GeoIP with Tshark in linux without GUI

asked 2018-12-17 09:18:30 +0000

JohnSynAck

Hi, I compiled the source code of Wireshark without wireshark (it's a VM without a GUI). Then I searched for a place to put the MaxMind .dat files. I found various places to put them, but I couldn't extract them with tshark. Example of my tshark command: tshark -r test.pcap -T json -e ip.geoip.src_country

The places I tried to put the geoip_db_paths file: /usr/share/wireshark, /usr/local/lib/wireshark, /usr/local/lib64/wireshark, /usr/local/include/wireshark, /usr/local/shark/wireshark


Can you let us know exactly how you compiled this please? I have the same issue: GeoIP works when tshark is installed from a package, but not when compiled.

Many thanks

GB_123 ( 2020-04-11 15:25:03 +0000 )

1 Answer

answered 2018-12-17 09:56:11 +0000

grahamb

Note that there was a change to GeoIP from Wireshark 2.6 onwards: we now use the GeoLite2 databases and API. See the wiki page on How To Use GeoIP for more info.

You can see the built-in paths for the GeoIP pages by using the tshark option -G folders, which shows all directory locations currently used by tshark.

What if I don't have GeoIP paths there? Do I need to recompile it with other args? Today I compile wireshark like this: cmake -DBUILD_wireshark=OFF, then make and make install

JohnSynAck ( 2018-12-17 17:44:40 +0000 )

And what does tshark -G folders produce for you, no "MaxMind database path" entries?

When you run the cmake step, does the output show "MaxMindDB" under the "found" packages, e.g.

-- The following OPTIONAL packages have been found:

 * MaxMindDB

If not, then you'll need to install the appropriate MaxMind support library in a place that can be found by CMake. You'll need to report the platform/distribution you're using if you want us to help with that, but the MaxMind GitHub page might help.

grahamb ( 2018-12-17 18:12:03 +0000 )

It's working, thank you very much!

JohnSynAck ( 2018-12-17 18:50:49 +0000 )

For the benefit of others who may have the same issue, can you post a comment on what you changed to get it working?

grahamb ( 2018-12-17 19:09:05 +0000 )

I installed libmaxminddb and recompiled tshark.

JohnSynAck ( 2018-12-19 14:23:14 +0000 )
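The diagnosis in the answer and comments above (is tshark built against libmaxminddb, does tshark -G folders list a MaxMind database path, and is a database actually in that directory) as an added checker script; this is example code, not from the thread or the Wireshark project. It assumes that tshark --version reports "with MaxMind DB resolver" and that tshark -G folders prints one "Name: path" line per folder; the sample outputs are constructed.

```python
import re
import shutil
import subprocess
from pathlib import Path

# Constructed sample output; the real commands are `tshark --version`
# and `tshark -G folders` (the "with MaxMind DB resolver" wording and
# the "Name: path" line layout are assumptions about their format).
SAMPLE_VERSION = "Compiled (64-bit) with libpcap, with MaxMind DB resolver, with zlib"
SAMPLE_FOLDERS = """\
Temp:                   /tmp
Global configuration:   /usr/local/share/wireshark
MaxMind database path:  /usr/share/GeoIP
MaxMind database path:  /var/lib/GeoIP
"""


def built_with_maxmind(version_output):
    """True when the build links libmaxminddb ("without MaxMind" does not match)."""
    return re.search(r"\bwith MaxMind", version_output) is not None


def maxmind_paths(folders_output):
    """Directories tshark will search for .mmdb files, from `tshark -G folders`."""
    return [m.group(1).strip()
            for m in (re.match(r"^MaxMind database path:\s*(\S.*)$", ln)
                      for ln in folders_output.splitlines()) if m]


def diagnose(version_output, folders_output, present_files):
    """Explain why ip.geoip.* fields may be empty; present_files lists .mmdb paths."""
    if not built_with_maxmind(version_output):
        return "built without libmaxminddb: install it, re-run cmake and rebuild"
    dirs = maxmind_paths(folders_output)
    if not dirs:
        return "no MaxMind database path configured (check tshark -G folders)"
    found = [f for f in present_files
             if f.endswith(".mmdb") and str(Path(f).parent) in dirs]
    if not found:
        return "no .mmdb files found in: " + ", ".join(dirs)
    return "ok, databases: " + ", ".join(found)


def run(args):
    return subprocess.run(args, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    if shutil.which("tshark"):  # inspect the real binary when available
        version, folders = run(["tshark", "--version"]), run(["tshark", "-G", "folders"])
        files = [str(p) for d in maxmind_paths(folders) for p in Path(d).glob("*.mmdb")]
        print(diagnose(version, folders, files))
    else:  # offline: exercise the checks on the constructed sample
        print(diagnose(SAMPLE_VERSION, SAMPLE_FOLDERS, ["/var/lib/GeoIP/GeoLite2-Country.mmdb"]))
```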
