
Why is geolocation not working

I have all three MaxMind databases (Country, City, ASN) downloaded and unzipped into a folder I named MaxMind. I went to Wireshark preferences and clicked name resolution. Then I clicked on the edit button for MaxMind database directories and added the file path of the folder that contains the databases. I have checked the file path and it is correct, but Wireshark still does not resolve any location. If I go to the Wireshark Statistics tab, then select endpoints, and then select the IPv4 tab, there is no location data displayed. Anyone have an idea why this is? Thanks

mmcap64 asked 2022-09-05 13:56:14 +0000

Comments

What's the status of the IPv4 protocol dissector preference for geolocation? Is it on?

Jaap (2022-09-05 15:02:19 +0000)

You can test outside of wireshark using mmdbresolve (man page).
If that is working properly, can you update the question with the output of wireshark -v?

Chuckc (2022-09-05 15:26:00 +0000)

Where is the "IPv4 protocol dissector preference for geolocation" option located? I don't see it in preferences menu or the statistics menu.

mmcap64 (2022-09-05 18:37:29 +0000)

Chuckc When I use mmdbresolve at the cmd prompt as shown by the example I get the following. 'mmdbresolve' is not recognized as an internal or external command, operable program or batch file.

mmcap64 (2022-09-05 19:09:54 +0000)

You'll likely need to either cd into the Wireshark directory or use the full path to mmdbresolve, i.e. C:\Program Files\Wireshark\mmdbresolve.exe.

grahamb (2022-09-05 19:32:55 +0000)
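
One way to run the check suggested in the comments above from PowerShell, as an added example that is not part of the original thread: it lists the .mmdb files in the database folder and feeds one address to mmdbresolve by its full path. The folder C:\MaxMind and the probe address are assumptions, as is the expectation that the .mmdb files sit directly in the configured folder rather than in subfolders; the mmdbresolve path is the one quoted above.

```powershell
# Assumed values: adjust to your system.
$MmdbDir  = 'C:\MaxMind'                                   # hypothetical folder added in Wireshark's preferences
$Resolver = 'C:\Program Files\Wireshark\mmdbresolve.exe'   # full path from the comment above
$TestIp   = '8.8.8.8'                                      # constructed probe; any public address will do

if (-not (Test-Path -LiteralPath $Resolver -PathType Leaf)) {
    throw "mmdbresolve.exe not found at '$Resolver'; check the Wireshark install path."
}
if (-not (Test-Path -LiteralPath $MmdbDir -PathType Container)) {
    throw "Database folder '$MmdbDir' does not exist."
}

# Look only at the top level of the folder (assumption: that is where the files must be).
$dbs = @(Get-ChildItem -LiteralPath $MmdbDir -Filter '*.mmdb' -File)

if ($dbs.Count -eq 0) {
    # Nothing at the top level: see whether the archives were unpacked into subfolders,
    # or are still packed, before blaming Wireshark.
    $nested = @(Get-ChildItem -LiteralPath $MmdbDir -Recurse -Filter '*.mmdb' -File)
    $packed = @(Get-ChildItem -LiteralPath $MmdbDir -Recurse -File |
                Where-Object { $_.Extension -in '.gz', '.tar', '.zip' })
    if ($nested.Count -gt 0) {
        Write-Warning "No .mmdb files directly in '$MmdbDir', but found these in subfolders:"
        $nested | ForEach-Object { Write-Warning "  $($_.FullName)" }
    }
    if ($packed.Count -gt 0) {
        Write-Warning "Archives that still look packed:"
        $packed | ForEach-Object { Write-Warning "  $($_.FullName)" }
    }
    throw "No usable .mmdb files in '$MmdbDir'."
}

Write-Host "Databases found:"
$dbs | ForEach-Object { Write-Host "  $($_.Name)  ($([math]::Round($_.Length / 1MB, 1)) MB)" }

# mmdbresolve takes one -f <file> per database and reads addresses from standard input.
$dbArgs = foreach ($db in $dbs) { '-f'; $db.FullName }

Write-Host "`nLookup of $TestIp outside Wireshark:"
$TestIp | & $Resolver @dbArgs
```

If the lookup prints location fields here but Wireshark still shows none, the databases themselves are fine and the remaining suspects are the ones raised in the thread: the configured directory, the IPv4 geolocation preference, and a restart of Wireshark.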

2 Answers


IIRC you need to restart Wireshark to make GeoLocation active, not sure why and/or if there is already an issue raised for this. But could you try if that fixes it for you?

SYN-bit answered 2022-09-06 08:50:12 +0000


The Map option under the Endpoint is no longer available on version 4 of Wireshark. Use version 3.6.8 instead for that to work, until Wireshark releases the next update.

arthurvp answered 2022-10-19 06:12:16 +0000

Comments

Which "version 4" are you running?
On the released version (4.0.0 (v4.0.0-0-g0cbe09cd796b)) the Map button is on the left side and works fine if a tab is selected with IP addresses.

Chuckc (2022-10-19 13:18:42 +0000)
Chuckc (2022-10-19 13:20:59 +0000)

Thanks for responding Chuckc! I did the following with no luck: -update from v3.6.8 to v4.0.0 and restart WS. -uninstall everything completely and did a fresh 4.0.0 install and restart WS. -reboot after the installation. All to no avail. No Map button but a Map dropdown box on the left side is there and becomes available if the IPv4 column is selected. Geomap will be displayed as soon as the Browser is selected from the dropdown, which is good, but I really wish the Geo Column(s) are still displayed on the Endpoint window. Let me know if you have the trick. Tnx!

arthurvp (2022-10-20 03:45:36 +0000)

I really wish the Geo Column(s) are still displayed on the Endpoint window.

That's what the issue #18320 to which Chuckc referred was about.

Let me know if you have the trick.

The only trick to get those columns is to wait for 4.0.1 to be released and then update to 4.0.1, or, if you're willing to take a risk with a "cutting edge" build rather than an official release, try one of the 4.0-branch automated builds - get the latest "Wireshark-win64-3.6.9rc0" build from the current set of automated Win64 builds (don't do a 4.1.0 build, that's from the main branch and has a higher risk of buggy behavior or behavior that may change in the 4.2.0 release next year).

There's no trick to force 4.0.0 to show them - it's not ... (more)

Guy Harris (2022-10-20 06:04:56 +0000)
