Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2019-04-11 20:57:11 +0000

cmaynard gravatar image

Due to Bug 14691 - tshark does not print GeoIP information, you may not be able to reliably accomplish this with tshark yet; however, you should be able to use Wireshark.

Steps:

  1. Open capture file
  2. Statistics -> Endpoints
  3. Copy -> as CSV
  4. Open new, empty text file
  5. Paste copied data into new file
  6. Save file with .csv extension
  7. Open file in Excel

Once Bug 14691 is resolved, then you should be able to use tshark. Check the man page for more options, but a simple example might be:

tshark -r file.pcap -T fields -E separator=, -E quote=d -e ip.src -e ip.geoip.src_country  -e ip.geoip.src_city -e ip.dst -e ip.geoip.dst_country -e ip.geoip.dst_city > file.csv

Add as many fields as you wish using repeated -e options. You can check the Wireshark Internet Protocol Version 4 Display Filter Reference page for other geoip-related fields you might be interested in.