Home/ Questions/Q 7049189
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-28T02:58:58+00:00

Sample data: { 10116079620: {‘ip.dst’: [‘10.1.1.5’], ‘ip.src’: [‘1.2.3.4’], ‘category’: [‘Misc’]}, 10116882439: {‘ip.dst’: [‘1.2.3.4’], ‘ip.src’:

  • 0

Sample data:

{
    10116079620: {'ip.dst': ['10.1.1.5'], 'ip.src': ['1.2.3.4'], 'category': ['Misc']}, 
    10116882439: {'ip.dst': ['1.2.3.4'], 'ip.src': ['10.1.1.5'], 'category': ['Misc']}, 
    10116080136: {'ip.dst': ['10.10.10.99'], 'ip.src': ['1.2.3.4'], 'category': ['Misc']}, 
    10116884490: {'ip.dst': ['10.10.10.99'], 'ip.src': ['2.3.4.5'], 'alias': ['www.example.com'], 'category': ['Misc']}, 
    10117039635: {'ip.dst': ['2.3.4.5'], 'ip.src': ['10.11.11.50'], 'alias': ['google.com'], 'category': ['Misc']}, 
    10118099993: {'ip.dst': ['1.2.3.4'], 'ip.src': ['10.11.11.49'], 'alias': ['www.google.com'], 'category': ['Misc']},
    10118083243: {'ip.dst': ['10.11.11.49'], 'ip.src': ['4.3.2.1'], 'alias': ['www.google.com'], 'category': ['Misc']}}
}

Goal:

My goal is to search the sample dictionary with a value (IP address) that is known to exist though it is not known if it will appear in ip.dst or ip.src. Once found I want to write the “opposite” (other) IP address to a new list… if the searched address was found in ip.src I want to capture ip.dst and vice versa.

A searched address can be found more than once – the resulting list does not need to reflect duplicates.

If 1.2.3.4 is searched then the following would be captured:
* 10.1.1.5
* 10.10.10.99
* 10.11.11.49

Searching on 10.10.10.99 would capture:
* 1.2.3.4
* 2.3.4.5

This I’m sure is simple yet I am stuck with nasty, nested loops and need a concise routine clearer than my mud.

Your assistance is appreciated.

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Step 1. Invert the dictionary.

    dst= collections.defaultdict( list )
src= collections.defaultdict( list )
for k in original:
    for addr in original[k]['ip.dst']:
        dst[addr].append( k )
    for addr in original[k]['ip.src']:
        src[addr].append( k )

    Step 2. Don’t search, just get the value.

    You do two nearly instant checks into dst[addr] and src[addr] and you know all the keys in the original dictionary where it occurred.

    Inverting the dictionary takes time.

    Building better dictionaries in the first place (i.e., indexed by ip.dst and ip.src) saves the cost of inverting the dictionary you already have.

    • 0