How To Use GeoIP With Wireshark
MaxMind produces databases and software for geolocation. Wireshark 1.1.2 and later can use MaxMind's GeoIP (purchase) and GeoLite (free) databases to look up the city, country, AS number, and other information for an IP address.
Getting Started
To see if your copy of Wireshark supports GeoIP and GeoLite, go to Help→About Wireshark and look for GeoIP in the "Compiled with" paragraph.
Wireshark does not ship with any GeoIP or GeoLite databases, so you have to download them yourself. You can get them at the following locations:
GeoLite City, Country, and ASNum: http://geolite.maxmind.com/download/geoip/database/ (free download)
GeoIP products: http://www.maxmind.com/app/products (purchase required)
It's more convenient if you put all of the databases in the same directory. Once you've downloaded your databases, you must tell Wireshark where they are. Go to Edit→Preferences→Name Resolution and select GeoIP database directories. Add the full path of each database directory, as shown below:
Now, restart Wireshark. At this point you should be able to load a capture file, select Statistics→Endpoints, and see GeoIP information in any tab that contains IP addresses (IP, TCP, UDP, etc.).
You can optionally see GeoIP data in the IP packet detail tree. To enable this, go to Edit→Preferences→Protocols→IP and make sure Enable GeoIP lookups is checked.
Filtering Traffic
You can use the ip.geoip display filters to filter traffic.
Exclude U.S.-based traffic:
ip and not ip.geoip.country == "United States"
Show addresses above the Arctic Circle:
ip.geoip.lat > "66.5"
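The same lookups are available from the command line through tshark, which shares Wireshark's preferences. The script below is an added example, not part of this page: it pulls the ip.geoip.src_country and ip.geoip.dst_country fields out of a capture and builds a per-country count of unique endpoints, similar to the Endpoints tab described above. It assumes the GeoIP database directory has already been configured as shown earlier and that the tshark build includes GeoIP support; the sample input in the test is constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the Wireshark wiki): per-country endpoint summary via tshark GeoIP fields.

# geoip_country_summary reads tab-separated lines of the form
#   src_ip <TAB> src_country <TAB> dst_ip <TAB> dst_country
# on stdin (exactly what the tshark call below emits) and prints
#   country <TAB> number_of_distinct_addresses
# Addresses with no GeoIP entry (private ranges, unknown prefixes) have an
# empty country field; they are grouped under "(unknown)" rather than dropped.
geoip_country_summary() {
    awk -F'\t' '
        {
            pair[$1 "\t" ($2 == "" ? "(unknown)" : $2)] = 1
            pair[$3 "\t" ($4 == "" ? "(unknown)" : $4)] = 1
        }
        END {
            # each key is "address<TAB>country"; count distinct addresses per country
            for (p in pair) { split(p, f, "\t"); n[f[2]]++ }
            for (c in n) printf "%s\t%d\n", c, n[c]
        }' | LC_ALL=C sort
}

# capture_country_summary runs tshark on a capture file and feeds the result
# to geoip_country_summary. -o ip.use_geoip:TRUE forces the IP dissector's
# GeoIP lookups on even if they are unchecked in the GUI preferences.
capture_country_summary() {
    tshark -r "$1" -Y ip -o ip.use_geoip:TRUE -T fields \
        -e ip.src -e ip.geoip.src_country \
        -e ip.dst -e ip.geoip.dst_country \
    | geoip_country_summary
}

# Usage: ./geoip_summary.sh capture.pcapng
if [ $# -gt 0 ]; then
    capture_country_summary "$1"
fi
```

Run it against a capture to get a sorted country list; the "(unknown)" bucket is a quick sanity check that the databases are actually being found.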
