Retrieving IP addresses - 2 questions

(imported topic written by SLB)

There are a couple of things we’d like to be able to achieve for storing IP-related info and I’m not sure how to go about this or even if they are possible.

  1. Is it possible to retrieve the real IP address of computers within a property?

(addresses whose (it as string != "0.0.0.0") of ip interfaces whose (loopback of it = false) of network as string) will return the IP address of any active interfaces, but we would like to know the real IP address, not a NAT address. Presumably this is known somewhere to the BigFix server when sending actions to computers on the public internet that communicate via a relay in a DMZ, but can this be captured via relevance or some alternative means?

  2. Where multiple IP addresses are in use, such as systems with multiple NICs (e.g. onboard and WiFi), is it possible to record the active IP address, i.e. the address that the server / relay received the communication from?

Thanks in anticipation

Rob

(imported comment written by BenKus)

Hi Rob,

Two tricky questions…

  1. I am not sure if you misphrased this or there is some confusion here… The IP Address property returns the IP address of the computer from the computer’s point of view (not taking into account any NATs or other network-level changes of the IP). But you are correct that the BES Server (and relays) do know of the last known “apparent IP address” in some form. Unfortunately, you can’t get the value in relevance (or really in any easy form).

The issue is that only the agent’s immediate parent knows the apparent IP address (the higher level relays/server only remember the relay the agent talked to). The information about apparent IP address is found in the registrationlist.txt in the “clientregisterdata” folder of BES Servers/Relays. In order to look up the IP address, you will need to know the computer ID of the computer.

  2. Unfortunately, it is very difficult for our application to know which NIC is actually being used to route traffic. We simply make a network call to the OS and it handles all the network interaction and routing, so there isn’t much we can do today for this (and I am not sure what is theoretically possible).

Ben

(imported comment written by MartinZ91)

Hi Rob,

I had a very similar problem in finding out which is the IP address used for BES communication on machines with several NICs.

The situation, and an idea which ran on most OSes (Windows was OK):

  • the BESagents communicate with relays regularly and could communicate with the BESServer in emergencies (the firewalls allow this communication)
  • I created a text file with just one line “QUIT”
  • I created a BES task containing an action line “telnet {BES-Server-IP} {BES-Server-TCP-port} < {name-of-textfile-created}”
  • this starts a TCP-session to the BES-server which will do nothing useful (QUIT is not a valid BES-command I assume)
  • after the timeout of this telnet, the action script continues to find all open network connections (netstat -an)
  • on most OS used in our deployment (but not all) there still was a TCP-connection in state “TIME-WAIT” directed to the BES-server
  • with some grep/findstr I was able to get from this netstat list the other end of the “TIME-WAIT” connection which of course is the IP-address which the BESagent used

This approach works if the OS itself knows exactly one “good/preferred/low-routing-cost” path in TCP/IP to the BESserver and if the OS does not tidy up the TCP buffers immediately after the connection timeout.

In the end I did not use this approach because of the different OS behaviours. I defined some “valid IP subnet lists” for each host, which I put into the relevance to find out the most probable IP address used for the communication to the server.

Martin
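Martin’s netstat idea, as an added Python example that is not code from this thread: it parses constructed netstat -an output in both the Windows and the Linux layout, returns the local address of the connection to an assumed BES server address and port (198.51.100.9:52311 here, a placeholder; 52311 is the BigFix default port), and returns None when the OS has already dropped the TIME_WAIT entry, which is the failure case Martin describes.

```python
import re
from typing import Optional, Tuple

# Constructed sample output (not real captures). The Windows host has two NICs
# (10.10.4.21 and 192.168.1.50); only 10.10.4.21 was used to reach the server.
WINDOWS_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.10.4.21:49710       203.0.113.7:443        ESTABLISHED
  TCP    10.10.4.21:49731       198.51.100.9:52311     TIME_WAIT
  TCP    192.168.1.50:49740     192.168.1.1:445        ESTABLISHED
"""
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 172.16.8.33:41020       198.51.100.9:52311      TIME_WAIT
tcp        0      0 172.16.8.33:41018       203.0.113.7:80          ESTABLISHED
"""
# Same host after the OS tidied up its TCP table: nothing left to find.
TIDIED_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
"""

BES_SERVER = "198.51.100.9"   # assumed server address (placeholder)
BES_PORT = 52311              # BigFix default port

# IPv4 socket "a.b.c.d:port"; "0.0.0.0:*" deliberately does not match.
SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def local_ip_used_for(netstat_text: str, server_ip: str, server_port: int,
                      states: Tuple[str, ...] = ("TIME_WAIT", "TIME-WAIT", "ESTABLISHED")
                      ) -> Optional[str]:
    """Return the local IP of the first TCP entry whose foreign end is
    server_ip:server_port and whose state is accepted, else None."""
    for line in netstat_text.splitlines():
        fields = line.split()
        # Windows: Proto Local Foreign State; Linux: Proto Recv-Q Send-Q Local Foreign State.
        if len(fields) < 4 or not fields[0].lower().startswith("tcp"):
            continue
        socks = [f for f in fields if SOCKET_RE.fullmatch(f)]
        if len(socks) < 2 or fields[-1].upper() not in states:
            continue
        f_ip, f_port = SOCKET_RE.fullmatch(socks[1]).groups()
        if f_ip == server_ip and int(f_port) == server_port:
            return SOCKET_RE.fullmatch(socks[0]).group(1)
    return None
```

As Martin notes, the answer is only meaningful when the OS has a single preferred route to the server; a None result means the TIME_WAIT entry was already gone and a relevance-based subnet list is the fallback.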

(imported comment written by BD12)

I saw the other thread that pointed to this, but it really doesn’t provide a full answer. I could see how it would often be useful to obtain this NAT address.

Since the client talks to the server frequently when it checks in, have you ever thought of having the relay server return something like an “I-See-You-As-IP:” address header which the client could then store and make available in a property?

The telnet solution is creative, but having this available as a client property would be useful (tracking this over time gives you a bit of lightweight lojack technology too…)

Just a thought.

Cheers.

(imported comment written by BenKus)

Hey BD,

Your implementation is exactly what we have talked about adding into the system… we just haven’t done it yet… but I agree that it would be very cool…

We will see if we can slip it into one of the upcoming versions…

Ben

(imported comment written by BD12)

Just one other thought. When you implement this solution you may wish to make it proxy-aware, utilizing any X-Forwarded-For headers any proxies in the middle may have provided.

Thanks.

(imported comment written by SystemAdmin)

I too wanted to figure out what public IP address some of our mobile users were connecting from, so I cobbled together this fixlet (this is an old thread so I hope I didn’t do all this for nothing and the functionality got added to the product and I missed it…). I use wget for Windows (http://gnuwin32.sourceforge.net/packages/wget.htm) to pull down the text from a web page that actually determines the public IP and save that to a file. Then I use an analysis to manipulate the text and pull out the IP address. The fixlet also saves some nslookup info on the hostname associated with the IP, but I haven’t taken the time to pull that into the analysis. I have an action that updates the text file on a schedule and the analysis is set to evaluate on a schedule as well for updates. I welcome others to make this better/easier/more sophisticated/etc. Hopefully this will help some people out or point them in the right direction. Share your modifications so I can take advantage of them :)

Keep in mind that this will pull the public IP from the network card that has control over the default gateway. For instance, if you have a mobile user that is connected on a wireless link in their hotel but they are on a VPN connection back into the corporate office and that VPN connection is forcing all traffic (tunnel all) through the VPN, then the public IP you’ll get is the public IP of your corporate firewall. Anyway, it gave me most of the info I needed.

Fixlet Action Script:

// I packaged wget for windows as the source file for this fixlet so make sure you have it on the system somewhere or figure out how to pull the html straight from the webpage - I thought I had that working using "download as" but
// I never got it quite right
// create the working folder on first run
if {not exists folder "C:\Source\PublicIP"}
delete __appendfile
appendfile mkdir "C:\Source\PublicIP"
move __appendfile makedir.bat
waithidden makedir.bat
endif
// fetch the page that reports the public address
waithidden __Download\wget.exe http://checkip.dyndns.org -O c:\source\publicip\publicipraw.txt
// publicipraw.txt is the dyndns HTML page; keep only the address between "Current IP Address: " and the next tag
appendfile {preceding text of first "<" of (following text of first ": " of line 1 of files "c:\source\publicip\publicipraw.txt")}
delete c:\Source\PublicIP\publicip.txt
move __appendfile c:\Source\PublicIP\publicip.txt
delete __appendfile
// reverse lookup of the public address, saved for later use
appendfile nslookup <c:\source\publicip\publicip.txt >c:\source\publicip\nslookup.txt
move __appendfile rdns.bat
waithidden rdns.bat

Analysis Properties:

preceding text of first "<" of (following text of first ": " of line 1 of files "c:\source\publicip\publicipraw.txt")

Analysis Relevance:

(name of operating system as lowercase starts with "win") AND (exists files "c:\source\publicip\publicipraw.txt")

(imported comment written by upinya91)

Ben Kus

Hey BD,

Your implementation is exactly what we have talked about adding into the system… we just haven’t done it yet… but I agree that it would be very cool…

We will see if we can slip it into one of the upcoming versions…

Ben

Has this made it in yet? It would save me some time, indeed…

(imported comment written by BenKus)

I had forgotten to post after we had an update to this in BigFix 7.1:

http://forum.bigfix.com/viewtopic.php?pid=11489#p11489

Note that this only answers question #2 of Rob’s initial post and his question #1 is still not solved because we don’t know the IP address if there is a NAT.

Ben

(imported comment written by upinya91)

D8taSlay3r

I have an action that updates the text file on a schedule and the analysis is set to evaluate on a schedule as well for updates.

How’d ya do that? I’m thinking I can make a machine relevant when it does NOT have a university address, and then create the action to reapply ad infinitum if the fixlet becomes relevant again. In other words, when a machine loses its work address, it obviously is out and about. THAT is when the action will run again.

That’s my plan, anyways…

I tried to work in a WHOIS result of the IP into the fixlet using whosip.exe instead of nslookup, but the results from the ISPs were unusable…

Peter