPv6 zone identifiers (e.g., fe80::1%eth0) by stripping the zone suffix before analysis, ensuring accurate classification.

tip

Use IP type classification for security analysis, network segmentation validation, and traffic analysis. Private IP detection is particularly useful for identifying internal vs. external traffic patterns.

Examples

Basic IPv4 Public Address

Analyze a public IPv4 address...	`{ "client_ip": "8.8.8.8" }` `- ip_type: field: client_ip`
to determine its classification:	`{ "client_ip": "8.8.8.8", "client_ip.type": "IPv4", "client_ip.network": "Public" }`

Private IPv4 Address

Identify private network addresses...	`{ "internal_ip": "192.168.1.100" }` `- ip_type: field: internal_ip target_field: network_info`
with custom field names:	`{ "internal_ip": "192.168.1.100", "network_info.type": "IPv4", "network_info.network": "Private" }`

IPv6 Public Address

Analyze IPv6 addresses...	`{ "ipv6_addr": "2001:4860:4860::8888" }` `- ip_type: field: ipv6_addr`
for version and network type:	`{ "ipv6_addr": "2001:4860:4860::8888", "ipv6_addr.type": "IPv6", "ipv6_addr.network": "Public" }`

IPv6 Link-Local Address

Identify IPv6 link-local addresses...	`{ "local_ipv6": "fe80::1234:5678:9abc:def0" }` `- ip_type: field: local_ipv6`
as private network addresses:	`{ "local_ipv6": "fe80::1234:5678:9abc:def0", "local_ipv6.type": "IPv6", "local_ipv6.network": "Private" }`

Loopback Address Detection

Detect loopback addresses...	`{ "localhost": "127.0.0.1" }` `- ip_type: field: localhost target_field: loop_info`
as private network addresses:	`{ "localhost": "127.0.0.1", "loop_info.type": "IPv4", "loop_info.network": "Private" }`

IPv6 with Zone Identifier

Handle IPv6 zone identifiers...	`{ "ipv6_zone": "fe80::1%eth0" }` `- ip_type: field: ipv6_zone`
by stripping the zone suffix:	`{ "ipv6_zone": "fe80::1%eth0", "ipv6_zone.type": "IPv6", "ipv6_zone.network": "Private" }`

Multiple IP Analysis

Analyze multiple IP addresses...

{
  "source_ip": "10.0.0.1",
  "dest_ip": "203.0.113.1"
}

- ip_type:
    field: source_ip
- ip_type:
    field: dest_ip

for traffic flow analysis:

{
  "source_ip": "10.0.0.1",
  "dest_ip": "203.0.113.1",
  "source_ip.type": "IPv4",
  "source_ip.network": "Private",
  "dest_ip.type": "IPv4",
  "dest_ip.network": "Public"
}

Corporate Network Classification

Classify corporate network addresses...	`{ "employee_ip": "172.16.10.50" }` `- ip_type: field: employee_ip target_field: corp_network`
for security analysis:	`{ "employee_ip": "172.16.10.50", "corp_network.type": "IPv4", "corp_network.network": "Private" }`

Invalid IP Address Handling

Handle invalid IP addresses...

{
  "bad_ip": "not.an.ip.address",
  "empty_ip": ""
}

- ip_type:
    field: bad_ip
- ip_type:
    field: empty_ip
    ignore_missing: true

with Unknown classification:

{
  "bad_ip": "not.an.ip.address",
  "empty_ip": "",
  "bad_ip.type": "Unknown",
  "bad_ip.network": "Unknown",
  "empty_ip.type": "Unknown",
  "empty_ip.network": "Unknown"
}

IPv6 Unique Local Address

Identify IPv6 Unique Local Addresses...	`{ "ula_address": "fd12:3456:789a:1::1" }` `- ip_type: field: ula_address`
as private network addresses:	`{ "ula_address": "fd12:3456:789a:1::1", "ula_address.type": "IPv6", "ula_address.network": "Private" }`

Synopsis​

Schema​

Configuration​

Details​

IPv4 Classification​

IPv6 Classification​

Examples​

Basic IPv4 Public Address​

Private IPv4 Address​

IPv6 Public Address​

IPv6 Link-Local Address​

Loopback Address Detection​

IPv6 with Zone Identifier​

Multiple IP Analysis​

Corporate Network Classification​

Invalid IP Address Handling​

IPv6 Unique Local Address​