First of all you need to install the GeoIP databases.
On a Debian system you can do it with apt-get:
apt-get install -y geoip-database
Then you have to tell Wireshark which folder holds the GeoIP databases:
mkdir -p ~/.wireshark
echo '"/usr/share/GeoIP"' > ~/.wireshark/geoip_db_paths
Finally, you can call tshark with GeoIP lookup enabled (-n disables name resolution, -V prints the full packet details, -c 1 stops after one packet):
tshark -n -i venet0 -V -o "ip.use_geoip: TRUE" -c 1
As a result you will get something like the following:
Source: xx.xx.xx.xx (xx.xx.xx.xx)
Destination: xx.xx.xx.xx (xx.xx.xx.xx)
[Source GeoIP: Germany]
[Source GeoIP Country: Germany]
[Destination GeoIP: Germany]
[Destination GeoIP Country: Germany]
If you want to use this ability in console scripts, I recommend the following approach, which prints only the selected fields (tab-separated) instead of the full packet dump:
tshark -n -i venet0 -o "ip.use_geoip: TRUE" -T fields -e ip.dst -e ip.geoip.dst_country
It will produce something like this:
117.169.1.130	China
117.169.1.130	China
117.169.1.130	China
117.169.1.130	China
117.169.1.130	China
117.169.1.130	China
117.169.1.130	China
Of course you can use the GeoIP fields in filters too:
tshark -n -i venet0 -o "ip.use_geoip: TRUE" -R "ip.geoip.country==China"
Note that this post targets the legacy libGeoIP databases and an older tshark: in Wireshark 2.6 and later the lookups use MaxMind .mmdb files configured via a maxmind_db_paths file instead of geoip_db_paths, and the display filter option of current tshark is -Y rather than -R. Also keep in mind that addresses with no database entry (for example private RFC 1918 ranges) simply produce an empty country field, so scripts consuming the output must tolerate missing values.
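The field output above is easy to post-process. The following is an added example, not code from the original post: a POSIX shell function that reads the tab-separated output of the -T fields command (ip.dst, ip.geoip.dst_country) and prints per-country destination counts, treating an empty country (an address the database does not know) as "Unknown". The sample lines are constructed to mimic tshark output; the interface name venet0 is taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): aggregate tshark GeoIP field output by country.

# Constructed sample of what
#   tshark -n -i venet0 -o "ip.use_geoip: TRUE" -T fields -e ip.dst -e ip.geoip.dst_country
# emits: one line per packet, fields separated by a tab. The fourth line has an
# empty country because 10.0.0.5 is a private address with no GeoIP entry.
sample_lines() {
    printf '117.169.1.130\tChina\n'
    printf '117.169.1.130\tChina\n'
    printf '8.8.8.8\tUnited States\n'
    printf '10.0.0.5\t\n'
    printf '217.70.184.38\tFrance\n'
    printf '8.8.4.4\tUnited States\n'
    printf '117.169.1.130\tChina\n'
}

# Read "ip.dst<TAB>country" lines on stdin and print "count country",
# most frequent first. Empty country fields are reported as "Unknown".
count_by_country() {
    awk '
        BEGIN { FS = "\t" }
        {
            country = ($2 == "") ? "Unknown" : $2
            n[country]++
        }
        END {
            for (c in n) printf "%d %s\n", n[c], c
        }' | sort -rn
}

# Live use would be:
#   tshark -n -i venet0 -o "ip.use_geoip: TRUE" -T fields -e ip.dst -e ip.geoip.dst_country | count_by_country
# Offline demonstration on the constructed sample:
sample_lines | count_by_country
```

Because the output of -T fields is line-oriented, the same pipeline can be fed from a saved capture with tshark -r file.pcap instead of a live interface, and a long-running capture can be summarised periodically with a simple cron job.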