IP WHOIS Field Reference
May 22, 2025
The IP WHOIS Collection contains structured ownership and registration data for IP addresses and networks. It aggregates public WHOIS records to support attribution, infrastructure analysis, and threat actor profiling.
Property | Description |
---|---|
Document | Each document represents WHOIS registration details for an IP address or IP range. |
Unique Identifier | The ip field serves as the unique identifier for each document. |
Default Fields | No default fields are defined for this collection. |
Addressing
This is the main entry point for searching and analyzing IP ownership and allocation.
ip
The IP address or range associated with the WHOIS record.
Field type: IP_RANGE
Examples: 1.1.1.1, 23.215.0.136
Usage in queries:
- Exact match:
- Multiple addresses:
- IP range:
Information
The information fields provide detailed registration data about the IP address or range, including abuse contacts, autonomous system information (ASN), and network metadata.
abuse
Abuse contact email addresses associated with the IP.
Field type: KEYWORD
Examples: [email protected], [email protected]
Usage in queries:
- Networks managed by Google:
abuse:"[email protected]"
- Educational networks:
asn.cidr
CIDR range(s) announced by the ASN.
Field type: IP_RANGE
Examples: 192.0.2.0/24
asn.country
Country associated with the ASN registration. Always represented as a 2-letter code, following the ISO 3166-1 alpha-2 standard.
Field type: TEXT
Examples: US, DE
asn.name
Name or description of the autonomous system.
Field type: TEXT
Examples: GOOGLE, AMAZON-AES
Usage in queries:
- Search by AS name:
- Search by any name (net, related_nets or ASN):
asn.number
Autonomous System Number (ASN) assigned to the network.
Field type: KEYWORD
Examples: 15169, 13335
asn.registry
Regional Internet Registry (RIR) responsible for the ASN assignment.
The registries are:
- ripencc: RIPE Network Coordination Centre, responsible for Europe, the Middle East, and parts of Central Asia.
- arin: American Registry for Internet Numbers, responsible for North America and parts of the Caribbean.
- apnic: Asia-Pacific Network Information Centre, responsible for the Asia-Pacific region.
- afrinic: African Network Information Centre, responsible for Africa.
- lacnic: Latin America and Caribbean Network Information Centre, responsible for Latin America and the Caribbean.
Field type: KEYWORD
Examples: ripencc, arin, apnic, afrinic, lacnic
asn.updated
Timestamp when the ASN registration was last updated.
Field type: DATE
Examples: 2023-09-01T12:00:00Z
net.address
Address associated with the IP range registration.
This field contains only the address itself, while net.city, net.country, and net.postal_code are in separate fields.
Field type: TEXT
Examples:
1600 Amphitheatre Parkway
1 Hacker Way
60313 Zeil
net.cidr
CIDR range representing the allocated IP block.
Field type: IP_RANGE
Examples: 192.0.2.0/24
net.city
City related to the IP network registration.
Combine this field with net.country and net.address to get full address information.
Field type: TEXT
Examples: Mountain View, Frankfurt
net.contacts.emails
Contact email addresses for the network.
Field type: KEYWORD
Examples: [email protected]
net.contacts.persons
Names of contact persons associated with the network.
Field type: TEXT
Examples: John Doe
net.contacts.phones
Phone numbers of network contacts.
Field type: KEYWORD
Examples: +1-650-253-0000
Usage in queries:
- Contacts with Tokyo phones:
net.country
Country associated with the network.
Always represented as a 2-letter code, following the ISO 3166-1 alpha-2 standard.
Field type: TEXT
Examples: US
Usage in queries:
- Hong Kong networks:
- United Arab Emirates networks:
net.created
Date when the network registration was created, in the YYYY-MM-DD format.
Field type: DATE
Examples: 2016-08-17
net.description
Textual description of the network. In most cases, this is the organization name.
Field type: TEXT
Examples:
Google LLC IP Range
CERN - European Organization for Nuclear Research CH-1211 Geneva 23, Switzerland
Usage in queries:
net.end_ip
Ending IP address of the range described by this document.
Field type: IP
Examples: 192.0.2.255
net.handle
Unique network handle assigned by the RIR.
Field type: KEYWORD
Examples: NET-192-0-2-0-1
net.name
Name of the IP network.
Field type: TEXT
Examples: GOOGLE
Usage in queries:
- Search by net name:
- Search by any name (net, related_nets or ASN):
net.net_size
Size of the IP range, calculated as the number of addresses.
Field type: LONG
Examples: 256
net.organization
Organization name associated with the network.
Field type: TEXT
Examples: Google LLC
Usage in queries:
net.postal_code
Postal code related to the address in the net.address field.
Field type: KEYWORD
Examples: 72212
net.range
Textual representation of the IP range.
Field type: TEXT
Examples: 192.0.2.0 - 192.0.2.255
net.remarks
Additional notes or remarks related to the network, often about contact validation.
Field type: TEXT
net.start_ip
Starting IP address of the range described by this document.
Field type: IP
Examples: 192.0.2.0
net.state
State associated with the network, related to the net.address field.
This field is mostly used for US-based networks and contains a 2-letter state abbreviation.
Field type: TEXT
Examples: TX, LA
net.updated
Timestamp when the network record was last updated, in the YYYY-MM-DD format.
Field type: DATE
Examples: 2024-12-05
related_nets
Related network blocks connected to the current network through shared organizations, contacts, or administrative links. Fields have the same structure as net.
Field type: OBJECT
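The addressing fields above (ip, net.cidr, net.start_ip, net.end_ip, net.net_size, net.range) describe the same block in different forms, so a record can be checked for internal consistency before it is used for attribution. The following is an added example, not part of the original reference or the product's own code. It assumes a document is available as a nested dictionary mirroring the dotted field names and that net.cidr holds a single CIDR block; check_whois_doc and SAMPLE are hypothetical names.

```python
import ipaddress
import re
from datetime import date

# Registry keywords listed under asn.registry on this page.
REGISTRIES = {"ripencc", "arin", "apnic", "afrinic", "lacnic"}

def check_whois_doc(doc):
    """Return a list of field inconsistencies in one IP WHOIS document."""
    net, asn = doc.get("net", {}), doc.get("asn", {})
    try:
        block = ipaddress.ip_network(net["cidr"], strict=True)
    except (KeyError, ValueError) as exc:
        return [f"net.cidr missing or invalid: {exc}"]
    problems = []
    # start_ip, end_ip, net_size and range must all describe the same block.
    expected = {"start_ip": str(block[0]), "end_ip": str(block[-1]),
                "net_size": block.num_addresses,
                "range": f"{block[0]} - {block[-1]}"}
    for field, want in expected.items():
        if net.get(field) != want:
            problems.append(f"net.{field}: {net.get(field)!r} != {want!r}")
    # ip is an IP_RANGE: accept one address or a CIDR inside net.cidr.
    try:
        if not ipaddress.ip_network(doc["ip"], strict=False).subnet_of(block):
            problems.append(f"ip {doc['ip']} is outside net.cidr {block}")
    except (KeyError, ValueError, TypeError):
        problems.append("ip missing, malformed, or wrong address family")
    if asn.get("registry") not in REGISTRIES:
        problems.append(f"asn.registry: unknown value {asn.get('registry')!r}")
    for path, value in (("asn.country", asn.get("country")),
                        ("net.country", net.get("country"))):
        if not re.fullmatch(r"[A-Z]{2}", value or ""):
            problems.append(f"{path}: {value!r} is not an alpha-2 code")
    for name in ("created", "updated"):
        try:
            date.fromisoformat(net.get(name) or "")
        except (ValueError, TypeError):
            problems.append(f"net.{name}: {net.get(name)!r} is not YYYY-MM-DD")
    return problems

# Constructed sample document built from the example values on this page.
SAMPLE = {
    "ip": "192.0.2.10",
    "asn": {"registry": "arin", "country": "US"},
    "net": {"cidr": "192.0.2.0/24", "start_ip": "192.0.2.0",
            "end_ip": "192.0.2.255", "net_size": 256,
            "range": "192.0.2.0 - 192.0.2.255", "country": "US",
            "created": "2016-08-17", "updated": "2024-12-05"},
}
```

An empty list means the addressing, registry, country and date fields agree with each other and with the formats described in this reference.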
Service Fields
Service fields provide metadata about the document itself.
@timestamp
The timestamp when the document was indexed. This time is usually very close to the scan time, with a difference of only a few hours.
Field type: DATE
Examples:
2023-01-01T12:00:00Z
2023-10-15T08:30:00Z
Usage in queries:
raw
The raw unstructured WHOIS text obtained from the registrar.
Field type: TEXT
Usage in queries:
- Search "Microsoft" anywhere in the raw WHOIS response: