Handy WHOIS tip

2010-01-26 08:48:31 by chort

While doing some research last night I finally figured out how to query a WHOIS server for all netblocks owned by a particular organization. For example, to find all netblocks owned by OrgID: NOC, do the following:

$ whois -a '> o !NOC'

In this case I'm using BSD whois, so the '-a' means "search ARIN". The other options are for the server. ARIN's WHOIS server interprets '>' as "show subordinate entries", the 'o' as "query for organizations", and the '!' as "search for handle or ID".

You should get output that starts like:

Resources Used By Organization:
Network Operations Center Inc. (AS21788) NOC 21788
[additional lines removed]

Linux users will need to adjust the flags passed to whois.

You can often get help from a specific WHOIS server by querying for '?'. This needs to be protected from your shell, so either backslash escape it, or wrap it in single-quotes. To get help from ARIN's WHOIS server do this:

$ whois -a \?

Final note: BSD whois doesn't appear to have a flag to force the RWHOIS protocol, and different OSs have widely different ideas of which WHOIS ports are "well-known". For instance, OpenBSD has WHOIS and nothing else, while OS X has WHOIS++ and RWHOIS, but not WHOIS. FYI these are the ports:

whois           43/tcp          nicname
whois++         63/udp          # whois++
whois++         63/tcp          # whois++
rwhois          4321/udp        # Remote Who Is
rwhois          4321/tcp        # Remote Who Is

You can specify the port with the '-p' flag on BSD whois.
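
Because '>', 'o' and '!' are interpreted by the server and not by the client, the same query can be sent from any platform as a single line over TCP port 43, without depending on a particular whois client's flags. The Python below is an added example, not part of the original post; it assumes whois.arin.net is the server that '-a' selects, and the function names are made up for illustration.

```python
import re
import socket

ARIN_HOST = "whois.arin.net"  # assumption: the server BSD whois '-a' talks to
WHOIS_PORT = 43               # "whois 43/tcp" in the port list above


def arin_org_query(org_id, subordinates=True):
    """Build the query line from the post: '>' subordinates, 'o' org, '!' handle/ID."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", org_id):
        raise ValueError("unexpected characters in OrgID: %r" % org_id)
    return ("> " if subordinates else "") + "o !" + org_id


def exchange(sock, query):
    """Send one CRLF-terminated query on a connected socket, read until the peer closes."""
    if "\r" in query or "\n" in query:
        raise ValueError("query must be a single line")
    sock.sendall(query.encode("ascii") + b"\r\n")
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:          # the server closes the connection when it is done
            break
        chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def whois_query(query, host=ARIN_HOST, port=WHOIS_PORT, timeout=10.0):
    """Open a TCP connection to host:port and run one WHOIS exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return exchange(sock, query)


if __name__ == "__main__":
    # Same request as: whois -a '> o !NOC'
    print(whois_query(arin_org_query("NOC")))
```

Passing "?" as the query to whois_query() sends the same help request as the shell example, with no shell quoting needed.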