API Documentation
Overview
Driftnet contains comprehensive IP registration data, and makes that data reverse-searchable.
Reverse searching
One of the most powerful features of Driftnet is the ability to reverse-search IP registration data. Reverse searching is often essential for asset discovery.
IP registration reverse search uses the ip/reverse endpoint. The query you'll want to use most often is phrase=:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/reverse?phrase=virgin+atlantic' \
  | jq .

{
  "page": 0,
  "pages": 1,
  "result_count": 29,
  "results": [
    {
      "cidr": "108.178.189.8/29",
      "contexts": [ "net" ],
      "matches": [ "VIRGIN ATLANTIC AIRWAYS" ]
    },
    ...

Driftnet returns a maximum of 100 results per page. Use the page= parameter to select a particular page number. Page numbering starts at zero. The contexts field tells you how Driftnet made a match.
For more fine-grained control over where the reverse search matches, use the address= and phone= parameters. To search organization names, but allow the terms to occur in any order, use the name= parameter.

Other useful reverse searches are domain:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/reverse?domain=virginatlantic.com' \
  | jq .

...and email:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/[email protected]' \
  | jq .

Enclosing ranges
When reverse-searching, it can be annoying to see IP ranges which are enclosed completely within other results.
For example, if you get a result 8.8.0.0/16, you might not want to also be told about 8.8.8.0/24. If that is the case, set the outer_only=true parameter:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/reverse?phrase=virgin+atlantic&outer_only=true' \
  | jq .
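
When building an asset inventory from saved reverse-search output, the paging and enclosing-range behaviour described above can also be handled client-side. The following is an added example, not Driftnet's own code: fetch_page is a hypothetical callable returning one decoded response, the sample pages are constructed, and outer_only() is a local approximation of the outer_only=true parameter rather than the server's implementation.

```python
import ipaddress

# Constructed sample responses, shaped like the ip/reverse output shown above.
SAMPLE_PAGES = [
    {"page": 0, "pages": 2, "results": [
        {"cidr": "8.8.8.0/24", "contexts": ["net"]},
        {"cidr": "8.8.0.0/16", "contexts": ["net"]},
        {"cidr": "192.0.2.128/25", "contexts": ["org"]}]},
    {"page": 1, "pages": 2, "results": [
        {"cidr": "192.0.2.0/24", "contexts": ["net"]},
        {"cidr": "198.51.100.0/24", "contexts": ["net"]}]},
]

def fetch_all(fetch_page):
    """Collect results from every page; fetch_page(n) returns one response."""
    first = fetch_page(0)  # page numbering starts at zero
    results = list(first["results"])
    for page in range(1, first["pages"]):
        results.extend(fetch_page(page)["results"])
    return results

def outer_only(results):
    """Drop results whose CIDR is completely enclosed by another result."""
    nets = [(ipaddress.ip_network(r["cidr"]), r) for r in results]
    # Shortest prefix first, so an enclosing range is always seen before
    # anything it encloses. Exact duplicates collapse to one entry.
    nets.sort(key=lambda item: (item[0].version, item[0].prefixlen,
                                int(item[0].network_address)))
    kept = []
    for net, result in nets:
        enclosed = any(net.version == outer.version and net.subnet_of(outer)
                       for outer, _ in kept)
        if not enclosed:
            kept.append((net, result))
    return [result for _, result in kept]

if __name__ == "__main__":
    everything = fetch_all(lambda n: SAMPLE_PAGES[n])
    for result in outer_only(everything):
        print(result["cidr"])
```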
IP WHOIS
We can search IP WHOIS data using the ip/whois endpoint.

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/whois?ip=8.8.8.8' \
  | jq .

{
  "net": {
    "cidr": "8.8.8.0/24",
    "name_address": [],
    "net_name": "LVLT-GOGL-8-8-8",
    "created": "2014-03-14T16:52:05.000Z",
    "last_modified": "2014-03-14T16:52:05.349Z",
    "registry": "ARIN"
  },
  "org": {
    "address": [ "1600 Amphitheatre Parkway", "Mountain View", "CA", "94043", "US" ],
    "cidr": "8.8.8.0/24",
    "name": "Google LLC",
    "created": "2000-03-30T00:00:00.000Z",
    "last_modified": "2019-10-31T15:45:45.762Z",
    "registry": "ARIN"
  }
}

This endpoint returns information on the net (network block) surrounding the IP, and the org (organization) that is responsible for it.
The API also makes available more detailed information on the points-of-contact associated with the IP address:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/whois/pocs?ip=8.8.8.8' \
  | jq .

[
  {
    "address": [ "1600 Amphitheatre Parkway", "Mountain View", "CA", "94043", "US" ],
    "cidr": "8.8.8.0/24",
    "name": "Google Inc.",
    "types": [ "org-abuse" ],
    "created": "2015-11-06T15:36:35.219Z",
    "emails": [ "[email protected]" ],
    "last_modified": "2022-10-24T08:43:11.730Z",
    "registry": "ARIN"
  },
  ...
]

Notice the types section here: this describes the type, or role, of point-of-contact being reported. Where the same point-of-contact is repeated in multiple roles, this array has multiple entries.
BGP WHOIS
IP WHOIS data shows the registered user of IP space. BGP WHOIS ("pwhois") data is a little different: it first checks the internet's core routing tables to see where traffic for your target IP address is actually routed, and then returns the registration data for the Autonomous System associated with that route.
In other words, BGP WHOIS can tell you who is actually using an IP address, not just who owns it. IP WHOIS and BGP WHOIS each have their advantages, and you'll typically want to check both.

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/pwhois?ip=8.8.8.8' \
  | jq .

{
  "as": {
    "as_name": "GOOGLE",
    "as_number": "AS15169",
    "cidr": "8.8.8.0/24",
    "name_address": [],
    "created": "2000-03-30T00:00:00.000Z",
    "last_modified": "2012-02-24T09:44:34.000Z",
    "registry": "ARIN"
  },
  "org": {
    "address": [ "1600 Amphitheatre Parkway", "Mountain View", "CA", "94043", "US" ],
    "as_name": "GOOGLE",
    "as_number": "AS15169",
    "cidr": "8.8.8.0/24",
    "name": "Google LLC",
    "created": "2000-03-30T00:00:00.000Z",
    "last_modified": "2019-10-31T15:45:45.762Z",
    "registry": "ARIN"
  }
}
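
Checking both sources for one address can be scripted. The following is an added example, not Driftnet's own code: it compares trimmed copies of the ip/whois and ip/pwhois responses shown above, plus one constructed pair (192.0.2.10, AS64500 and the "Example" organizations are invented) where the registered owner and the routing organization differ.

```python
import ipaddress

# Trimmed from the ip/whois and ip/pwhois responses shown above.
GOOGLE_WHOIS = {"net": {"cidr": "8.8.8.0/24"}, "org": {"name": "Google LLC"}}
GOOGLE_PWHOIS = {"as": {"as_number": "AS15169", "cidr": "8.8.8.0/24"},
                 "org": {"name": "Google LLC"}}
# Constructed pair: space registered to one organization, routed by another.
LEASED_WHOIS = {"net": {"cidr": "192.0.2.0/24"},
                "org": {"name": "Example Retail Ltd"}}
LEASED_PWHOIS = {"as": {"as_number": "AS64500", "cidr": "192.0.2.0/24"},
                 "org": {"name": "Example  Hosting Inc"}}

def _norm(name):
    """Case- and whitespace-insensitive form of an organization name."""
    return " ".join(name.upper().split())

def compare_registration(ip, whois, pwhois):
    """Summarize who registered an IP (whois) and who routes it (pwhois)."""
    addr = ipaddress.ip_address(ip)
    # Refuse to compare responses that were fetched for a different address.
    for label, cidr in (("ip/whois net", whois["net"]["cidr"]),
                        ("ip/pwhois as", pwhois["as"]["cidr"])):
        if addr not in ipaddress.ip_network(cidr):
            raise ValueError(f"{label} range {cidr} does not contain {ip}")
    registered = whois["org"]["name"]
    routed = pwhois["org"]["name"]
    return {
        "ip": ip,
        "registered_org": registered,
        "routed_asn": pwhois["as"]["as_number"],
        "routed_org": routed,
        "same_org": _norm(registered) == _norm(routed),
    }

if __name__ == "__main__":
    print(compare_registration("8.8.8.8", GOOGLE_WHOIS, GOOGLE_PWHOIS))
    print(compare_registration("192.0.2.10", LEASED_WHOIS, LEASED_PWHOIS))
```

A same_org value of False is a prompt to confirm who operates the address before treating it as in scope for an inventory or an abuse report.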
To get point-of-contact information for BGP WHOIS, call ip/pwhois/pocs, which works in a similar way to ip/whois/pocs:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/pwhois/pocs?ip=8.8.8.8' \
  | jq .

Both the ip/pwhois and ip/pwhois/pocs endpoints accept an asn= parameter, which can be used to look up registration data by Autonomous System Number.
Referral WHOIS
Referral WHOIS ("rwhois") is ISP-level IP WHOIS data. It can be a little messy compared to the higher-level data, but it can still be useful. You can search it using the ip/rwhois endpoint.

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/rwhois?ip=104.149.7.236' \
  | jq .
DNS PTR records
Driftnet collects reverse DNS records (DNS PTRs) for the entire IPv4 space, and summarizes them. To see the CIDR around a specific IP address, call ip/rdns:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/rdns?ip=104.149.7.236' \
  | jq .
BGP routes
To find the Autonomous Systems advertising routes to a specific IP address, call ip/routes with the ip parameter set:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/routes?ip=8.8.8.8' \
  | jq .

To find all routes advertised by a particular AS, use the same endpoint with the asn parameter:

curl -s -H 'Authorization: Bearer <your-api-token>' \
  'https://api.driftnet.io/v1/ip/routes?asn=AS15169' \
  | jq .