Wireshark GeoIP resolution setup V2.0

I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later, I had to decide whether to replace that one with an updated version or to write a second, updated post instead. I chose the second option.

Since it happens that users run old Wireshark versions for various reasons, I decided against rewriting the existing blog post, even though I always recommend choosing the latest stable version. But sometimes it can’t be helped, e.g. when OS repositories like Debian’s APT only offer old versions, or if you need a specific version to run custom plugins. Anyway, if you need to set up GeoIP resolution for versions before Wireshark 2.6, look at this post instead.

In general GeoIP resolution maps IP addresses to physical locations and/or ASNs. This can be helpful to determine the origin or target of a communication, e.g. when performing network forensic tasks.

Wireshark 2.6 and GeoLite2

Starting with Wireshark 2.6, the format of the GeoIP database used by Wireshark has changed to the newer GeoLite2 format of the MaxMind databases. If you had configured an older Wireshark version with the previous “legacy” databases, you’ll have to remove the old legacy DB files and replace them with the new ones, and reconfigure the 2.6 installation with new preference settings that point it to the database files. But first, you need to get them at https://dev.maxmind.com/geoip/geoip2/geolite2/

Update: MaxMind has changed the access to the database to require a personal account, which is free of charge. You need to create an account before you can download the files you need. The reasons for that are explained in a blog post here: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/

So first, create your account, probably similar to this:

They will send you an email to set (“reset”) your password, containing a link you need to open. After you have created your account, write down/save your credentials (and the API access token they give you during the initial password reset, in case you want to automate the download later). After you log in, click the “Download Databases” link in your “Account Summary” page:

In the list of available files, get the ones for “GeoLite2 ASN”, “GeoLite2 City” and “GeoLite2 Country” as GZIPed files:


Unpack the database files into a directory of your choice. I usually put them into a subdirectory of my Wireshark profile folder, which would be c:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP:

Figure 2 – GeoIP Database Folder

Hint: Make sure that you put the .mmdb files into the directory you want to use, not the compressed archives. Also, do not put the files in subfolders – they all need to be in a single directory.

Then it’s time to reconfigure Wireshark:

Figure 3 – Wireshark GeoIP folder setup

In my experience, Wireshark doesn’t always immediately show GeoIP resolutions, but at least after restarting it the decode pane should show the results:

Figure 4 – Wireshark GeoIP Resolution

Auto Updating the database files

I wrote a small Windows batch script that pulls the latest files from the MaxMind website and unpacks them into a directory. You can use it e.g. as something that the Task Scheduler runs every once in a while to keep your files current. I put the script on GitHub here:

https://github.com/packetfoo/GeoIPDBUpdate

Update: the auto update described above only worked until they required a login. Now there’s a page MaxMind set up describing the update process, at least for Linux/*nix operating systems: https://dev.maxmind.com/geoip/geoipupdate/
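Whichever way you fetch the archives, the unpacking step is where the hint above (flat directory, .mmdb files only, no archives) tends to go wrong when automated. The following Python example is added here and is not the post’s GeoIPDBUpdate script or anything from MaxMind: it pulls every .mmdb member out of a tar.gz into one flat directory and refuses archive entries that would escape that directory. The archive layout it assumes (a dated folder such as GeoLite2-City_20180501 containing the .mmdb) mirrors what MaxMind ships, but the sample archive and its contents are constructed inside the example.

```python
"""Flatten GeoLite2 .mmdb files out of MaxMind-style tar.gz archives (added example)."""
import io
import os
import tarfile
import tempfile
from pathlib import Path


def extract_mmdb(archive_path, dest_dir):
    """Extract every *.mmdb member of archive_path directly into dest_dir.

    The dated folder inside the archive (assumed layout, e.g.
    GeoLite2-City_20180501/GeoLite2-City.mmdb) is dropped so that all .mmdb
    files end up side by side in one directory, which is what Wireshark wants.
    Members with absolute names or '..' components, and members that are not
    regular .mmdb files, are skipped instead of being written anywhere.
    Returns the list of paths written.
    """
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            name = member.name
            # refuse anything that does not stay inside the archive root
            if os.path.isabs(name) or ".." in Path(name).parts:
                continue
            if not member.isfile() or not name.endswith(".mmdb"):
                continue
            target = dest / Path(name).name  # basename only -> flat directory
            src = tar.extractfile(member)
            with open(target, "wb") as out:
                out.write(src.read())
            written.append(str(target))
    return written


def build_sample_archive(path, dated_folder="GeoLite2-City_20180501"):
    """Write a constructed tar.gz laid out like a MaxMind download, for the demo.

    Contents are placeholder bytes, not a real database; the '../' entry is
    there to show that a hostile member name is ignored.
    """
    payload = {
        f"{dated_folder}/GeoLite2-City.mmdb": b"constructed-mmdb-bytes",
        f"{dated_folder}/COPYRIGHT.txt": b"not a database",
        "../escaped.mmdb": b"must never be written",
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in payload.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Round trip: build the sample archive, flatten it, report what landed.

    Returns (names written, directory listing) so the two can be compared.
    """
    with tempfile.TemporaryDirectory() as tmp:
        archive = build_sample_archive(os.path.join(tmp, "GeoLite2-City.tar.gz"))
        out_dir = os.path.join(tmp, "GeoIP")
        files = extract_mmdb(archive, out_dir)
        return [Path(f).name for f in files], sorted(os.listdir(out_dir))


if __name__ == "__main__":
    print(demo())
```

For real downloads, call extract_mmdb once per archive (City, ASN, Country) with the same dest_dir, e.g. your Wireshark profile’s GeoIP folder; the directory listing afterwards should contain exactly the three .mmdb files and nothing else.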

Command line bonus

If you looked closely at the Wireshark 2.6 installer you may have noticed that there is a new command line utility called mmdbresolve. This is a tool that can be used to perform GeoIP resolutions via the CLI. First I tried it like this (my inputs are the lines starting with the [C:\Program Files\Wireshark] prompt; they were highlighted in green):

[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb 81.209.179.74
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
Usage: mmdbresolve -f db_file [-f db_file ...]

[C:\Program Files\Wireshark]

This obviously didn’t work. Using the tool without an IP address put it into an interactive mode:

[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
81.209.179.74
[81.209.179.74]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# End 81.209.179.74

^C
[C:\Program Files\Wireshark]

But after fiddling around a bit I found a way to get it to work:

[C:\Program Files\Wireshark]echo 81.209.179.81 | mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
db.1.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb
db.1.status: OK
db.2.type: GeoLite2-ASN
db.2.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
db.2.status: OK
db.3.type: GeoLite2-Country
mmdbresolve.status: true
# End init
[81.209.179.81]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 81.209.179.81

[C:\Program Files\Wireshark]
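Since mmdbresolve reads addresses from stdin (which is why the echo pipe works), it is easy to drive from a script, and its output is regular enough to parse: a [ip] header, one “# DB type” line per database, key: value lines, and a “# End ip” trailer. The following Python example is added here and is not part of Wireshark or of the post: it pipes a list of addresses into mmdbresolve, parses the result into nested dictionaries, and checks the [init] block so a missing or broken database file is noticed instead of silently producing empty lookups. The parser is exercised with output copied from the session above, so that part runs without the databases installed; the mmdbresolve location and the database paths are assumptions.

```python
"""Drive Wireshark's mmdbresolve from Python and parse its output (added example)."""
import shutil
import subprocess

# Output of a mmdbresolve run, copied from the session in the post and embedded
# here as sample input so the parser can be exercised without the databases.
SAMPLE_OUTPUT = r"""[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
db.1.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb
db.1.status: OK
db.2.type: GeoLite2-ASN
db.2.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
db.2.status: OK
db.3.type: GeoLite2-Country
mmdbresolve.status: true
# End init
[81.209.179.81]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 81.209.179.81
"""


def parse_mmdbresolve(text):
    """Parse mmdbresolve output into (init, results).

    init    maps the keys of the [init] block (db.N.path, db.N.status, ...).
    results maps ip -> db type -> {key: value}.
    A '[x]' line opens a block, '# End x' closes it, and inside an address
    block a '# <DB type>' line selects which database the following
    'key: value' lines belong to.
    """
    init = {}
    results = {}
    current_ip = None
    current_db = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current_ip = line[1:-1]
            current_db = None
            if current_ip != "init":
                results.setdefault(current_ip, {})
            continue
        if line.startswith("# End"):
            current_ip = current_db = None
            continue
        if line.startswith("# "):
            current_db = line[2:]
            if current_ip and current_ip != "init":
                results[current_ip].setdefault(current_db, {})
            continue
        key, sep, value = line.partition(":")  # first ':' only; paths keep theirs
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if current_ip == "init":
            init[key] = value
        elif current_ip and current_db:
            results[current_ip][current_db][key] = value
    return init, results


def databases_loaded(init):
    """True only if the [init] block lists at least one database and all report OK."""
    statuses = [v for k, v in init.items() if k.startswith("db.") and k.endswith(".status")]
    return bool(statuses) and all(v == "OK" for v in statuses)


def resolve(ips, db_files, exe="mmdbresolve"):
    """Pipe one address per line into mmdbresolve (like 'echo ip | mmdbresolve').

    exe is assumed to be on PATH or given as a full path; db_files are the
    .mmdb files to pass with -f. Raises if a database failed to load.
    """
    if shutil.which(exe) is None:
        raise FileNotFoundError(f"{exe} not found; install Wireshark 2.6+ or pass its full path")
    cmd = [exe]
    for db in db_files:
        cmd += ["-f", str(db)]
    proc = subprocess.run(cmd, input="\n".join(ips) + "\n", capture_output=True, text=True, check=False)
    init, results = parse_mmdbresolve(proc.stdout)
    if not databases_loaded(init):
        raise RuntimeError(f"mmdbresolve could not load every database: {init}")
    return results


if __name__ == "__main__":
    init, results = parse_mmdbresolve(SAMPLE_OUTPUT)
    print("databases loaded:", databases_loaded(init))
    for ip, per_db in results.items():
        print(ip, per_db.get("GeoLite2-ASN", {}), per_db.get("GeoLite2-Country", {}))
```

A realistic call would be resolve(["81.209.179.81"], [r"C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb", ...]) with the full path to mmdbresolve.exe as exe on Windows; the returned dictionary then gives e.g. results["81.209.179.81"]["GeoLite2-ASN"]["autonomous_system_number"]. Note that the numbering in the [init] block is the tool’s own (db.N.type is printed under N+1), which is why the loader check only looks at the db.N.status keys.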

Have fun.


Discussions — 16 Responses

  • Johannes Weber May 7, 2018 on 10:17 am

    Do you already have experiences with IPv6 and GeoIP?

    Reply
    • Jasper (in reply to Johannes Weber) May 7, 2018 on 11:03 pm

      Yes, as far as having seen that it worked, using the beta IPv6 databases in legacy format – I didn’t really verify the results though.

      Reply
  • Christopher Maynard May 7, 2018 on 4:05 pm

    REM Below is a basic batch file to help with GeoIP lookups from the command-line.

    @ECHO OFF
    SETLOCAL

    REM Name of this script, shown in the usage message
    SET BAT=%~NX0
    IF "%~1" == "" (
    GOTO USAGE
    )

    REM The .mmdb files are expected in the Wireshark profile folder
    SET GEOIP_PATH=%APPDATA%\Wireshark\GeoIP
    ECHO %1 | mmdbresolve -f %GEOIP_PATH%\GeoLite2-City.mmdb -f %GEOIP_PATH%\GeoLite2-ASN.mmdb -f %GEOIP_PATH%\GeoLite2-Country.mmdb
    GOTO :EOF

    :USAGE
    REM The argument placeholder was cut off on the page and is reconstructed here; ^ escapes the angle brackets for ECHO
    ECHO Usage: %BAT% ^<ip_address^>

    Reply
  • Gerald Combs May 7, 2018 on 8:16 pm

    If you’re using Wireshark 2.4 or earlier you should be aware that MaxMind is discontinuing their GeoLite Legacy databases: https://dev.maxmind.com/geoip/legacy/geolite/

    Reply
    • Jasper (in reply to Gerald Combs) May 7, 2018 on 11:04 pm

      Thanks Gerald, maybe that’ll move a few more people off of old Wireshark versions 😀

      Reply
  • Christopher Maynard May 7, 2018 on 8:49 pm

    Note that there is a bug with the Endpoints dialog with respect to GeoIP lookups: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14656

    Reply
    • Jasper (in reply to Christopher Maynard) May 7, 2018 on 11:01 pm

      Thanks, Chris, that’s good to know 🙂

      Reply
  • Vladimir May 8, 2018 on 10:55 am

    Just wondered why my 192.168.99.101 local IP was interpreted as ‘Guam Yigo Village’ 🙂

    Reply
    • Jasper (in reply to Vladimir) May 8, 2018 on 11:06 am

      LOL – maybe someone sneaked that info into the DB files 😀

      Reply
  • Christian Reusch May 10, 2018 on 7:00 pm

    Very useful article. Was not aware of that change before I read your article

    Reply
  • Timo May 11, 2018 on 8:44 am

    Do you have any articles for IP2Location LITE?

    Reply
    • Jasper (in reply to Timo) May 11, 2018 on 11:35 am

      No, sorry – I assume you mean using IP2Location LITE with Wireshark? As far as I know Wireshark doesn’t support IP2Location databases – if you’d like to see them to be supported I’d recommend opening a feature request at https://bugs.wireshark.org. Maybe somebody will look into it then.

      Reply
  • JMcGill August 27, 2018 on 7:42 am

    Hi,
    I use Ubuntu and Wireshark 2.6.
    I have copied the new GeoIP2 mmdb files into /usr/share/GeoIP and /var/lib/GeoIP. Then pointed Wireshark to the proper folders, restarted, and still no GeoIP information in the decode window or in the Endpoints window.

    Do you have any ideas or could you provide a walkthrough? Thank you.

    Reply
    • Jasper (in reply to JMcGill) August 27, 2018 on 11:21 am

      I am not sure why it’s not working. I tried the same setup as you have (database files in /usr/share/GeoIP) as well as putting them in a subfolder of my wireshark config directory in my home path (I also changed the permissions accordingly). Neither worked, not even when running Wireshark as root (which shouldn’t be done anyway). I’m not exactly sure why, but you might want to open a bug report at https://bugs.wireshark.org.

      Reply
  • Sergio December 27, 2018 on 5:11 pm

    Hi! This is a very helpful article. Just one question, I followed all the steps and my GeoIP is working normally in Wireshark, I mean I can see the country and city of each packet in Endpoints window. But, the Map button isn’t showing in this window. What can be happening? I’m using Wireshark version 2.6.0. Thanks in advance!

    Reply
    • Jasper (in reply to Sergio) December 27, 2018 on 7:19 pm

      Hi Sergio, thanks for the feedback. As far as I know the Map button has not been ported to the Qt GUI version (which replaces GTK since Wireshark version 2.0), so for the time being there won’t be a map until someone implements this feature. Sorry!

      Reply
