#!/usr/bin/perl -w
#
# reverse_lookup
#
# AUTHOR:
#   Dan Harkless
#
# COPYRIGHT:
#   This file is Copyright (C) 2004 by Dan Harkless, and is released under the
#   GNU General Public License.
#
# DESCRIPTION:
#   Does NetBIOS and DNS reverse lookups on a list of IP addresses.
#
#   More specifically, takes a list of files on the commandline (or reads stdin
#   if none are specified), and filters them, outputting to stdout, looking for
#   an IP address on each input line.  If found, "<IP>" is replaced with
#   "<IP>\t<NetBIOS lookup result>\t<DNS lookup result>" on output (where \t,
#   of course, means a TAB).
#
#   The NetBIOS lookup result is formatted as <group>\<hostname>, where <group>
#   is the NT domain or workgroup name.  This lookup is done with 'nbtstat', and
#   on Windows XP, at least, it requires administrative privileges to run.  If
#   you log in as a non-privileged user, you'll have to do something akin to
#   running the script from a Cygwin session started with
#   'runas /user:Administrator C:\cygwin\cygwin.bat' (doubling those
#   backslashes, of course, if you run that from bash).
#
#   The DNS reverse lookup is done with 'nslookup'.  If either lookup result is
#   unavailable, that TAB-separated field will simply be blank.
#
#   Note that if there is other text on the input lines besides the IP address,
#   it will be passed through unchanged (which implies that lines not containing
#   any IP addresses will be completely unchanged).  Also note that if there are
#   multiple IP addresses on a line, only the first one will be
#   'reverse_lookup'ed.
#
#   This script has only been tested under Cygwin Perl.
#
# DATE       MODIFICATION
# ========== ==================================================================
# 2004-03-23 Print an empty string rather than "\" if nbtstat fails on a host.
# 2004-03-03 There can be more than one "<00> UNIQUE" line (e.g. a second one
#            with "IS~" prepended) -- only take the 1st one for that and GROUP.
# 2004-02-27 If there is other text on the input lines besides the IP address,
#            pass it through unaltered.
# 2004-01-30 Original.
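use strict;

# Filter every input line (named files, or stdin when none are given).  The
# first dotted quad on a line is followed on output by two TAB-separated
# fields: the NetBIOS name and the DNS name.  Lines with no dotted quad are
# passed through unchanged.
while (my $line = <>) {
    # [0-9] rather than \d: the captured text is interpolated into the
    # command strings below, and \d can match non-ASCII digits when the input
    # has been decoded as characters.  With this pattern only ASCII digits
    # and dots ever reach a command line.  Octets are not range-checked, so
    # other dotted numbers (e.g. a version string) are looked up as well.
    if ($line =~ /^(.*?)([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)(.*?)$/) {
        my ($beginning_of_line, $ip, $end_of_line) = ($1, $2, $3);
        my $nbtstat  = _netbios_name($ip);
        my $nslookup = _dns_name($ip);
        print "$beginning_of_line$ip\t$nbtstat\t$nslookup$end_of_line\n";
    }
    else {
        print $line;
    }
}

# Strip control characters (TAB, CR, ESC, ...) from a looked-up name.  The
# names come from the remote host (NetBIOS) or from whoever serves the
# reverse DNS zone, so they are untrusted: left in place, a TAB would add an
# extra output field and an escape sequence would reach the terminal.
sub _clean_field {
    my ($text) = @_;
    $text =~ tr/\x00-\x1f\x7f//d;
    return $text;
}

# Run 'nbtstat -a' for $ip and return "group\hostname", just the hostname if
# no group was reported, or '' if neither was found or nbtstat could not run.
sub _netbios_name {
    my ($ip) = @_;
    my $hostname  = '';
    my $groupname = '';

    # $ip must stay limited to digits and dots: the command is given as one
    # string, and the file header notes the script may be run from an
    # Administrator session.
    if (open(my $nbtstat_fh, '-|', "nbtstat -a $ip")) {
        while (my $row = <$nbtstat_fh>) {
            # Runs of spaces are accepted wherever the table has padding.
            # Only the first <00> UNIQUE and the first <00> GROUP row count
            # (a later "IS~"-prefixed UNIQUE row must not replace the name).
            if ($row =~ /^ +([^ ]+).*<00> +UNIQUE/) {
                $hostname = $1 unless length $hostname;
            }
            elsif ($row =~ /^ +([^ ]+).*<00> +GROUP/) {
                $groupname = $1 unless length $groupname;
            }
            last if length $hostname and length $groupname;
        }
        # Best effort: a non-zero exit from nbtstat just leaves the field
        # blank, so the close status is deliberately not checked.
        close $nbtstat_fh;
    }
    else {
        warn "reverse_lookup: cannot run nbtstat for $ip: $!\n";
    }

    $hostname  = _clean_field($hostname);
    $groupname = _clean_field($groupname);
    return "$groupname\\$hostname" if length $groupname;
    return $hostname;
}

# Run 'nslookup' for $ip and return the name from the last "Name:" line of
# its output, or '' if there was none or nslookup could not run.
sub _dns_name {
    my ($ip) = @_;
    my $name = '';

    # The 2>&1 redirect makes this command go through the shell, so the
    # digits-and-dots guarantee on $ip is what keeps it injection-free.
    if (open(my $nslookup_fh, '-|', "nslookup $ip 2>&1")) {
        while (my $row = <$nslookup_fh>) {
            $name = $1 if $row =~ /^Name: *([^ \n]+)/;
        }
        # Best effort, as for nbtstat: a failed lookup leaves the field blank.
        close $nslookup_fh;
    }
    else {
        warn "reverse_lookup: cannot run nslookup for $ip: $!\n";
    }

    return _clean_field($name);
}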