Due to Bug 14691 - tshark does not print GeoIP information, you may not be able to reliably accomplish this with tshark yet; however, you should be able to use Wireshark.
Steps:
Once Bug 14691 is resolved, then you should be able to use tshark. Check the man page for more options, but a simple example might be:
tshark -r file.pcap -T fields -E separator=, -E quote=d -e ip.src -e ip.geoip.src_country -e ip.geoip.src_city -e ip.dst -e ip.geoip.dst_country -e ip.geoip.dst_city > file.csv
Add as many fields as you wish using repeated -e options. You can check the Wireshark Internet Protocol Version 4 Display Filter Reference page for other geoip-related fields you might be interested in.
Hi. Thank you for your comments. I have been using your example: tshark -r file.pcap - T fields -E separator=... and it works well directly from the command line...no bugs. It sends the file to Excel and displays it...works well. So what I would like to do is geo locate the ip address from Excel. According to the "Overview Method" description in this link: https://labs.mwrinfosecurity.com/blog... ...it is possible. Are you familiar with this; is there an easier way ??
I'm not familiar with doing this from within Excel, but if Wireshark is already providing you with the lookup information, I don't really see the need. If that's what you want though, and you're having difficulties with it, then maybe try contacting MWR Infosecurity for help with it?
I will try with your "complete" example as you typed it. No reason why it shouldn't work.
Hi. I tested: tshark -r test.pcap -T fields -E header=y -E separator=, -e ip.src -e ip.geoip.src_country ...the command displays the source ip address and the port..only...syntax issue ?? I'm working with tshark version 3.0.0...Can I ask you to test the command in your PC and let me know what you get ??
Why not use the GeoIP functionality of tshark/wireshark?
See:
I've been using the update_geoip.bat file I wrote and posted on the Wireshark Toolswiki page to download the Maxmind database files. The batch file was inspired by Jasper's [UpdateGeoIPDB.cmd] (https://github.com/packetfoo/GeoIPDBU...) file, but has some enhancements to it, such as not actually downloading the files if you already have the latest versions, and using built-in Windows tools to try to avoid additional dependencies if possible, to name a couple. Run update_geoip.bat -h for help or just view the batch file in any text editor to see what it does.
I had assumed that the person asking the question already had the Maxmind database files and had already configured Wireshark to use them, but if not then obviously that is required first. Getting the database files and configuring Wireshark is only the first step though; my answer describes how to get the ...
Hi. I'm new to tshark. How do I look at bug 14691? What did you discover in 14691? I tested: tshark -r test.pcap -T fields -E separator=, -E quote=d -e ip.src -e ip.geoip.src_country...it displays the source ip address and the port..only...in version 3.0.0 of tshark.
Asked: 2019-04-11 18:25:14 +0000
Seen: 1,300 times
Last updated: Apr 11 '19
