Wireshark-bugs: [Wireshark-bugs] [Bug 5077] New: GeoIP: Display Filter comparison operators do
Date: Wed, 4 Aug 2010 14:58:41 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5077

           Summary: GeoIP: Display Filter comparison operators do not
                    seem to work for negative latitude or longitude
                    values...
           Product: Wireshark
           Version: 1.2.10
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: TShark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: rwhalb@xxxxxxxxxxxx


Created an attachment (id=4999)
 --> (https://bugs.wireshark.org/bugzilla/attachment.cgi?id=4999)
20 HTTP pkts for bug report diagnostic...

Build Information:
TShark 1.2.10

Copyright 1998-2010 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.24.1, with libpcap 1.0.0, with libz 1.2.3, without
POSIX capabilities, with libpcre 7.8, with SMI 0.4.8, with c-ares 1.7.0, with
Lua 5.1, with GnuTLS 2.8.6, with Gcrypt 1.4.5, with MIT Kerberos, with GeoIP.

Running on Linux 2.6.33.6-147.2.4.fc13.i686, with libpcap version 1.0.0, GnuTLS
2.8.6, Gcrypt 1.4.5.

Built using gcc 4.4.4 20100630 (Red Hat 4.4.4-10).
--
It appears that the standard Display Filter comparison operators have trouble
when comparing negative longitude and/or latitude values.

Assumption: Negative longitude values (-180.0 to 0.0 degrees longitude) are
considered west, and negative latitude values (0.0 to -90.0 degrees latitude)
are considered south.

I have included a small capture that has 20 HTTP packets, which include
conversations from Schenectady, New York to Mountain View, California and
Schenectady, New York to Brisbane, Australia.

GeoLocation Info (MaxMind GeoCity Lite Database):
=================================================
Schenectady:   IP: 24.97.150.194,  Lat: 42.8059997559, Lon:  -73.9415969849
Mountain View: IP: 173.194.33.104, Lat: 37.4192008972, Lon: -122.057403564
Brisbane:      IP: 210.247.137.24, Lat: -27.5,         Lon:  153.016693115

What Works:
===========
A display filter to only show traffic from latitudes south of 10 degrees north
latitude (i.e., in this capture only traffic from Brisbane, Australia):

/usr/sbin/tshark -n -t r -r "/tmp/capture_file.cap" -R '(ip.geoip.src_lat < "10.0") || (ip.geoip.dst_lat < "10.0")' -o 'ip.use_geoip:TRUE';

  1   0.000000 24.97.150.194 -> 210.247.137.24 TCP 4701 > 80 [SYN] Seq=0 Win=64512 Len=0 MSS=1460
  2   0.286177 210.247.137.24 -> 24.97.150.194 TCP 80 > 4701 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1380
  3   0.287401 24.97.150.194 -> 210.247.137.24 TCP 4701 > 80 [ACK] Seq=1 Ack=1 Win=64512 Len=0
  4   0.290005 24.97.150.194 -> 210.247.137.24 HTTP GET / HTTP/1.1
  5   0.703850 210.247.137.24 -> 24.97.150.194 HTTP HTTP/1.1 200 OK
  6   0.706037 210.247.137.24 -> 24.97.150.194 HTTP Continuation or non-HTTP traffic (text/html)
  7   0.707786 24.97.150.194 -> 210.247.137.24 TCP 4701 > 80 [ACK] Seq=978 Ack=1504 Win=64512 Len=0
 14   0.987600 210.247.137.24 -> 24.97.150.194 HTTP Continuation or non-HTTP traffic
 15   0.988054 210.247.137.24 -> 24.97.150.194 HTTP Continuation or non-HTTP traffic
 16   0.989186 210.247.137.24 -> 24.97.150.194 HTTP Continuation or non-HTTP traffic
 17   0.990211 24.97.150.194 -> 210.247.137.24 TCP 4701 > 80 [ACK] Seq=978 Ack=4264 Win=64512 Len=0
 18   0.990778 24.97.150.194 -> 210.247.137.24 TCP 4701 > 80 [ACK] Seq=978 Ack=5644 Win=64512 Len=0
 19   0.994129 24.97.150.194 -> 210.247.137.24 TCP 4704 > 80 [SYN] Seq=0 Win=64512 Len=0 MSS=1460
 20   0.995460 24.97.150.194 -> 210.247.137.24 TCP 4705 > 80 [SYN] Seq=0 Win=64512 Len=0 MSS=1460


What Does Not Work:
===================
A display filter to only show traffic from latitudes south of 10 degrees south
latitude (i.e., in this capture only traffic from Brisbane, Australia):

/usr/sbin/tshark -n -t r -r "/tmp/capture_file.cap" -R '(ip.geoip.src_lat < "-10.0") || (ip.geoip.dst_lat < "-10.0")' -o 'ip.use_geoip:TRUE';

- No decode output with above display filter...

Summary:
========
Brisbane is at latitude -27.5. -27.5 is less than -10.0.
It appears that negative floating point numbers are not handled correctly (or I
am doing it incorrectly) with the standard Display Filter comparison operators.

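The following is an added reference example, not code from Wireshark or from the bug reporter. It shows the behaviour the report expects from a display-filter comparison: a quoted numeric operand such as "-10.0" is parsed as a signed double (with the sign as part of the number, and trailing junk or an empty operand rejected) and then compared against the GeoIP latitude of each endpoint. The endpoint coordinates are copied from the report; the function names and the conversation-level helper are this example's own and are not Wireshark's dfilter API.

```c
#include <errno.h>
#include <float.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample data: the three endpoints listed in the bug report
 * (MaxMind GeoCity Lite coordinates as quoted there). */
typedef struct {
    const char *name;
    const char *ip;
    double lat;
    double lon;
} endpoint_t;

static const endpoint_t SCHENECTADY   = { "Schenectady",   "24.97.150.194",   42.8059997559,  -73.9415969849 };
static const endpoint_t MOUNTAIN_VIEW = { "Mountain View", "173.194.33.104",  37.4192008972, -122.057403564 };
static const endpoint_t BRISBANE      = { "Brisbane",      "210.247.137.24", -27.5,           153.016693115 };

/* Parse a display-filter numeric operand such as "-10.0" or "10.0".
 * The operand may be wrapped in double quotes, as in the report's filters.
 * A leading '-' is part of the number, not a separate token.
 * Returns 1 on success (value stored in *out), 0 if the text is not a
 * complete, finite, signed decimal number (empty, trailing junk, nan/inf). */
static int parse_filter_number(const char *operand, double *out) {
    char buf[64];
    char *end = NULL;
    double v;
    size_t len = strlen(operand);

    if (len == 0 || len >= sizeof buf) return 0;

    /* strip surrounding double quotes if present */
    if (len >= 2 && operand[0] == '"' && operand[len - 1] == '"') {
        memcpy(buf, operand + 1, len - 2);
        buf[len - 2] = '\0';
    } else {
        memcpy(buf, operand, len + 1);
    }
    if (buf[0] == '\0') return 0;

    errno = 0;
    v = strtod(buf, &end);
    if (errno != 0 || end == buf || *end != '\0') return 0;  /* reject partial parses */
    if (v != v || v > DBL_MAX || v < -DBL_MAX) return 0;     /* reject nan / inf */
    *out = v;
    return 1;
}

/* Evaluate `lat < operand` for one field value.
 * Returns 1 (true), 0 (false), or -1 if the operand does not parse. */
static int lat_less_than(double lat, const char *operand) {
    double threshold;
    if (!parse_filter_number(operand, &threshold)) return -1;
    return lat < threshold;
}

/* Evaluate (ip.geoip.src_lat < operand) || (ip.geoip.dst_lat < operand)
 * for one conversation. Returns -1 if the operand does not parse. */
static int conversation_matches(const endpoint_t *src, const endpoint_t *dst,
                                const char *operand) {
    int a = lat_less_than(src->lat, operand);
    int b = lat_less_than(dst->lat, operand);
    if (a < 0 || b < 0) return -1;
    return a || b;
}

int main(void) {
    const char *filters[] = { "\"10.0\"", "\"-10.0\"" };
    size_t i;
    for (i = 0; i < sizeof filters / sizeof filters[0]; i++) {
        printf("filter: src_lat < %s || dst_lat < %s\n", filters[i], filters[i]);
        printf("  %s -> %s : %s\n", SCHENECTADY.name, MOUNTAIN_VIEW.name,
               conversation_matches(&SCHENECTADY, &MOUNTAIN_VIEW, filters[i]) == 1 ? "match" : "no match");
        printf("  %s -> %s : %s\n", SCHENECTADY.name, BRISBANE.name,
               conversation_matches(&SCHENECTADY, &BRISBANE, filters[i]) == 1 ? "match" : "no match");
    }
    return 0;
}
```

With these semantics both filters select only the Schenectady-to-Brisbane conversation, which is the result the report says the "-10.0" filter fails to produce in TShark 1.2.10.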