Can't extract MaxmindDb's columns from tshark

Hi, I compiled tshark on Linux without GUI (Wireshark 2.6.4). I downloaded the GeoIP database mmdb files. When I typed tshark -G folders I got:

MaxMind database path:  /usr/share/GeoIP
MaxMind database path:  /var/lib/GeoIP
MaxMind database path:  /usr/share/GeoIP

I put my files in there but it didn't extract the data. I tried to run the command like this:

tshark -r  test.pcap -o "ip.use_geoip: TRUE"  -T json

I didn't get the columns of GeoIP. Do you have any suggestions why it doesn't work? Thanks.

JohnSynAck asked 2018-12-19 14:38:43 +0000
cmaynard updated 2018-12-31 18:12:14 +0000

Comments

Can you provide the tshark -v output? In particular, does it show with MaxMind DB resolver?

cmaynard (2018-12-31 18:11:13 +0000)

This seems like bug 14691 to me.

Jaap (2019-01-01 09:28:02 +0000)

Good catch, @Jaap; I had forgotten about that one.

cmaynard (2019-01-01 15:16:03 +0000)

Just logging same problem manifests on Ubuntu downloaded TShark (Wireshark) 2.6.5 (Git v2.6.5 packaged as 2.6.5-1~ubuntu18.04.0) "... with MaxMind DB resolver ..." and GeoLite2-ASN.mmdb file installed: ASN results show in Wireshark (same version) but not tshark.

jonathanjo (2019-01-17 12:41:59 +0000)

This issue still exists on version 2.6.6. Anything new regarding this issue? I still can't see the geo info when using tshark.

tman (2019-03-06 15:30:45 +0000)
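
The two preconditions raised in this thread (a build reporting "with MaxMind DB resolver" in tshark -v, and .mmdb files inside a directory listed by tshark -G folders) can be checked with a short script. This is an added example, not part of the original thread or of Wireshark; the function names are hypothetical, and it assumes the output formats quoted above.

```shell
#!/bin/sh
# Added diagnostic example; function names are hypothetical, not Wireshark's.

# Succeeds when `tshark -v` text on stdin reports MaxMind DB support.
has_maxmind_resolver() {
    grep -q 'with MaxMind DB resolver'
}

# Prints the unique "MaxMind database path" directories found in
# `tshark -G folders` text on stdin, one per line.
maxmind_dirs() {
    sed -n 's/^MaxMind database path:[[:space:]]*//p' | sort -u
}

# Prints each readable .mmdb file in the directories listed on stdin.
# A missing directory leaves the glob unexpanded and is skipped by -r.
find_mmdb_files() {
    while IFS= read -r dir; do
        for f in "$dir"/*.mmdb; do
            if [ -r "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
}

# Runs both checks against the installed tshark; non-zero on failure.
check_tshark_geoip() {
    command -v tshark >/dev/null 2>&1 || { echo "tshark not in PATH"; return 2; }
    if tshark -v 2>/dev/null | has_maxmind_resolver; then
        echo "OK: built with MaxMind DB resolver"
    else
        echo "FAIL: build lacks the MaxMind DB resolver"; return 1
    fi
    files=$(tshark -G folders 2>/dev/null | maxmind_dirs | find_mmdb_files)
    if [ -n "$files" ]; then
        printf 'OK: databases found:\n%s\n' "$files"
    else
        echo "FAIL: no readable .mmdb file in a searched directory"; return 1
    fi
}

# Run the checks only when invoked as: sh check_geoip.sh --run
if [ "${1:-}" = "--run" ]; then check_tshark_geoip; fi
```

Both checks passing while the GeoIP fields are still absent from the tshark output is the situation jonathanjo describes above.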