
Wireshark-dev: Re: [Wireshark-dev] GeoIP and what to expect

From: Gerald Combs <gerald@xxxxxxxxxxxxx>
Date: Wed, 14 Jan 2009 09:54:24 -0800
The GeoIP UAT entries should contain the absolute paths of directories that
contain GeoIP databases, and not the paths to the databases themselves. Try
changing one of the entries to the path of your "Downloads" directory, deleting
the other two entries, and restarting Wireshark. I've updated the tooltip in the
name resolution preferences to explain this a little better.

If the databases load correctly, you should see GeoIP data in
"Statistics->Endpoint List->IPv4" as well as in the IP packet detail.

The following GeoIP display filter fields are currently defined:

  ip.geoip.asnum
  ip.geoip.city
  ip.geoip.country
  ip.geoip.dst_asnum
  ip.geoip.dst_city
  ip.geoip.dst_country
  ip.geoip.dst_isp
  ip.geoip.dst_org
  ip.geoip.isp
  ip.geoip.org
  ip.geoip.src_asnum
  ip.geoip.src_city
  ip.geoip.src_country
  ip.geoip.src_isp
  ip.geoip.src_org

They are all strings, so you can filter using the "contains" and "matches"
operators, e.g.

  ip.geoip.asnum contains "17374"
  ip.geoip.city matches "(?i)peculiar, mo"

Peter Fuller wrote:
> I've tried out the GeoIP API, but I don't see any results. My steps:
> I've downloaded three .dat files from maxmind:
> 
> -rw-r--r--@ 1 rkm  rkm   1138900 Jan 12 22:12 Downloads/GeoIP.dat
> -rw-r--r--  1 rkm  rkm   2204468 Jan 12 22:12 Downloads/GeoIPASNum.dat
> -rw-r--r--@ 1 rkm  rkm  29945302 Jan 12 22:13 Downloads/GeoLiteCity.dat
> 
> I've updated the UAT to have one entry with the absolute path to these
> files. I have the filter preferences reference geoip information, but I
> don't know what the format of any of the values should be. I removed the
> PROTO_ITEM_SET_HIDDEN so that I could see what the values for, say,
> ip.geoip.country look like ('usa'? 'us'? 'US'?, etc), but I still get no
> values shown next to the IP addresses after recompiling.
> 
> Am I doing something wrong?
> 
> TShark 1.1.2 (SVN Rev 27212)
> 
> Copyright 1998-2009 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
> This is free software; see the source for copying conditions. There is NO
> warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
> 
> Compiled with GLib 2.14.6, with libpcap 0.9.8, with libz 1.2.3, without POSIX
> capabilities, with libpcre 4.5, with SMI 0.4.3, without c-ares, with ADNS, with
> Lua 5.1, with GnuTLS 2.2.0, with Gcrypt 1.4.0, with MIT Kerberos, with GeoIP.
> 
> Running on Darwin 9.6.0 (MacOS 10.5.6), with libpcap version 0.9.8, GnuTLS
> 2.2.0, Gcrypt 1.4.0.
> 
> Built using gcc 4.0.1 (Apple Inc. build 5465).
> 


-- 
Join us for Sharkfest’09  |  Stanford University, June 15 – 18
http://www.cacetech.com/sharkfest.09/

EARLY REGISTRATION DISCOUNTS through JANUARY 31, 2009
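The mistake in the question is the one Gerald's reply calls out: the UAT must hold directories, not the .dat files themselves. The script below is an added example, not code from the thread or from Wireshark, that checks a geoip_db_paths UAT file against exactly that rule before you restart Wireshark. It assumes the UAT file format is one record per line with the path as a single double-quoted field (the layout Wireshark uses for its user-access-table files), and it only recognises the three database names that appear in the question; every function name is this example's own.

```python
"""Check a Wireshark 'geoip_db_paths' UAT file for the mistakes a user can make:
entries that point at a database file instead of its directory, relative paths,
missing directories, and directories with no databases in them.

Added example; not part of the original thread or of Wireshark.
Assumed UAT layout: one double-quoted directory path per line.
"""
import os
import re
import tempfile

# Database file names mentioned in the thread; any other .dat is reported
# as unrecognised rather than silently trusted.
KNOWN_DBS = {"GeoIP.dat": "country",
             "GeoLiteCity.dat": "city",
             "GeoIPASNum.dat": "asnum"}

# One record: a single double-quoted field, with "" as the escaped quote.
_RECORD = re.compile(r'^\s*"((?:[^"]|"")*)"\s*$')


def parse_uat(text):
    """Return (paths, malformed_lines) from the text of a geoip_db_paths file.

    Blank lines and '#' comments are skipped; anything else that is not a
    single quoted field is reported instead of being ignored.
    """
    paths, malformed = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _RECORD.match(line)
        if m:
            paths.append(m.group(1).replace('""', '"'))
        else:
            malformed.append(line)
    return paths, malformed


def check_entry(path):
    """Classify one entry: the reply above requires an absolute directory."""
    if not os.path.isabs(path):
        return {"path": path, "status": "not_absolute", "databases": {}}
    if os.path.isfile(path):
        # The error from the question: the entry names GeoIP.dat itself.
        return {"path": path, "status": "file_not_directory", "databases": {}}
    if not os.path.isdir(path):
        return {"path": path, "status": "missing", "databases": {}}
    dbs = {name: KNOWN_DBS.get(name, "unrecognised")
           for name in sorted(os.listdir(path)) if name.endswith(".dat")}
    return {"path": path,
            "status": "ok" if dbs else "no_databases",
            "databases": dbs}


def check_uat(text):
    """Check every entry of a UAT file's text; returns (results, malformed)."""
    paths, malformed = parse_uat(text)
    return [check_entry(p) for p in paths], malformed


def demo():
    """Run the checker over a constructed directory layout and UAT file."""
    root = tempfile.mkdtemp()
    downloads = os.path.join(root, "Downloads")
    os.mkdir(downloads)
    for name in ("GeoIP.dat", "GeoIPASNum.dat", "GeoLiteCity.dat"):
        with open(os.path.join(downloads, name), "wb") as f:
            f.write(b"\x00" * 16)  # placeholder bytes, not a real database
    empty = os.path.join(root, "empty")
    os.mkdir(empty)
    uat = "\n".join([
        '"%s"' % downloads,                             # correct: a directory
        '"%s"' % os.path.join(downloads, "GeoIP.dat"),  # wrong: the file itself
        '"%s"' % empty,                                 # directory, no .dat files
        '"relative/dir"',                               # not an absolute path
        'not a quoted record',                          # malformed line
    ])
    results, malformed = check_uat(uat)
    return ([r["status"] for r in results],
            sorted(results[0]["databases"]),
            malformed)


if __name__ == "__main__":
    statuses, dbs, bad = demo()
    for s in statuses:
        print(s)
    print("databases in first entry:", ", ".join(dbs))
    print("malformed lines:", bad)
```

Point `check_uat` at the geoip_db_paths file in your Wireshark profile directory; any entry that comes back `file_not_directory` is the case from this thread, and `no_databases` means the directory is right but Wireshark will still have nothing to load.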