MaxMind GeoIP support in 3.0.8.2

Kevin Branch kevin at branchnetconsulting.com
Fri Sep 28 17:24:43 EDT 2018 

Looks like GeoIP is linked in already:

# ldd `which ralabel`
        linux-vdso.so.1 =>  (0x00007ffddaf8a000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f5fe67c9000)
        libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f5fe65ab000)
        libGeoIP.so.1 => /usr/lib/x86_64-linux-gnu/libGeoIP.so.1
(0x00007f5fe637c000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f5fe5fb3000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f5fe6acf000)

I switched to just "lat,lon" like you suggested in ralabel.conf:

# cat /etc/ralabel.conf

RALABEL_ARIN_COUNTRY_CODES=no

RALABEL_GEOIP_ASN=yes
RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"

RALABEL_GEOIP_CITY="lat,lon"
RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"


But I don't see anything but ASNs getting added in:

# ra -r /argus/today/unt-01.arg -w - | ralabel -f /etc/ralabel.conf -r - -s
sas,das,scity,dcity,icity | head -n20
   sAS    dAS
  4323
  4323
  4323
 22927   4323
  6582   4323
  7018   4323
  4323      3
  4323
  4323  15169
  4323
  4323
  4323  15169
  4323  21928
  2828   4323

Thoughts?
Kevin

On Fri, Sep 28, 2018 at 2:36 PM Carter Bullard <carter at qosient.com> wrote:

> Hey Kevin,
> If you do a ./configure —help you’ll see all the options that ./configure
> supports.  If you specify —with-GeoIP it wants the directory where the
> GeoIP library is.
>   —with-GeoIP=DIR. compile with GeoIP in <dir>
>
> You can check if the library is bound to the client binaries with ldd …
>    ldd `which ralabel`
>
> If you’re already bound, the city stuff should work ….  I’m not familiar
> with “reg,cco” as GeoIP City objects off the top of my head.  I’m familiar
> with “off,cont,lat,lon,region,city,cname”.  Maybe try lat,lon as a test, as
> I use that all the time ..
>
> Carter
>
>
>
> On Sep 28, 2018, at 1:59 PM, Kevin Branch <kevin at branchnetconsulting.com>
> wrote:
>
> Hi Carter,
>
> I was just trying today to make ralabel on argus 3.0.8.2 do GeoIP labeling
> with GeoIPCity.dat, but even though the file referred to in ralabel.conf
> for that purpose exists, no GeoIP labeling takes place.    ASN lookups work
> great, but ralabel never adds any scity or dcity fields.
>
> My ralabel.conf:
>
> RALABEL_ARIN_COUNTRY_CODES=no
>
> RALABEL_GEOIP_ASN=yes
> RALABEL_GEOIP_ASN_FILE="/usr/local/share/GeoIP/GeoIPASNum.dat"
>
> RALABEL_GEOIP_CITY="reg,cco"
> RALABEL_GEOIP_CITY_FILE="/usr/local/share/GeoIP/GeoIPCity.dat"
>
>
> No errors are thrown by ralabel.  I thought maybe I needed to specially
> compile in GeoIP support like I read about here:
> https://qosient.com/argus/geolocation.shtml
> but when I run "./configure --with-GeoIP=yes" it throws this error:
>
> configure: WARNING: unrecognized options: --with-GeoIP
>
> However, I presume the fact that ASN lookups work means that MaxMind GeoIP
> support libraries are already installed, and presumably installed by
> default in the latest argus now.
>
> # ra -r /argus/today/unt-01.arg -w - | ralabel -f /etc/ralabel.conf -r -
> -s sas,das,scity,dcity,icity | head -n20
>    sAS    dAS
>   4323
>   4323
>   4323
>  22927   4323
>   6582   4323
>   7018   4323
>   4323      3
>   4323
>   4323  15169
>   4323
>   4323
>   4323  15169
>   4323  21928
>   2828   4323
>
> Any thoughts on what I am missing or how I might further debug this issue?
>
> Thanks!
> Kevin
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://pairlist1.pair.net/pipermail/argus/attachments/20180928/d4290e25/attachment.html>

More information about the argus mailing list