I've tried out the GeoIP API, but I don't see any results. My steps:
I've downloaded three .dat files from MaxMind:
-rw-r--r--@ 1 rkm rkm 1138900 Jan 12 22:12 Downloads/GeoIP.dat
-rw-r--r-- 1 rkm rkm 2204468 Jan 12 22:12 Downloads/GeoIPASNum.dat
-rw-r--r--@ 1 rkm rkm 29945302 Jan 12 22:13 Downloads/GeoLiteCity.dat
I've updated the UAT to have one entry with the absolute path to these files. I have the filter preferences reference geoip information, but I don't know what the format of any of the values should be. I removed the PROTO_ITEM_SET_HIDDEN so that I could see what the values for, say, ip.geoip.country look like ('usa'? 'us'? 'US'?, etc), but I still get no values shown next to the IP addresses after recompiling.
Am I doing something wrong?
TShark 1.1.2 (SVN Rev 27212)
Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled with GLib 2.14.6, with libpcap 0.9.8, with libz 1.2.3, without POSIX
capabilities, with libpcre 4.5, with SMI 0.4.3, without c-ares, with ADNS, with
Lua 5.1, with GnuTLS 2.2.0, with Gcrypt 1.4.0, with MIT Kerberos, with GeoIP.
Running on Darwin 9.6.0 (MacOS 10.5.6), with libpcap version 0.9.8, GnuTLS
2.2.0, Gcrypt 1.4.0.
Built using gcc 4.0.1 (Apple Inc. build 5465).