If you read my last post titled “Troubleshooting Wireshark’s IP Endpoint Map” then you know I found a workaround for the Endpoint maps not working in IE9 or Firefox.
After completing that post I downloaded the latest version of Wireshark and installed it.
When I got it up and running I first tested to see if it had the same problem as before with the maps not showing at all in IE9. Yes, it had the same problem. So I renamed the existing map template file to ipmapOriginal and copied the new template file I had created to the Wireshark program file directory. Windows will let you open and edit the file's contents in Notepad++ in the Program Files directory, but it will not let you save the changes there. It popped up a message telling me to check whether the file is open in another program; it was most likely an Access Denied error that was suppressed. I originally had to copy the file to another directory and modify it there in order to make the changes.
You can rename the existing file there with UAC enabled; it will just pop up a warning asking for permission to make the change.
After doing another test with the new template file in place, the map did show up in IE9 and Firefox, but when checking the points on the map I realized that the "AS" data was missing from the maps. (Hmm, this IP looks familiar.)
So I looked back in Wireshark and the data was there, but there was an extra column labeled AS Number that was all blank, as you can see below.
So at this point I'm thinking I messed up something on the new install because I didn't let the old version remove the saved settings on the uninstall. I uninstalled this new version, reinstalled the version that came out just before it, and tested again. Same problem. I uninstalled again, cleaned up any files and folders left behind, rebooted, then went back yet another version and installed that one. Same problem. That ruled out a problem with one particular version, because the same thing happened in all three versions.
Next I started searching the source code, but nothing was really apparent as to why it would display two columns with the same name. I compared the same section of the source code across the three versions and it was identical, so that part hadn't changed. So I reinstalled the latest version of Wireshark again, fixed up my settings, added the saved profile, and restarted it.
From what I have seen in the source code, the program works like this: it searches the directory you supply for the GEO .dat files, looks up the IP address, and returns the data associated with that IP along with the "AS" number (Autonomous System Number). Here are a few interesting links for more information on AS numbers (Link 1, Link 2, Link 3). It then fills the data into the columns if the IP was found in the database.
See here for how to use GeoIP in Wireshark.
Next I started looking back at older maps that had been created and looked at the HTML source to see when the data started to disappear. I didn't have to go very far back, but I did have to move the old file versions from the temp folder to a new folder so I could sort by creation date more easily.
That helped me narrow down when it started happening, but not why. So what had happened around the time the data started going missing from the map files? The only thing I could remember having done at the time was installing a newer version of Wireshark, but I don't remember it being a problem then, or I just never noticed the extra column, because you have to expand the box to see it. Also, at the time I wasn't looking at the maps, even though I was doing a lot of captures to get information for a test I was doing with Remote Assistance on my local network.
My next step was to look in the folder where the GeoIP files were located. The ones needed for the IPv4 data were there, but so were the IPv6 versions, so I moved those to a subfolder, restarted Wireshark, and surfed random sites from my history to get a lot of different locations to map. I then stopped the capture and checked the IPv4 section to see what it looked like.
As you can see from the screenshot, it is back to normal.
So what was the problem?
The best I can tell, without being able to step through the code in a debugger, is that when it was looking for the files it found two of the country files in the folder, the IPv4 and the IPv6 versions, and tried to load one column for each file. The IPv4 section would not load the IPv6 information into the second column, and when it was gathering the information for building the maps it took it from the variable for the second column (which was blank) instead of the first column, where the data was actually showing up. So the program must not expect two columns in that section. In the source code it looks for files that start with "GEO" and end with "dat", which all of the files in the folder did, so it tried to load the data from all of them.
If you have this problem, check whether you have the IPv6 files in the same folder as the IPv4 files.
It might help IPv6 support to have a separate folder for the IPv6 files, with the program pointed at that folder the way it is for the IPv4 files. The harder way is to add more validation to verify the contents of the files instead of just their names.
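Here is a small script that automates the check in the previous two paragraphs: it lists a GeoIP folder, applies the same name-based scan described above (starts with "Geo", ends with ".dat"), reports every database that has both an IPv4 and an IPv6 file side by side, and optionally moves the IPv6 files into a subfolder. This is an added example, not Wireshark code or code from the original post. Two things in it are assumptions: the name match is done case-insensitively so that both the "GEO" spelling above and MaxMind's mixed-case filenames match, and the IPv4/IPv6 split is decided purely from MaxMind's legacy naming convention (GeoIP.dat vs GeoIPv6.dat, GeoLiteCity.dat vs GeoLiteCityv6.dat), not from the file contents. The sample folder it builds is constructed with placeholder files, not real MaxMind databases.

```python
"""Check a MaxMind legacy GeoIP folder for IPv4 and IPv6 .dat files mixed
together, the layout that produced the blank AS Number column.

Added example; not Wireshark's own code. Assumptions (see lead-in):
  - the "Geo*.dat" match is case-insensitive
  - a file is treated as IPv6 purely because its name ends in "v6.dat"
"""
import os
import re
import shutil
import tempfile
from collections import defaultdict


def wireshark_would_load(name):
    """Mirror the name-based scan described in the post: prefix 'Geo',
    suffix '.dat'. Case-insensitive here (assumption) so GEOIP.DAT also
    matches on a Windows box."""
    lower = name.lower()
    return lower.startswith("geo") and lower.endswith(".dat")


# MaxMind legacy IPv6 databases carry "v6" right before the extension.
V6_RE = re.compile(r"v6\.dat$", re.IGNORECASE)


def classify(name):
    """Return (family, base) where base is the lower-cased name with the v6
    marker and '.dat' stripped, so GeoIP.dat and GeoIPv6.dat share 'geoip'."""
    stem = name[:-4]  # drop ".dat"
    if V6_RE.search(name):
        return "ipv6", stem[:-2].lower()
    return "ipv4", stem.lower()


def scan_geoip_dir(path):
    """Group the files the name-based scan would load, keyed by database base
    name, e.g. {'geoip': {'ipv4': 'GeoIP.dat', 'ipv6': 'GeoIPv6.dat'}}."""
    groups = defaultdict(dict)
    for name in sorted(os.listdir(path)):
        if os.path.isfile(os.path.join(path, name)) and wireshark_would_load(name):
            family, base = classify(name)
            groups[base][family] = name
    return dict(groups)


def mixed_databases(groups):
    """Database bases that have both an IPv4 and an IPv6 file in one folder."""
    return sorted(b for b, fams in groups.items() if "ipv4" in fams and "ipv6" in fams)


def separate_ipv6(path, dest_subdir="ipv6"):
    """Apply the workaround from the post: move the IPv6 files into a
    subfolder so the directory scan no longer sees them. Returns the names moved."""
    dest = os.path.join(path, dest_subdir)
    os.makedirs(dest, exist_ok=True)
    moved = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.isfile(full) and wireshark_would_load(name) and classify(name)[0] == "ipv6":
            shutil.move(full, os.path.join(dest, name))
            moved.append(name)
    return moved


def make_sample_dir():
    """Constructed sample folder with the mixed layout from the post.
    The files are one-byte placeholders, not real MaxMind databases."""
    d = tempfile.mkdtemp(prefix="geoip_")
    for name in ["GeoIP.dat", "GeoIPv6.dat", "GeoLiteCity.dat", "GeoLiteCityv6.dat",
                 "GeoIPASNum.dat", "GeoIPASNumv6.dat", "README.txt", "ipmap.html"]:
        with open(os.path.join(d, name), "wb") as f:
            f.write(b"\x00")
    return d


def remove_sample_dir(path):
    shutil.rmtree(path)


if __name__ == "__main__":
    folder = make_sample_dir()
    groups = scan_geoip_dir(folder)
    for base in mixed_databases(groups):
        print(f"{base}: both {groups[base]['ipv4']} and {groups[base]['ipv6']} present")
    print("moved to ipv6/:", separate_ipv6(folder))
    print("still mixed:", mixed_databases(scan_geoip_dir(folder)))
    remove_sample_dir(folder)
```

Point `scan_geoip_dir` at the real folder configured under Edit > Preferences > Name Resolution > GeoIP database directories to run it against your own install; anything listed by `mixed_databases` is a candidate for the move, and `separate_ipv6` does the move the post describes rather than deleting anything, so the IPv6 files stay available for a second directory entry later.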
While researching the GeoIP data files on the MaxMind site (here), I read in their forums that the GeoLite databases had an accuracy problem at the beginning of 2012, even giving locations in the wrong country or several hundred miles away. The problems were supposed to have been solved in later versions.
The Endpoint maps feature is not a make-or-break feature of Wireshark, but it is nice to look up some of the locations on occasion to get an idea of where the traffic is going.
Another thing I noticed was that if you have multiple IPs that work out to the same location or "AS" number, you still only get one point on the map.
It would be nice to see how many different IPs mapped to that one point. There may be a way to do it in the template; the locations are already added to the file, they would just have to be implemented. But that is a research project for another day.
That’s it for this time.
I hope someone found this helpful.
Filed under: RootAdmin