I already wrote a blog post about setting up GeoIP resolution for Wireshark in 2013. Now, almost exactly five years later, I had to decide whether to replace that one with an updated version or to write a second, updated post instead. I chose the second option.
Since it happens that users run old Wireshark versions for various reasons, I decided against rewriting the existing blog post, even though I always recommend choosing the latest stable version. But sometimes it can’t be helped, e.g. when OS repositories like Debian’s APT only offer old versions, or if you need a specific version to run custom plugins. Anyway, if you need to set up GeoIP resolution for versions before Wireshark 2.6, look at this post instead.
Wireshark 2.6 and GeoLite2
Starting with Wireshark 2.6, the format of the GeoIP database used by Wireshark has changed to the newer GeoLite2 format of the MaxMind databases. If you had configured an older Wireshark version with the previous “legacy” databases, you’ll have to remove the old legacy DB files and replace them with the new ones, and reconfigure the 2.6 installation with new preference settings that point it to the new database files. But first, you need to get them at https://dev.maxmind.com/geoip/geoip2/geolite2/
Update: MaxMind has changed the access to the database to require a personal account, which is free of charge. You need to create an account before you can download the files you need. The reasons for that are explained in a blog post here: https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-geolite2-databases/
So first, create your account, probably similar to this:
They will send you an email to set (“reset”) your password, containing a link you need to open. After you have created your account, write down/save your credentials (and the API access token they give you during the initial password reset, in case you want to automate the download later). After you log in, click the “Download Databases” link on your “Account Summary” page:
In the list of available files, get the ones for “GeoLite2 ASN”, “GeoLite2 City” and “GeoLite2 Country” as GZIPed files:
Unpack the database files into a directory of your choice. I usually put them into a subdirectory of my Wireshark profile folder, which would be c:\Users\Jasper\Appdata\Roaming\Wireshark\GeoIP:
Hint: Make sure that you put the .mmdb files into the directory you want to use, not the compressed archives. Also, do not put the files in subfolders – they all need to be in a single directory.
Then it’s time to reconfigure Wireshark:
In my experience, Wireshark doesn’t always immediately show GeoIP resolutions, but at least after restarting it the decode pane should show the results:
Auto Updating the database files
I wrote a small Windows batch script that pulls the latest files from the MaxMind website and unpacks them into a directory. You can use it e.g. as a job that the Task Scheduler runs every once in a while to keep your files current. I put the script on GitHub here:
Update: the auto update described above only worked until they required a login. MaxMind has since set up a page describing the update process, at least for Linux/*nix operating systems: https://dev.maxmind.com/geoip/geoipupdate/
Command line bonus
If you looked closely at the Wireshark 2.6 installer you may have noticed that there is a new command line utility called mmdbresolve. This is a tool that can be used to perform GeoIP resolutions via the CLI. First I tried it like this (my inputs in green):
[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb 22.214.171.124
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
Usage: mmdbresolve -f db_file [-f db_file ...]
[C:\Program Files\Wireshark]
This obviously didn’t work. Using the tool without an IP address put it into an interactive mode:
[C:\Program Files\Wireshark]mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
mmdbresolve.status: true
# End init
126.96.36.199
[188.8.131.52]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# End 184.108.40.206
^C
[C:\Program Files\Wireshark]
But after fiddling around a bit I found a way to get it to work:
[C:\Program Files\Wireshark]echo 220.127.116.11 | mmdbresolve.exe -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb -f C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
[init]
db.0.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-City.mmdb
db.0.status: OK
db.1.type: GeoLite2-City
db.1.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-ASN.mmdb
db.1.status: OK
db.2.type: GeoLite2-ASN
db.2.path: C:\Users\Jasper\AppData\Roaming\Wireshark\GeoIP\GeoLite2-Country.mmdb
db.2.status: OK
db.3.type: GeoLite2-Country
mmdbresolve.status: true
# End init
[18.104.22.168]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 22.214.171.124
[C:\Program Files\Wireshark]
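If you want to use mmdbresolve from a script (for example to enrich a list of addresses from a capture or a log), its line-oriented output has to be parsed. The following Python is an added example, not code from the original post or from Wireshark: it turns the "[ip]" / "# database" / "key: value" / "# End ip" blocks shown above into a dict per IP and database, and can drive mmdbresolve through stdin in the piped form that worked above. The embedded sample output is constructed from the session above with a TEST-NET address in place of the real one, and mmdbresolve being on PATH is an assumption.

```python
import subprocess

# Constructed sample of mmdbresolve's piped-mode output, modelled on the
# session above; a TEST-NET address stands in for the real one.
SAMPLE_OUTPUT = """[init]
mmdbresolve.status: true
# End init
[198.51.100.7]
# GeoLite2-City
country.iso_code: DE
country.names.en: Germany
location.latitude: 51.299300
location.longitude: 9.491000
# GeoLite2-ASN
autonomous_system_organization: FNH media KG
autonomous_system_number: 31197
# GeoLite2-Country
country.iso_code: DE
country.names.en: Germany
# End 198.51.100.7
"""

def parse_mmdbresolve(text):
    """Return {ip: {db_type: {key: value}}} from mmdbresolve's stdout; the
    [init] block is skipped, one "# <db type>" section per database is kept."""
    results, ip, db = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line == "[init]" or line.startswith("# End"):
            ip = db = None                      # leave init block / lookup done
        elif line.startswith("[") and line.endswith("]"):
            ip, db = line[1:-1], None           # a new lookup starts
            results[ip] = {}
        elif ip is None:
            continue                            # still inside the init block
        elif line.startswith("# "):
            db = line[2:]                       # a new database section
            results[ip][db] = {}
        elif db is not None and ": " in line:
            key, value = line.split(": ", 1)
            results[ip][db][key] = value
    return results

def resolve(ips, db_files, exe="mmdbresolve"):
    """Pipe IPs into mmdbresolve (one -f per database, as in the working
    command above) and parse the output. Assumes exe is on PATH."""
    cmd = [exe] + [arg for path in db_files for arg in ("-f", path)]
    proc = subprocess.run(cmd, input="\n".join(ips) + "\n",
                          capture_output=True, text=True, check=True)
    return parse_mmdbresolve(proc.stdout)
```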