Wireshark-dev: Re: [Wireshark-dev] GeoIP and what to expect
From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Wed, 14 Jan 2009 09:54:24 -0800
The GeoIP UAT entries should contain the absolute paths of directories that contain GeoIP databases, and not the paths to the databases themselves. Try changing one of the entries to the path of your "Downloads" directory, deleting the other two entries, and restarting Wireshark. I've updated the tooltip in the name resolution preferences to explain this a little better.

If the databases load correctly, you should see GeoIP data in "Statistics->Endpoint List->IPv4" as well as in the IP packet detail. The following GeoIP display filter fields are currently defined:

    ip.geoip.asnum
    ip.geoip.city
    ip.geoip.country
    ip.geoip.dst_asnum
    ip.geoip.dst_city
    ip.geoip.dst_country
    ip.geoip.dst_isp
    ip.geoip.dst_org
    ip.geoip.isp
    ip.geoip.org
    ip.geoip.src_asnum
    ip.geoip.src_city
    ip.geoip.src_country
    ip.geoip.src_isp
    ip.geoip.src_org

They are all strings, so you can filter using the "contains" and "matches" operators, e.g.

    ip.geoip.asnum contains "17374"
    ip.geoip.city matches "(?i)peculiar, mo"

Peter Fuller wrote:
> I've tried out the GeoIP API, but I don't see any results. My steps:
> I've downloaded three .dat files from maxmind:
>
> -rw-r--r--@ 1 rkm rkm  1138900 Jan 12 22:12 Downloads/GeoIP.dat
> -rw-r--r--  1 rkm rkm  2204468 Jan 12 22:12 Downloads/GeoIPASNum.dat
> -rw-r--r--@ 1 rkm rkm 29945302 Jan 12 22:13 Downloads/GeoLiteCity.dat
>
> I've updated the UAT to have one entry with the absolute path to these
> files. I have the filter preferences reference geoip information, but I
> don't know what the format of any of the values should be. I removed the
> PROTO_ITEM_SET_HIDDEN so that I could see what the values for, say,
> ip.geoip.country look like ('usa'? 'us'? 'US'?, etc), but I still get no
> values shown next to the IP addresses after recompiling.
>
> Am I doing something wrong?
>
> TShark 1.1.2 (SVN Rev 27212)
>
> Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
>
> Compiled with GLib 2.14.6, with libpcap 0.9.8, with libz 1.2.3, without POSIX
> capabilities, with libpcre 4.5, with SMI 0.4.3, without c-ares, with ADNS, with
> Lua 5.1, with GnuTLS 2.2.0, with Gcrypt 1.4.0, with MIT Kerberos, with GeoIP.
>
> Running on Darwin 9.6.0 (MacOS 10.5.6), with libpcap version 0.9.8, GnuTLS
> 2.2.0, Gcrypt 1.4.0.
>
> Built using gcc 4.0.1 (Apple Inc. build 5465).
>
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>              mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

--
Join us for Sharkfest’09 | Stanford University, June 15 – 18
http://www.cacetech.com/sharkfest.09/
EARLY REGISTRATION DISCOUNTS through JANUARY 31, 2009
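The two points the reply makes, worked as an added example (this is not code from the thread or from Wireshark itself): the UAT entry must name the directory holding the .dat files rather than a file, and the GeoIP fields are plain strings, so "contains" is a case-sensitive substring test while "matches" is a regular-expression search where an inline "(?i)" gives case-insensitivity. The helper names (parse_filter, record_matches, classify_uat_entry, demo_uat_check) are hypothetical, the endpoint records are constructed placeholders that do not reproduce the exact strings a GeoIP database returns, and the on-disk layout is built in a temporary directory so the script runs offline.

```python
import os
import re
import tempfile

# Hypothetical helpers, not Wireshark's own filter engine. The grammar handled
# here is only the small subset used in the reply:
#     <ip.geoip.field> contains "<literal>"
#     <ip.geoip.field> matches  "<regex>"
FILTER_RE = re.compile(
    r'^\s*(ip\.geoip\.[a-z_]+)\s+(contains|matches)\s+"((?:[^"\\]|\\.)*)"\s*$'
)

# Constructed endpoint records (documentation addresses). The field values are
# placeholders chosen to exercise the operators, not real database output.
SAMPLE_RECORDS = [
    {"ip": "192.0.2.10", "ip.geoip.country": "US",
     "ip.geoip.city": "Peculiar, MO", "ip.geoip.asnum": "17374 example-net"},
    {"ip": "198.51.100.7", "ip.geoip.country": "DE",
     "ip.geoip.city": "Berlin", "ip.geoip.asnum": "3320 example-de"},
    {"ip": "203.0.113.5"},  # no GeoIP data resolved for this endpoint
]


def parse_filter(expr):
    """Split a filter string into (field, operator, literal); raise on bad syntax."""
    m = FILTER_RE.match(expr)
    if not m:
        raise ValueError("unsupported filter: %r" % expr)
    field, op, literal = m.groups()
    return field, op, literal.replace('\\"', '"')


def record_matches(record, expr):
    """True if the record's GeoIP field satisfies the filter expression."""
    field, op, literal = parse_filter(expr)
    value = record.get(field)
    if value is None:
        # Endpoint has no value for this field: neither operator can match.
        return False
    if op == "contains":
        # Plain, case-sensitive substring test.
        return literal in value
    # "matches": regular-expression search. Python's re is not PCRE, but the
    # inline (?i) flag from the reply's example behaves the same way here.
    return re.search(literal, value) is not None


def filter_records(records, expr):
    """Return the addresses of all records that satisfy the filter."""
    return [r["ip"] for r in records if record_matches(r, expr)]


def classify_uat_entry(path):
    """Classify one GeoIP UAT entry: it must be a directory holding .dat files."""
    if os.path.isfile(path):
        return "file"        # wrong: the entry must name the containing directory
    if not os.path.isdir(path):
        return "missing"
    has_db = any(name.endswith(".dat") for name in os.listdir(path))
    return "dir-ok" if has_db else "dir-no-db"


def suggest_uat_entry(path):
    """Return the directory that should be entered in the UAT for this path."""
    return os.path.dirname(os.path.abspath(path)) if os.path.isfile(path) else path


def demo_uat_check():
    """Build a throwaway layout resembling the 'Downloads' case and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        db_file = os.path.join(tmp, "GeoIP.dat")
        open(db_file, "wb").close()          # empty stand-in for a database file
        empty_dir = os.path.join(tmp, "empty")
        os.mkdir(empty_dir)
        return {
            "db_file": classify_uat_entry(db_file),
            "db_dir": classify_uat_entry(tmp),
            "empty_dir": classify_uat_entry(empty_dir),
            "missing": classify_uat_entry(os.path.join(tmp, "nowhere")),
            "fixed": suggest_uat_entry(db_file) == os.path.abspath(tmp),
        }


if __name__ == "__main__":
    for expr in ('ip.geoip.asnum contains "17374"',
                 'ip.geoip.city matches "(?i)peculiar, mo"',
                 'ip.geoip.city contains "peculiar"'):
        print(expr, "->", filter_records(SAMPLE_RECORDS, expr))
    print(demo_uat_check())
```

Running it shows the third filter returning nothing even though the city is present, which is the case-sensitivity trap the "(?i)" in the reply's second example avoids; the UAT check reports the .dat file entry as "file" and points at its parent directory, the change Gerald asks for.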