Ask Your Question
0

GeoIP with Tshark in linux without GUI

asked 2018-12-17 09:18:30 +0000

JohnSynAck gravatar image

Hi, I compiled the source code of wireshark with out wireshark(it's a vm without GUI). Then i searched for place to put the Maxmind.dat files.. i found some various places to put it in there, but i couldn't extract the geoip.country with tshark. Example of my tshark command: tshark -r test.pcap -T json -e ip.geoip.src_country

The places i tried to put the geoip_db_paths file: /usr/share/wireshark, /usr/local/lib/wireshark, /usr/local/lib64/wireshark, /usr/local/include/wirehshark /usr/local/shark/wireshark

Thanks.

edit retag flag offensive close merge delete

Comments

Hi

Can you let us know exactly how you compiled this please. I Have the same issue, GeoIP works when tshark is installed from package, but not compiled.

Many thanks

GB_123 gravatar imageGB_123 ( 2020-04-11 15:25:03 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-12-17 09:56:11 +0000

grahamb gravatar image

Note that there was a change to GeoIP from Wireshark 2.6 onwards, we now use the GeoLite2 databases and API, see the wiki page on How To Use GeoIP for more info.

You can see the built in paths for the GeoIP pages by using the tshark option -G folders which shows all directory locations currently used by tshark.

edit flag offensive delete link more

Comments

If I don't have GeoIP paths there? Do I need to recompile it with other args? Today i compiling wireshark like this: cmake -DBUILD_wireshark=OFF then, make and make install

JohnSynAck gravatar imageJohnSynAck ( 2018-12-17 17:44:40 +0000 )edit

And what does tshark -G folders produce for you, no "MaxMind database path" entries?

When you run the cmake step, does the output show "MaxMindDB" under the "found" packages, e.g.

-- The following OPTIONAL packages have been found:

...
 * MaxMindDB
...

If not, then you'll need to install the appropriate MaxMind support library in a place that can be found by CMake. You'll need to report the platform\distribution you're using if you want us to help with that, but the MaxMind GitHub page might help.

grahamb gravatar imagegrahamb ( 2018-12-17 18:12:03 +0000 )edit

It's working, Thank you very much!

JohnSynAck gravatar imageJohnSynAck ( 2018-12-17 18:50:49 +0000 )edit

For the benefit of others who may have the same issue, can you post a comment on what you changed to get it working?

grahamb gravatar imagegrahamb ( 2018-12-17 19:09:05 +0000 )edit

I installed libmaxminddb and recompiled tshark.

JohnSynAck gravatar imageJohnSynAck ( 2018-12-19 14:23:14 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-12-17 09:18:30 +0000

Seen: 693 times

Last updated: Dec 17 '18

Related questions

install tshark on windows with non admin user

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Failed to run MSBuild command (CMake Error at CMakeLists.txt:22 (project))

No CMAKE_C(XX)_COMPILER could be found

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

Help to set up a "pass through bridge" sniffer

can I install only tshark?

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2