IP Sort & Compare

What is IP Sorting?

IP address sorting orders a list of IP addresses by their numeric value rather than their string representation. This distinction is critical because the default alphabetical (lexicographic) sort used by most text tools produces nonsensical results for IP addresses.

Consider a simple list: 10.0.0.1, 10.0.0.2, 10.0.0.10. An alphabetical sort places 10.0.0.10 between 10.0.0.1 and 10.0.0.2 because the string “10” comes before “2” character by character. A numeric sort correctly places 10.0.0.10 after 10.0.0.2, matching the logical structure of the address space.

This problem gets worse with real-world data. A firewall rule set with hundreds of IP addresses becomes unreadable when sorted alphabetically, and comparing two such lists to find differences becomes nearly impossible.

Numeric vs Alphabetic Sort

The root cause of the problem is that IP addresses look like strings but represent numbers. Each IPv4 address is a 32-bit unsigned integer displayed as four decimal octets separated by dots. The correct way to sort them is to compare by numeric value, not by character codes.

The Comparison

Address	Alphabetic Position	Numeric Position
10.0.0.1	1st	1st
10.0.0.10	2nd	4th
10.0.0.100	3rd	5th
10.0.0.2	4th	2nd
10.0.0.20	5th	3rd

The alphabetic sort is wrong because it compares character-by-character: the character ‘1’ (ASCII 49) is less than ‘2’ (ASCII 50), so “10” sorts before “2”, and “100” sorts before “20”.

How Numeric Sorting Works

Numeric IP sorting converts each address to a single 32-bit integer for comparison:

1. Parse each octet as an integer: 10.0.0.2 becomes [10, 0, 0, 2]
2. Convert to a 32-bit value: 10 * 2^24 + 0 * 2^16 + 0 * 2^8 + 2 = 167,772,162
3. Sort by the integer values

Alternatively, you can sort octet by octet: compare the first octets; if equal, compare the second; and so on. This produces the same result without computing large integers and is the most intuitive approach.

For IPv6 addresses, the same principle applies but with 128-bit values or 8 groups of 16-bit values. The addresses must be normalized first (expanding :: shorthand and removing leading zeros) to ensure consistent comparison.

Deduplication

IP sorting naturally pairs with deduplication — removing duplicate entries from a list. When working with merged lists from multiple sources (different firewall exports, multiple log files, or combined whitelists), duplicates are common and must be removed before the data is useful.

The standard workflow is:

1. Parse all IPs from the input
2. Validate each address (discard malformed entries)
3. Sort numerically
4. Deduplicate by removing consecutive identical entries (efficient on a sorted list)
5. Output the clean, sorted, unique list

This produces a canonical representation that is easy to compare, audit, and import into other tools.

Common Use Cases

• Firewall rule auditing: Sorting and deduplicating IP addresses from exported firewall configurations to identify redundant rules, missing entries, or unauthorized additions
• ACL comparison: Sorting two access control lists before running a diff to clearly show which addresses were added, removed, or changed between versions
• Whitelist management: Maintaining a sorted, deduplicated master whitelist that can be diffed against active configurations to detect drift
• Log analysis: Sorting extracted IPs from access logs to quickly identify ranges, spot patterns, and group related addresses
• Incident response: Merging IP indicators of compromise (IOCs) from multiple threat intelligence feeds into a single sorted, deduplicated blocklist
• Network documentation: Producing clean, sorted IP inventories for network documentation, compliance audits, and capacity planning reports