If your copy of Wireshark supports MaxMind’s MaxMindDB library, you can use their databases to match IP addresses to countries, cities, autonomous system numbers, and other bits of information. Some databases are available at no cost for registered users, while others require a licensing fee. See the MaxMind web site for more information.
The configuration for the MaxMind database is a user table, as described in Section 11.7, “User Table”, with the following fields:
The locations for your data files are up to you, but /usr/share/GeoIP and /var/lib/GeoIP are common on Linux, while C:\ProgramData\GeoIP and C:\Program Files\Wireshark\GeoIP might be good choices on Windows.
Previous versions of Wireshark supported MaxMind’s original GeoIP Legacy database format. They were configured similarly to MaxMindDB files above, except GeoIP files must begin with Geo and end with .dat. They are no longer supported and MaxMind stopped distributing GeoLite Legacy databases in April 2018.
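The following added example (not part of the Wireshark documentation or code) audits a database directory before it is entered in the table, separating usable MaxMindDB files from leftover GeoIP Legacy files and from files that carry the MaxMindDB extension without being in that format. It assumes that Wireshark loads files ending in .mmdb from the configured directories and that a MaxMind DB file contains the metadata marker \xab\xcd\xefMaxMind.com near its end; the function names and the sample directory are constructed for illustration.

```python
import os
import tempfile

# Byte sequence that opens the metadata section of a MaxMind DB file
# (assumption taken from the MaxMind DB format, not from this page).
MMDB_MARKER = b"\xab\xcd\xefMaxMind.com"
SEARCH_WINDOW = 128 * 1024  # the marker is searched for in the file's tail

def classify(path):
    """Return 'mmdb', 'bad-mmdb', 'legacy' or 'other' for one file."""
    name = os.path.basename(path)
    if name.endswith(".mmdb"):
        size = os.path.getsize(path)
        with open(path, "rb") as fh:
            fh.seek(max(0, size - SEARCH_WINDOW))
            tail = fh.read()
        # Right extension but no marker: renamed legacy or truncated file.
        return "mmdb" if MMDB_MARKER in tail else "bad-mmdb"
    if name.startswith("Geo") and name.endswith(".dat"):
        return "legacy"  # GeoIP Legacy naming; no longer supported
    return "other"

def audit_directory(directory):
    """Map each regular file in a database directory to its classification."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        full = os.path.join(directory, entry)
        if os.path.isfile(full):
            report[entry] = classify(full)
    return report

def build_sample_dir():
    """Constructed sample directory; contents are synthetic, not real databases."""
    directory = tempfile.mkdtemp(prefix="geoip-sample-")
    samples = {
        "GeoLite2-City.mmdb": b"\x00" * 64 + MMDB_MARKER + b"\x00" * 16,
        "Renamed.mmdb": b"legacy bytes without a metadata marker",
        "GeoIP.dat": b"legacy",
        "README.txt": b"notes",
    }
    for name, data in samples.items():
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)
    return directory

if __name__ == "__main__":
    for name, kind in audit_directory(build_sample_dir()).items():
        print(f"{kind:9} {name}")
```

To check a real installation, call audit_directory() on one of the directories named above, such as /usr/share/GeoIP.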