Wireshark · Wireshark-dev: Re: [Wireshark-dev] GeoIP and what to expect

[Peter Fuller <randomkodemonkey@xxxxxxxxxxxxxx>]

First, thanks for this feature, don't want to seem as though I'm  
complaining about something that might be still 'beta'.

The Statistics->Endpoint List->IPv4 reveals the Country, AS Number,  
and City columns.  However, no use of any ip.geoip display fields  
related to asnum, city, or country show anything in the packet details,

i.e. Even though the Country column shows "Japan" and "United States",  
all of these display filters show an empty packet details window:

ip.geoip.country contains "Japan"
ip.geoip.country contains "U"
ip.geoip.counry == "Japan"

Oh.  DUH.  Searching the code, I stumbled across the 'Enable GeoIP  
lookups' preference.   After enabling that, I get the data I expected  
in the packet details list and the display filters work as expected.

Perhaps a comment in the Protocols->IP pane stating something like  
"GeoIP settings can be changed in the Name Resolution preferences,  
similar to the entry for SNMP for MIB settings would help to connect  
the two locations?

rkm

On Jan 14, 2009, at 5:54 PM, Gerald Combs wrote:

> The GeoIP UAT entries should contain the absolute paths of  
> directories that
> contain GeoIP databases, and not the paths to the databases  
> themselves. Try
> changing one of the entries to the path of your "Downloads"  
> directory, deleting
> the other two entries, and restarting Wireshark. I've updated the  
> tooltip in the
> name resolution preferences to explain this a little better.
>
> If the databases load correctly, you should see GeoIP data in
> "Statistics->Endpoint List->IPv4" as well as in the IP packet detail.
>
> The following GeoIP display filter fields are currently defined:
>
>  ip.geoip.asnum
>  ip.geoip.city
>  ip.geoip.country
>  ip.geoip.dst_asnum
>  ip.geoip.dst_city
>  ip.geoip.dst_country
>  ip.geoip.dst_isp
>  ip.geoip.dst_org
>  ip.geoip.isp
>  ip.geoip.org
>  ip.geoip.src_asnum
>  ip.geoip.src_city
>  ip.geoip.src_country
>  ip.geoip.src_isp
>  ip.geoip.src_org
>
> They are all strings, so you can filter using the "contains" and  
> "matches"
> operators, e.g.
>
>  ip.geoip.asnum contains "17374"
>  ip.geoip.city matches "(?i)peculiar, mo"
>
> Peter Fuller wrote:
> > I've tried out the GeoIP API, but I don't see any results.   My  
> > steps:
> > I've downloaded three .dat files from maxmind:
> >
> > -rw-r--r--@ 1 rkm  rkm   1138900 Jan 12 22:12 Downloads/GeoIP.dat
> > -rw-r--r--  1 rkm  rkm   2204468 Jan 12 22:12 Downloads/ 
> > GeoIPASNum.dat
> > -rw-r--r--@ 1 rkm  rkm  29945302 Jan 12 22:13 Downloads/ 
> > GeoLiteCity.dat
> >
> > I've updated the UAT to have one entry with the absolute path to  
> > these
> > files.  I have
> > the filter preferences reference geoip information, but I don't know
> > what the format of any
> > of the values should be.   I removed the PROTO_ITEM_SET_HIDDEN so  
> > that I
> > could see what the values for, say, ip.geoip.country look like  
> > ('usa'?
> > 'us'? 'US'?, etc), but I still get now values shown next to the IP
> > addresses after recompiling.
> >
> > Am I doing something wrong?
> >
> > TShark 1.1.2 (SVN Rev 27212)
> >
> > Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and
> > contributors.
> > This is free software; see the source for copying conditions. There  
> > is
> > NO
> > warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
> > PURPOSE.
> >
> > Compiled with GLib 2.14.6, with libpcap 0.9.8, with libz 1.2.3,
> > without POSIX
> > capabilities, with libpcre 4.5, with SMI 0.4.3, without c-ares, with
> > ADNS, with
> > Lua 5.1, with GnuTLS 2.2.0, with Gcrypt 1.4.0, with MIT Kerberos,  
> > with
> > GeoIP.
> >
> > Running on Darwin 9.6.0 (MacOS 10.5.6), with libpcap version 0.9.8,
> > GnuTLS
> > 2.2.0, Gcrypt 1.4.0.
> >
> > Built using gcc 4.0.1 (Apple Inc. build 5465).
> >
> > ___________________________________________________________________________
> > Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> > Archives:    http://www.wireshark.org/lists/wireshark-dev
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
> >             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
>
>
> --
> Join us for Sharkfest’09  |  Stanford University, June 15 – 18
> http://www.cacetech.com/sharkfest.09/
>
> EARLY REGISTRATION DISCOUNTS through JANUARY 31, 2009
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe