corelight/ip-distance — reverse-engineered prompt

Reverse engineered prompt

Build me a small Zeek package that adds a new ip_distance log for network traffic. I want it to calculate Metcalf’s IP distance for each connection when the connection is removed, so I can review how far apart the two IP addresses are as part of normal connection logging.

Please make it feel usable out of the box, with sensible log fields, a short explanation of what the metric means, and clear notes on how to run it and see the new log in action. If there are edge cases where the distance should not be calculated, handle those cleanly instead of breaking logging.

Also include a simple test or sample traffic check so I can confirm the log is being generated correctly, and add a brief blog-style writeup that explains the idea in plain English and why someone looking at network data might care about this metric. If you need details on the metric, look up the current reference online.