
GeoIP with tshark on Linux without a GUI

Hi, I compiled the source code of Wireshark without the Wireshark GUI (it's a VM without a GUI). Then I searched for a place to put the MaxMind .dat files. I found various places to put them, but I couldn't extract the geoip.country with tshark. Example of my tshark command: tshark -r test.pcap -T json -e ip.geoip.src_country

The places I tried to put the geoip_db_paths file: /usr/share/wireshark, /usr/local/lib/wireshark, /usr/local/lib64/wireshark, /usr/local/include/wireshark, /usr/local/share/wireshark

Thanks.

JohnSynAck, asked 2018-12-17 09:18:30 +0000

Comments

Hi

Can you let us know exactly how you compiled this, please? I have the same issue: GeoIP works when tshark is installed from a package, but not when compiled.

Many thanks

GB_123 (2020-04-11 15:25:03 +0000)

1 Answer


Note that there was a change to GeoIP from Wireshark 2.6 onwards: we now use the GeoLite2 databases and API. See the wiki page on How To Use GeoIP for more info.

You can see the built-in GeoIP paths by using the tshark option -G folders, which shows all directory locations currently used by tshark.

grahamb, answered 2018-12-17 09:56:11 +0000

Comments

If I don't have GeoIP paths there, do I need to recompile it with other args? Today I compile Wireshark like this: cmake -DBUILD_wireshark=OFF, then make and make install.

JohnSynAck (2018-12-17 17:44:40 +0000)

And what does tshark -G folders produce for you, no "MaxMind database path" entries?

When you run the cmake step, does the output show "MaxMindDB" under the "found" packages, e.g.

-- The following OPTIONAL packages have been found:
...
 * MaxMindDB
...

If not, then you'll need to install the appropriate MaxMind support library in a place that can be found by CMake. You'll need to report the platform/distribution you're using if you want us to help with that, but the MaxMind GitHub page might help.

grahamb (2018-12-17 18:12:03 +0000)

It's working, thank you very much!

JohnSynAck (2018-12-17 18:50:49 +0000)

For the benefit of others who may have the same issue, can you post a comment on what you changed to get it working?

grahamb (2018-12-17 19:09:05 +0000)

I installed libmaxminddb and recompiled tshark.

JohnSynAck (2018-12-19 14:23:14 +0000)
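The answer and the comment thread describe a two-step check for a source-built tshark: confirm that CMake detected MaxMindDB at configure time, then read the "MaxMind database path" entries from tshark -G folders and drop the GeoLite2 .mmdb files into one of them. The script below is an added example, not code from the thread or from the Wireshark project; it works on captured tool output rather than invoking cmake or tshark itself, so it runs anywhere. The cmake and -G folders output samples are constructed, and their exact line layout is an assumption modelled on the snippet quoted in the comments.

```shell
#!/bin/sh
# Added example: check a source-built tshark for MaxMind/GeoIP support from
# (a) the CMake configure summary and (b) `tshark -G folders` output.
# All sample text below is constructed; the formats are assumptions.

# Constructed CMake summary in which MaxMindDB was detected.
CMAKE_WITH_MMDB='-- The following OPTIONAL packages have been found:
 * LibXml2
 * MaxMindDB
-- The following OPTIONAL packages have not been found:
 * Lua'

# Constructed CMake summary in which libmaxminddb was missing at configure time.
CMAKE_WITHOUT_MMDB='-- The following OPTIONAL packages have been found:
 * LibXml2
-- The following OPTIONAL packages have not been found:
 * MaxMindDB'

# Constructed `tshark -G folders` output from a build with MaxMind support.
FOLDERS_WITH_MMDB='Global configuration:   /usr/local/share/wireshark
Program:                /usr/local/bin
MaxMind database path:  /usr/share/GeoIP
MaxMind database path:  /var/lib/GeoIP'

# Constructed `tshark -G folders` output from a build without MaxMind support:
# no "MaxMind database path" lines at all, which is the symptom in the question.
FOLDERS_WITHOUT_MMDB='Global configuration:   /usr/local/share/wireshark
Program:                /usr/local/bin'

# cmake_found_mmdb CMAKE_OUTPUT -> prints "yes" if MaxMindDB is listed under the
# "have been found" block, "no" otherwise (a listing under "have not been found"
# does not count).
cmake_found_mmdb() {
    printf '%s\n' "$1" | awk '
        /packages have been found:/     { found = 1; next }
        /packages have not been found:/ { found = 0; next }
        found && $2 == "MaxMindDB"      { hit = 1 }
        END { print (hit ? "yes" : "no") }'
}

# maxmind_paths FOLDERS_OUTPUT -> prints every MaxMind database path, one per
# line; prints nothing when the build has no MaxMind support.
maxmind_paths() {
    printf '%s\n' "$1" | awk -F': *' '/^MaxMind database path:/ { print $2 }'
}

# mmdb_dir_status DIR... -> reports, for each directory tshark would search,
# whether it exists and whether it holds a GeoLite2 .mmdb file (the format used
# from Wireshark 2.6 on, not the legacy .dat files). Returns 0 if at least one
# directory is usable, 1 otherwise.
mmdb_dir_status() {
    usable=1
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            printf '%s: missing\n' "$dir"
        elif ls "$dir"/GeoLite2-*.mmdb >/dev/null 2>&1; then
            printf '%s: has GeoLite2 databases\n' "$dir"
            usable=0
        else
            printf '%s: exists but holds no GeoLite2-*.mmdb files\n' "$dir"
        fi
    done
    return $usable
}

# Stand-alone demonstration on the constructed samples.
echo "CMake detected MaxMindDB: $(cmake_found_mmdb "$CMAKE_WITH_MMDB")"
echo "tshark MaxMind database paths:"
maxmind_paths "$FOLDERS_WITH_MMDB"
# Word-splitting on the unquoted expansion is intentional here: one path per line.
mmdb_dir_status $(maxmind_paths "$FOLDERS_WITH_MMDB") \
    || echo "no usable GeoLite2 directory among the sample paths on this host"
```

On a real host, replace the samples with `cmake ... 2>&1 | tee cmake.log` and `tshark -G folders`; an empty result from maxmind_paths means the binary was built without libmaxminddb and needs the library installed and a rebuild, as the accepted fix in the thread describes, while a non-empty result with no usable directory means only the databases are missing.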
