Wireshark GeoIP resolution setup V2.0
I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later I had to decide if I replace that one with an updated version, or to write a second, updated post instead. I choose the second option.
Since it happens that users run on old Wireshark versions for various reasons I decided against rewriting the existing blog post, even though I always recommend choosing the latest stable version. But sometimes it can’t be helped, e.g. when the OS repositories like Debian’s APT only offer old versions, or if you need a specific version to run custom plugins. Anyway, if you need to setup GeoIP resolution for versions before Wireshark version 2.6, look at this post instead.
In general GeoIP resolution maps IP addresses to physical locations and/or ASNs. This can be helpful to determine the origin or target of a communication, e.g. when performing network forensic tasks.
Wireshark 2.6 and GeoLite2
Starting with Wireshark 2.6, the format the GeoIP database used by Wireshark has changed to use the newer GeoLite2 format of the MaxMind databases. If you had configured an older Wireshark version with the previous “legacy” databases you’ll have to remove the old legacy DB files and replace them with the new ones, as well as reconfigure the 2.6 installation with new preference settings to point them to the database files. But first, you need to get them at https://dev.maxmind.com/geoip/geoip2/geolite2/
Update: MaxMind has changed the access to the database to require a personal account, which is free of charge. You need to create an account before you can download the files you need. The reasons for that are explained in a blog post here: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
So first, create your account, probably similar to this:
They will send you an email to set (“reset”) your password, containing a link you need to open. After you have created your account, write down/save your credentials (and API access token they give you during the initial password reset, in case you want to automate the download later). After you log in, click the “Download Databases” Link in your “Account Summary” page:
In the list of available files, get the ones for “GeoLite2 ASN”, “GeoLite2 City” and “GeoLite2 Country ” as GZIPed files:
Unpack the database files into a directory of your choice. I usually put them into a sub directory of my Wireshark profile folder, which would be c:\Users\Jasper\Appdata\Roaming\Wireshark\GeoIP:
Hint: Make sure that you put the .mmdb files into the directory you want to use, not the compressed archives. Also, do not put the files in sub folders – they all need to be in a single directory.
Then it’s time to reconfigure Wireshark:
In my experience, Wireshark doesn’t always immediately show GeoIP resolutions, but at least after restarting it the decode pane should show the results:
Auto Updating the database files
I wrote a small Windows batch script that pulls the latest files from the MaxMind website and unpacks them into a directory. You can use it e.g. as something that the Task Schedules runs every once in a while to keep your files current. I put the script on GitHub here: https://github.com/packetfoo/GeoIPDBUpdate
Update: the auto update described above only worked until they required a login. Now there’s a page MaxMind setup describing the update process, at least of Linux/*nix operating systems: https://dev.maxmind.com/geoip/geoipupdate/
Command line bonus
If you looked closely at the Wireshark 2.6 installer you may have noticed that there is a new command line utility called mmdbresolve. This is a tool that can be used to perform GeoIP resolutions via the CLI. First I tried it like this (my inputs in green):
[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb 188.8.131.52 [init] db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb db.0.status: OK db.1.type: GeoLite2-City mmdbresolve.status: true # End init Usage: mmdbresolve -f db_file [-f db_file ...] [C:\Program Files\Wireshark]
This obviously didn’t work. Using the tool without an IP address put it into an interactive mode:
[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb [init] db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb db.0.status: OK db.1.type: GeoLite2-City mmdbresolve.status: true # End init 184.108.40.206 [220.127.116.11] # GeoLite2-City country.iso_code: DE country.names.en: Germany location.latitude: 51.299300 location.longitude: 9.491000 # End 18.104.22.168 ^C [C:\Program Files\Wireshark]
But after fiddling around a bit I found a way to get it to work:
[C:\Program Files\Wireshark]echo 22.214.171.124 | mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-A SN.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb [init] db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb db.0.status: OK db.1.type: GeoLite2-City db.1.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb db.1.status: OK db.2.type: GeoLite2-ASN db.2.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb db.2.status: OK db.3.type: GeoLite2-Country mmdbresolve.status: true # End init [126.96.36.199] # GeoLite2-City country.iso_code: DE country.names.en: Germany location.latitude: 51.299300 location.longitude: 9.491000 # GeoLite2-ASN autonomous_system_organization: FNH media KG autonomous_system_number: 31197 # GeoLite2-Country country.iso_code: DE country.names.en: Germany # End 188.8.131.52 [C:\Program Files\Wireshark]
Do you already have experiences with IPv6 and GeoIP?
Yes, as far as having seen that it worked, using the beta IPv6 databases in legacy format – I didn’t really verify the results though.
REM Below is a basic batch file to help with GeoIP lookups from the command-line.
IF “%~1” == “” (
ECHO %1 | mmdbresolve -f %GEOIP_PATH%\GeoLite2-City.mmdb -f %GEOIP_PATH%\GeoLite2-ASN.mmdb -f %GEOIP_PATH%\GeoLite2-Country.mmdb
ECHO Usage: %BAT% ^
If you’re using Wireshark 2.4 or earlier you should be aware that MaxMind is discontinuing their GeoLite Legacy databases: https://dev.maxmind.com/geoip/legacy/geolite/
Thanks Gerald, maybe that’ll move a few more people off of old Wireshark versions 😀
Note that there is a bug with the Endpoints dialog with respect to GeoIP lookups: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=14656
Thanks, Chris, that’s good to know 🙂
Just wondered why my 192.168.99.101 local IP was interpreted as ‘Guam Yigo Village’ 🙂
LOL – maybe someone sneaked that info into the DB files 😀
Very useful article. Was not aware of that change before I read your article
Do you have any articles for IP2Location LITE?
No, sorry – I assume you mean using IP2Location LITE with Wireshark? As far as I know Wireshark doesn’t support IP2Location databases – if you’d like to see them to be supported I’d recommend opening a feature request at https://bugs.wireshark.org. Maybe somebody will look into it then.
I’ve use Ubuntu and WIreshark 2.6.
I have copied the new GeoIP2 mmdb files into /usr/share/GeoIP and /var/lib/GeoIP. Then pointed WIreshark to the proper folders, restarted, and still no GeoIP information in the decode window or in the Endpoints window.
Do you have any ideas or could you provide a walkthrough? Thank you.
I am not sure why it’s not working. I tried the same setup as you have (database files in /usr/share/GeoIP) as well as putting them in a subfolder of my wireshark config directory in my home path (I also changed the permissions accordingly). Neither worked, not even when running Wireshark as root (which shouldn’t be done anyway). I’m not exactly sure why, but you might want to open a bug report at https://bugs.wireshark.org.
Hi! This is a very helpful article. Just one question, I followed all the steps and my GeoIP is working normally in Wireshark, I mean I can see the country and city of each packet in Endpoints window. But, the Map button isn’t showing in this window. What can be happening? I’m using Wireshark version 2.6.0. Thanks in advance!
Hi Sergio, thanks for the feedback. As far as I know the Map button has not been ported to the QT GUI version (which replaces GTK since Wireshark version 2.0), so for the time being there won’t be a map until someone implements this feature. Sorry!