Wireshark-dev: Re: [Wireshark-dev] GeoIP and what to expect

From: Peter Fuller <randomkodemonkey@xxxxxxxxxxxxxx>
Date: Wed, 14 Jan 2009 21:45:16 +0000

First, thanks for this feature, don't want to seem as though I'm complaining about something that might be still 'beta'.

The Statistics->Endpoint List->IPv4 reveals the Country, AS Number, and City columns. However, no use of any ip.geoip display fields related to asnum, city, or country shows anything in the packet details; i.e. even though the Country column shows "Japan" and "United States", all of these display filters show an empty packet details window:

ip.geoip.country contains "Japan"
ip.geoip.country contains "U"
ip.geoip.country == "Japan"

Oh. DUH. Searching the code, I stumbled across the 'Enable GeoIP lookups' preference. After enabling that, I get the data I expected in the packet details list and the display filters work as expected.

Perhaps a comment in the Protocols->IP pane stating something like "GeoIP settings can be changed in the Name Resolution preferences", similar to the entry for SNMP for MIB settings, would help to connect the two locations?

rkm

On Jan 14, 2009, at 5:54 PM, Gerald Combs wrote:

The GeoIP UAT entries should contain the absolute paths of directories that contain GeoIP databases, and not the paths to the databases themselves. Try changing one of the entries to the path of your "Downloads" directory, deleting the other two entries, and restarting Wireshark. I've updated the tooltip in the name resolution preferences to explain this a little better.

If the databases load correctly, you should see GeoIP data in "Statistics->Endpoint List->IPv4" as well as in the IP packet detail.

The following GeoIP display filter fields are currently defined:

 ip.geoip.asnum
 ip.geoip.city
 ip.geoip.country
 ip.geoip.dst_asnum
 ip.geoip.dst_city
 ip.geoip.dst_country
 ip.geoip.dst_isp
 ip.geoip.dst_org
 ip.geoip.isp
 ip.geoip.org
 ip.geoip.src_asnum
 ip.geoip.src_city
 ip.geoip.src_country
 ip.geoip.src_isp
 ip.geoip.src_org

They are all strings, so you can filter using the "contains" and "matches" operators, e.g.

 ip.geoip.asnum contains "17374"
 ip.geoip.city matches "(?i)peculiar, mo"

Peter Fuller wrote:
I've tried out the GeoIP API, but I don't see any results. My steps:
I've downloaded three .dat files from maxmind:

-rw-r--r--@ 1 rkm  rkm   1138900 Jan 12 22:12 Downloads/GeoIP.dat
-rw-r--r--  1 rkm  rkm   2204468 Jan 12 22:12 Downloads/GeoIPASNum.dat
-rw-r--r--@ 1 rkm  rkm  29945302 Jan 12 22:13 Downloads/GeoLiteCity.dat

I've updated the UAT to have one entry with the absolute path to these files.  I have the filter preferences reference geoip information, but I don't know what the format of any of the values should be. I removed the PROTO_ITEM_SET_HIDDEN so that I could see what the values for, say, ip.geoip.country look like ('usa'? 'us'? 'US'?, etc), but I still get no values shown next to the IP addresses after recompiling.

Am I doing something wrong?

TShark 1.1.2 (SVN Rev 27212)

Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.14.6, with libpcap 0.9.8, with libz 1.2.3, without POSIX
capabilities, with libpcre 4.5, with SMI 0.4.3, without c-ares, with ADNS, with
Lua 5.1, with GnuTLS 2.2.0, with Gcrypt 1.4.0, with MIT Kerberos, with GeoIP.

Running on Darwin 9.6.0 (MacOS 10.5.6), with libpcap version 0.9.8, GnuTLS
2.2.0, Gcrypt 1.4.0.

Built using gcc 4.0.1 (Apple Inc. build 5465).
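A worked example, added here and not part of the thread or of Wireshark's code, showing how a defender can post-process the string-valued ip.geoip.* fields that Gerald lists above once the lookups are enabled and the database directory is configured. It assumes the fields were exported with "tshark -T fields -e ... -E separator=/t" (those tshark options exist; the sample rows, addresses, AS strings and city names are constructed, and the exact text of the asnum field depends on the GeoIP database in use). The code reproduces the "contains" (plain substring) and "matches" (regex, "(?i)" for case-insensitive) semantics from the message, tallies endpoints per country, and counts rows where the lookup returned nothing, which is what an unconfigured or disabled GeoIP setup looks like from the filter side.

```python
import re
from collections import Counter

# Constructed sample of "tshark -T fields" output, one packet source per line,
# as would be produced by a command such as:
#   tshark -r trace.pcap -T fields -E separator=/t \
#          -e ip.src -e ip.geoip.src_country -e ip.geoip.src_asnum -e ip.geoip.src_city
# Addresses are documentation ranges; countries, AS strings and cities are made up.
SAMPLE_TSV = """\
192.0.2.10\tUnited States\tAS64496 Example Transit\tPeculiar, MO
192.0.2.11\tUnited States\tAS64496 Example Transit\tPeculiar, MO
198.51.100.7\tJapan\tAS64497 Example Net\tTokyo
203.0.113.5\tJapan\tAS64498 Example ISP\tOsaka
203.0.113.20\tGermany\tAS644961 Other Example\tBerlin
203.0.113.9\t\t\t
"""

# Column order of the export above (hypothetical; mirrors the -e options).
FIELDS = ("ip.src", "ip.geoip.src_country", "ip.geoip.src_asnum", "ip.geoip.src_city")


def parse_fields(text):
    """Turn tab-separated tshark field output into a list of dicts keyed by field name.

    Missing trailing columns (an address the database did not resolve) become "".
    """
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        values = line.split("\t")
        values += [""] * (len(FIELDS) - len(values))
        rows.append(dict(zip(FIELDS, values)))
    return rows


def field_contains(rows, field, needle):
    """Wireshark 'contains' on a string field: case-sensitive substring test."""
    return [r for r in rows if needle in r[field]]


def field_matches(rows, field, pattern):
    """Wireshark 'matches' on a string field: regex search; '(?i)' in the
    pattern gives the case-insensitive behaviour shown in the message."""
    rx = re.compile(pattern)
    return [r for r in rows if rx.search(r[field])]


def tally(rows, field, empty_label="(no GeoIP data)"):
    """Count endpoints per value of a GeoIP field; empty lookups get their own bucket,
    so a tally dominated by that bucket points at lookups being disabled or the
    database directory path being wrong rather than at the traffic itself."""
    return Counter(r[field] or empty_label for r in rows)


if __name__ == "__main__":
    rows = parse_fields(SAMPLE_TSV)
    print("by country:", dict(tally(rows, "ip.geoip.src_country")))
    print("Japan:", [r["ip.src"] for r in field_contains(rows, "ip.geoip.src_country", "Japan")])
    print("Peculiar, MO:", [r["ip.src"] for r in field_matches(rows, "ip.geoip.src_city", "(?i)peculiar, mo")])
    # Because asnum is a string, contains "64496" also hits AS644961; anchor with a regex.
    print("contains 64496:", len(field_contains(rows, "ip.geoip.src_asnum", "64496")))
    print("exactly AS64496:", len(field_matches(rows, "ip.geoip.src_asnum", r"\bAS64496\b")))
```

The last two lines show the caveat that follows from the fields being strings: "ip.geoip.asnum contains "17374"" is a substring test and would also match a longer AS number that happens to start with those digits, so when an exact AS is wanted, "matches" with an anchored pattern is the safer filter.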

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe


--
Join us for Sharkfest’09  |  Stanford University, June 15 – 18
http://www.cacetech.com/sharkfest.09/

EARLY REGISTRATION DISCOUNTS through JANUARY 31, 2009