FastNetMon

Tuesday 21 April 2015

How to enable GeoIP support in tshark / Wireshark console

First of all you need to install the GeoIP databases.

On a Debian system you can do it with apt-get:

apt-get install -y geoip-database

Then you should tell Wireshark which folder contains the GeoIP databases:

mkdir -p ~/.wireshark
echo '"/usr/share/GeoIP"' > ~/.wireshark/geoip_db_paths

Finally, you can call tshark with GeoIP lookup enabled:

tshark -n -i venet0 -V  -o "ip.use_geoip: TRUE" -c 1

As a result you will get the following output:
   Source: xx.xx.xx.xx (xx.xx.xx.xx)
   Destination: xx.xx.xx.xx (xx.xx.xx.xx)
   [Source GeoIP: Germany]
       [Source GeoIP Country: Germany]
   [Destination GeoIP: Germany]
       [Destination GeoIP Country: Germany]
If you want to use this ability in console scripts, I recommend the following approach (one line per packet, fields separated by a tab):
tshark -n -i venet0 -V  -o "ip.use_geoip: TRUE" -T fields -e ip.dst -e ip.geoip.dst_country 
It will provide something like this:
117.169.1.130 China
117.169.1.130 China
117.169.1.130 China
117.169.1.130 China
117.169.1.130 China
117.169.1.130 China
117.169.1.130 China
You can also use GeoIP fields in filters:

tshark -n -i venet0  -o "ip.use_geoip: TRUE" -R "ip.geoip.country==China"
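The raw `-T fields` output above repeats one line per packet, which is rarely what a console script wants. The following script is an added example, not part of the original post: it turns that output into a per-country destination count, the kind of summary that makes a sudden shift in where traffic is going easy to spot. The `count_by_country` function reads `ip.dst<TAB>ip.geoip.dst_country` lines on stdin; the sample input is constructed here (the addresses and countries are made up), and the `live_summary` wrapper simply pipes the tshark invocation from the post into the same function, with the interface name and packet count as assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): aggregate tshark's per-packet
# GeoIP field output into a per-country count.
#
# Expected input format is what the post's command produces:
#   tshark -n -o "ip.use_geoip: TRUE" -T fields -e ip.dst -e ip.geoip.dst_country
# i.e. one packet per line, "<ip.dst><TAB><country>", with an empty second
# column when the address has no GeoIP match (private or unlisted ranges).

# Count destination packets per country. Reads tshark -T fields output on
# stdin; an empty country column is counted under "unknown".
# Output: "<count> <country>", sorted by count, highest first.
count_by_country() {
    awk -F'\t' '{
        country = ($2 == "") ? "unknown" : $2
        n[country]++
    } END {
        for (c in n) printf "%d %s\n", n[c], c
    }' | sort -rn
}

# Constructed sample of tshark -T fields output (not captured from a real
# host): 3 packets to China, 2 to Germany, 1 to an address with no GeoIP entry.
sample_input() {
    printf '117.169.1.130\tChina\n'
    printf '117.169.1.130\tChina\n'
    printf '203.0.113.7\tGermany\n'
    printf '117.169.1.130\tChina\n'
    printf '192.0.2.10\t\n'
    printf '203.0.113.7\tGermany\n'
}

# Summary over the constructed sample; runs without tshark installed.
sample_summary() {
    sample_input | count_by_country
}

# Summary over a live capture, when tshark is available. The interface
# (default venet0, as in the post) and the packet count are assumptions.
live_summary() {
    tshark -n -i "${1:-venet0}" -o "ip.use_geoip: TRUE" -T fields \
        -e ip.dst -e ip.geoip.dst_country -c "${2:-100}" 2>/dev/null \
        | count_by_country
}

sample_summary
```

For the constructed sample the script prints `3 China`, `2 Germany`, `1 unknown`. To run it against real traffic, call `live_summary eth0 500` instead of `sample_summary`; because `count_by_country` only depends on the two-column layout, the same function works on a saved capture read with `tshark -r file.pcap` too.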
