In Linux you can use regular expressions with grep to extract an IP address from a file. The grep command has the -E (extended regex) option to allow it to interpret a pattern as an extended regular expression.

The format of an IPv4 address is a 32-bit numeric address, grouped 8 bits at a time (called an octet), each separated by a dot. Each octet can range from 0-255.

You can create a regular expression to look for 4 blocks of 1-3 digits separated by a dot, like so:

grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ips.txt

That command would be fine for most purposes, but if there is an invalid IP address like 265.168.1.2 (remember an octet cannot be higher than 255) it would still find it.

Here is an example:

$ grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' ips.txt
123.321.234.712
999.999.999.999
192.168.5.5

We have to expand this regular expression to tell it to ignore numbers of 256 or higher. Here is an example of a regular expression that would only extract valid IP addresses.

$ grep -E '^((25[0-5]|2[0-4][0-9]|[1]?[1-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[1]?[1-9]?[0-9])$' ips.txt
192.168.5.5

The above does a good job, but it still has issues. It will not find an IP address with leading zeros, nor will it find an IP address with 0 as the only number of the octet. This regular expression would not match 10.0.0.5 for example.

In order to find a regular expression that can only extract valid IP addresses, we have to go to great lengths to validate every octet in the pattern. Here is an example:

$ grep -E '([^.]|^)([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.([0-9]{1,2}|1[0-9]{2}|2[0-4][0-9]|25[0-5])([^.]|$)' ips.txt
192.168.5.5
10.0.0.4

Even the above is not without its flaws.

It is an industry standard to remove leading zeros from addresses in both IPv4 and IPv6. But just because that is a standard way to represent IPv4 addresses, it doesn't mean everyone will.

For example, you could represent a zero-filled octet with three zeros.

10.000.000.5 = 10.0.0.5

Both of these addresses would work fine on a network, but even ping removes the leading zeros.

$ ping 10.000.000.5
PING 10.000.000.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=64 time=0.252 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=0.312 ms

There is a little tool built by some folks at Red Hat called ipcalc. It was originally built to calculate IP information for a host, but can also be used for IP address validation. Sure enough, this tool also calls an IP address with leading zeros an invalid IP address.

$ ipcalc -c 10.000.000.5
ipcalc: bad IPv4 address: 10.000.000.5

As you can see it is fairly easy to use grep and regular expressions to extract an IP address from a file. It is not so easy to ensure that the matched pattern is a valid IP address.
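
One way around the ever-growing pattern, shown here as an added example that is not part of the original article: match dotted digit runs loosely with grep, then check each octet numerically in awk. The names extract_valid_ipv4 and sample_ips and the sample lines are constructed for illustration; like ipcalc, the check rejects octets with leading zeros, which some parsers read as octal.

```bash
#!/usr/bin/env bash
# Added example: loose extraction with grep, strict validation with awk.
# extract_valid_ipv4 and sample_ips are hypothetical helper names.

# Reads text on stdin, prints every valid IPv4 address found, one per line.
extract_valid_ipv4() {
    # Step 1: grab whole runs of digits joined by literal dots. Taking the
    # full run means "1.2.3.4.5" is one candidate with five fields, not a
    # valid-looking "1.2.3.4" cut out of the middle of it.
    grep -Eo '[0-9]+(\.[0-9]+)+' |
    # Step 2: validate each candidate field by field.
    awk -F. '
        NF != 4 { next }                  # exactly four octets
        {
            for (i = 1; i <= 4; i++) {
                if ($i ~ /^0[0-9]/) next  # leading zero, e.g. 000 or 010
                if ($i + 0 > 255)   next  # out of range, e.g. 265 or 999
            }
            print
        }'
}

# Constructed sample input: the addresses used in the article plus two
# lines where the address is embedded in other text.
sample_ips() {
    printf '%s\n' \
        '123.321.234.712' \
        '999.999.999.999' \
        '192.168.5.5' \
        '10.0.0.4' \
        '10.000.000.5' \
        '265.168.1.2' \
        'sshd: connection from 10.0.0.5 port 22' \
        'build 1.2.3.4.5 released'
}

sample_ips | extract_valid_ipv4
```

To run it against a real file, use: extract_valid_ipv4 < ips.txt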
