Can't extract MaxMind DB columns from tshark

asked 2018-12-19 14:38:43 +0000 by JohnSynAck

updated 2018-12-31 18:12:14 +0000 by cmaynard

Hi, I compiled tshark on Linux without the GUI (Wireshark 2.6.4). I downloaded the GeoIP database mmdb files. When I typed tshark -G folders I got:

MaxMind database path:  /usr/share/GeoIP
MaxMind database path:  /var/lib/GeoIP
MaxMind database path:  /usr/share/GeoIP

I put my files in there, but it didn't extract the data. I tried running the command like this:

tshark -r test.pcap -o "ip.use_geoip: TRUE" -T json

I didn't get the GeoIP columns. Do you have any suggestions as to why it doesn't work? Thanks.

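A small diagnostic for the symptom described in the question, added here as an example; it is not code from the original post or from the Wireshark project. It reads the output of the same command the poster ran (tshark -r test.pcap -o "ip.use_geoip: TRUE" -T json) and reports, per frame, which ip.geoip.* fields are present, so you can tell a lookup that produced nothing from a lookup whose fields simply landed somewhere you were not looking. The embedded JSON is a constructed sample in the shape of tshark's -T json output; the addresses, country and ASN values in it are made up, and the ip.geoip.* field names are assumed to follow Wireshark 2.6's naming.

```python
"""Check whether `tshark -T json` output actually carries MaxMind GeoIP fields."""
import json
import sys

# Constructed sample in the shape of `tshark -T json` output: a list of packet
# objects, each with _source.layers.<protocol>.<field>. Frame 1 shows what a
# successful MaxMind lookup adds; frame 2 is what the question describes (an IP
# packet with no ip.geoip.* keys at all). Addresses and GeoIP values are made
# up; field names are assumed to follow Wireshark 2.6's ip.geoip.* naming.
SAMPLE_JSON = json.dumps([
    {"_index": "packets-2018-12-19", "_type": "pcap_file", "_score": None,
     "_source": {"layers": {
         "frame": {"frame.number": "1"},
         "ip": {"ip.src": "198.51.100.7", "ip.dst": "192.0.2.10",
                "ip.geoip.src_country": "Netherlands",
                "ip.geoip.src_asnum": "64496",
                "ip.geoip.src_as_org": "Example Transit"}}}},
    {"_index": "packets-2018-12-19", "_type": "pcap_file", "_score": None,
     "_source": {"layers": {
         "frame": {"frame.number": "2"},
         "ip": {"ip.src": "203.0.113.9", "ip.dst": "192.0.2.10"}}}},
])

GEOIP_PREFIX = "ip.geoip."


def _walk(node):
    """Yield (key, value) for every leaf in a nested dict/list tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if isinstance(value, (dict, list)):
                yield from _walk(value)
            else:
                yield key, value
    elif isinstance(node, list):
        for item in node:
            yield from _walk(item)


def _layers(packet):
    return packet.get("_source", {}).get("layers", {})


def geoip_fields(packet):
    """Return {field: value} for every ip.geoip.* field in one packet.

    Walks the whole layer tree rather than only the top level of the "ip"
    layer, so it finds the fields whether tshark emits them flat or nested
    under a subtree.
    """
    return {k: v for k, v in _walk(_layers(packet)) if k.startswith(GEOIP_PREFIX)}


def geoip_report(json_text):
    """Parse tshark -T json text; return [(frame number, geoip dict), ...]."""
    report = []
    for packet in json.loads(json_text):
        frame = _layers(packet).get("frame", {}).get("frame.number")
        report.append((frame, geoip_fields(packet)))
    return report


def packets_missing_geoip(json_text):
    """Frame numbers of packets that have an ip layer but no ip.geoip.* field.

    A non-empty result with ip.use_geoip set is exactly the symptom in the
    question: the resolver produced no columns for those packets.
    """
    missing = []
    for packet in json.loads(json_text):
        if "ip" in _layers(packet) and not geoip_fields(packet):
            missing.append(_layers(packet).get("frame", {}).get("frame.number"))
    return missing


if __name__ == "__main__":
    # Usage: tshark -r test.pcap -o "ip.use_geoip: TRUE" -T json > out.json
    #        python3 geoip_check.py out.json
    # With no argument the embedded constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_JSON
    for frame, fields in geoip_report(text):
        print(frame, fields or "<no ip.geoip.* fields>")
    print("frames missing GeoIP:", packets_missing_geoip(text))
```

If every IP frame comes back in the missing list, the fields were never produced, and the first thing to check is the one cmaynard asks about below: whether tshark -v reports "with MaxMind DB resolver" at all. If only some frames are missing, the databases are being consulted and the addresses in question simply have no entry.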

Comments

Can you provide the tshark -v output? In particular, does it show "with MaxMind DB resolver"?

cmaynard (2018-12-31 18:11:13 +0000)

This seems like bug 14691 to me.

Jaap (2019-01-01 09:28:02 +0000)

Good catch, @Jaap; I had forgotten about that one.

cmaynard (2019-01-01 15:16:03 +0000)

Just logging that the same problem manifests on the Ubuntu-downloaded TShark (Wireshark) 2.6.5 (Git v2.6.5 packaged as 2.6.5-1~ubuntu18.04.0) "... with MaxMind DB resolver ..." with the GeoLite2-ASN.mmdb file installed: ASN results show in Wireshark (same version) but not in tshark.

jonathanjo (2019-01-17 12:41:59 +0000)

This issue still exists in version 2.6.6. Is there anything new regarding this issue? I still can't see the geo info when using tshark.

tman (2019-03-06 15:30:45 +0000)