Tutorial: Geolocation maxmindDB: geoip, t2mmdb

Introduction

The geoip plugin is a wrapper for the open source geolocation GeoIP/MaxMind DB. It supplies standard geolocation output in the flow file. To provide a faster interface for quick IPv4/6 geolocation queries independent of Tranalyzer, the t2mmdb program has been available since version 0.8.8.

In the next chapters we will discuss the geoip plugin and the operation of the t2mmdb program.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile the following plugins:

$ t2build -e
Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? y
Plugin folder emptied
$ t2build -f tranalyzer2 basicFlow tcpStates geoip txtSink
...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, please do so now in another bash window; this facilitates your workflow:

$ mkdir ~/data ~/results
$

The anonymized sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap. Please extract it under your data folder. Now you are all set for T2 IP label experiments.

geoip plugin

T2 supports the open source legacy GeoLite2 databases and the newer MaxMind GeoIP2 databases. Note that GeoIP has not provided any updates for its legacy GeoLite2 DBs since January 2019.

Now move to the geoip plugin and look into it:

$ geoip
$ ls
AUTHORS  autogen.sh  ChangeLog  configure.ac  COPYING  doc  GeoLite2-City.mmdb.gz  GeoLiteCity.dat.gz  GeoLiteCityv6.dat.gz  Makefile.am  NEWS  README  scripts  src  t2plconf  tests
$

Note the GeoIP DB: GeoLiteCity.dat.gz and GeoLiteCityv6.dat.gz as well as the MaxMind DB: GeoLite2-City.mmdb.gz. If you move into the scripts folder you see two scripts:

genkml.sh    map coordinates to Google Earth
updatedb.sh  update DB

The first maps a flow file to a KML Google Earth file to produce an earth view with the location of the various IPs. The second updates the DBs. Run t2doc geoip for detailed information.

Now move to the src/ directory and look into the geoip.h file:

$ cd src
$ ls
geoip.c  geoip.h  Makefile.am
$ vi geoip.h

The important choice is the type of DB. Since 0.8.4 the default is the MaxMind DB. As older systems do not have this library available, we also supply the last public open source one. Today you have to register to get a newer copy. Just get it and replace ours under the geoip directory with it.

If you choose to use your own GeoIP2 DB, such as the enterprise version, look for the GEOIP_DB_FILE constant and replace its value with the Enterprise DB name. You may then wish to enable all fields enclosed in // enterprise version. Don’t forget to recompile with t2build geoip.

As the library functions may not be available on older systems, we ship an internal copy of the libmaxmind library with faster access. This is the default switch GEOIP_LIB 2. If you want to use the libmaxmind library on your system, set it to 1. 0 switches to the legacy GeoLite DB and library functions. Note that this data is outdated.

As you can see, the classification of source or destination IP can be separately enabled. Any output of country, city, organization, language, etc. can also be enabled or disabled.

Let’s look at the default configuration shown below.

...
// user defines
#define GEOIP_LIB        2 // Library to use:
                           //   2: GeoLite2 / Internal libmaxmind (faster)
                           //   1: GeoLite2 / libmaxmind
                           //   0: GeoLite  / geoip (legacy)

#define GEOIP_SRC        1 // Display geo info for the source IP
#define GEOIP_DST        1 // Display geo info for the destination IP

#define GEOIP_CONTINENT  2 // 0: no continent, 1: name (GeoLite2), 2: two letters code
#define GEOIP_COUNTRY    2 // 0: no country, 1: name, 2: two letters code, 3: three letters code (Legacy)
#define GEOIP_CITY       1 // Display the city of the IP
#define GEOIP_POSTCODE   1 // Display the postal code of the IP
#define GEOIP_POSITION   1 // Display the position (latitude, longitude) of the IP
#define GEOIP_METRO_CODE 0 // Display the metro (dma) code of the IP (US only)

#if GEOIP_LIB != 0
#define GEOIP_ACCURACY   1 // Display the accuracy (GeoLite2)
#define GEOIP_TIMEZONE   1 // Display the time zone (GeoLite2)
// enterprise version
#define GEOIP_ORG        0 // Display the organisation
#define GEOIP_ISP        0 // Display the ISP name
#define GEOIP_ASNAME     0 // Display the autonomous systems name
#define GEOIP_USRT       0 // Display the user type
// end enterprise version

#define GEOIP_LANG       "en" // Output language: en, de, fr, es, ja, pt-BR, ru, zh-CN, ...
#define GEOIP_BUFSIZE    64   // buffer size
#else // GEOIP_LIB == 0
#define GEOIP_REGION     1 // 0: no region,  1: name, 2: code
#define GEOIP_AREA_CODE  0 // Display the telephone area code of the IP
#define GEOIP_NETMASK    1 // 0: no netmask, 1: netmask as int (cidr),
                           // 2: netmask as hex (IPv4 only), 3: netmask as IP (IPv4 only)

#define GEOIP_DB_CACHE   2 // 0: read DB from file system (slower, least memory)
                           // 1: index cache (cache frequently used index only)
                           // 2: memory cache (faster, more memory)
#endif // GEOIP_LIB == 0

#define GEOIP_UNKNOWN    "--" // Representation of unknown locations (GeoIP's default)

// GeoIP Status
#define GEOIP_STAT_TRUNC 0x1 // name was truncated... increase GEOIP_BUFSIZE

// plugin defines
#if GEOIP_LIB != 0
#define GEOIP_DB_FILE "GeoLite2-City.mmdb"
#define GEOIP_DB_LEN   sizeof(GEOIP_DB_FILE)
#else // GEOIP_LIB == 0
#define GEOIP_DB_FILE  "GeoLiteCity.dat"
#define GEOIP_DB_FILE6 "GeoLiteCityv6.dat"
#define GEOIP_DB_LEN   sizeof(GEOIP_DB_FILE6)
#endif // GEOIP_LIB == 0
...

Now compile the plugin and rerun T2 on the same pcap:

$ t2build geoip
...
$ t2 -r ~/data/faf-exercise.pcap -w ~/results/
...
$

To compare with the basicFlow output, I aggregated the same columns as in the last tutorial.

$ tawk '{ print $srcIP, wildcard("^srcIp"), $dstIP, wildcard("^dstIp") }' ~/results/faf-exercise_flows.txt | sort -Vru -k1,1 | tcol

srcIP           srcIpContinent  srcIpCountry  srcIpCity    srcIpPostcode  srcIpAccuracy  srcIpLat   srcIpLong    srcIpTimeZone          dstIP          dstIpContinent  dstIpCountry  dstIpCity  dstIpPostcode  dstIpAccuracy  dstIpLat   dstIpLong  dstIpTimeZone
198.189.255.75  NA              US            "Marina"     93933          20             36.684100  -121.788600  "America/Los_Angeles"  192.168.1.104  --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.105   --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.1    --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.104   --              --            "--"         --             0              0.000000   0.000000     ""                     77.67.44.206   EU              IE            "--"       --             200            53.347200  -6.243900  "Europe/Dublin"
192.168.1.103   --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.1    --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.102   --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.1    --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.1     --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.103  --              --            "--"       --             0              0.000000   0.000000   ""
143.166.11.10   NA              US            "--"         --             1000           37.751000  -97.822000   "America/Chicago"      192.168.1.105  --              --            "--"       --             0              0.000000   0.000000   ""
77.67.44.206    EU              IE            "--"         --             200            53.347200  -6.243900    "Europe/Dublin"        192.168.1.104  --              --            "--"       --             0              0.000000   0.000000   ""
63.245.221.11   NA              US            "Fairfield"  94533          100            38.267000  -122.044000  "America/Los_Angeles"  192.168.1.104  --              --            "--"       --             0              0.000000   0.000000   ""

Request IPs from the MaxMind DB using t2mmdb in T2 format

You probably know mmdblookup, an open source program supplied by MaxMind to read the MMDB. Its output is a bit difficult to parse and some features are hidden from the user, such as the -I option which allows you to read IP addresses from a file.

That’s why we wrote t2mmdb. It is initially compiled with the geoip plugin and resides under geoip/utils/t2mmdb, but you can invoke it anywhere you like:

$ t2mmdb -h
Usage:
    t2mmdb [OPTION...] [INPUT...]

Input:
    -               If no input is provided, read from stdin
    -i file         Read IP address(es) from 'file'

Optional arguments:
    -x              Do not display the header
    -f file         Database to use (default: 'GeoLite2-City.mmdb' in the plugin folder)
    -h              Show help options and exit

$

Let’s try the two simplest cases first. By default it reads from the command line and uses the DB copied under the binary plugins directory: .tranalyzer/plugins. The output is formatted according to the Tranalyzer subnet file format. So either supply an IP directly

$ t2mmdb 8.8.8.8
#	5	01032020
# IPCIDR	IPrange	CtryWhoCode	ASN	Accuracy	Latitude	Longitude	Country	County	City	Org
8.8.0.0/17	8.8.0.0-8.8.127.255	0x00000000	-	1000	37.751000	-97.822000	us	-	-	-	-	-	-
$

or put it in the interactive mode:

$ t2mmdb
#	5	01032020
# IPCIDR	IPrange	CtryWhoCode	ASN	Accuracy	Latitude	Longitude	Country	County	City	Org
63.245.221.11
63.245.220.0/23	63.245.220.0-63.245.221.255	0x00000000	0	100	38.267000	-122.044000	us	-	Fairfield	-
192.168.1.104
8.8.8.8
8.8.0.0/17	8.8.0.0-8.8.127.255	0x00000000	0	1000	37.751000	-97.822000	us	-	-	-
^C
$

So you see, MaxMind does not have an opinion on local or corporate addresses. If you loaded the enterprise version, which we do not have, you would see City and Org entries, unless you disabled them.

If you want to load a different Maxmind DB, use the -f option and provide the full path to it:

$ t2mmdb -f ~/.tranalyzer/plugins/GeoLite2-City.mmdb
#       5       01032020
# IPCIDR        IPrange CtryWhoCode     ASN     Accuracy        Latitude        Longitude       Country County  City    Org
63.245.221.11
63.245.220.0/23 63.245.220.0-63.245.221.255     0x00000000      0       100     38.267000       -122.044000     us      -       Fairfield       -
^C
$

Now prepare a file with some IPs:

$ vi nudel.txt
3.4.5.6
6.5.78.6
23.54.67.7
8.0.0.0
31.121.10.80
2001:1260::4544:434:fe34:45
2002:1260::4544:434:fe34:45
1.0.128.0
1.51.32.0
130.75.0.0
28.0.0.0
29.0.0.0
30.0.0.0
:wq
$ t2mmdb -i nudel.txt
#               5                                                    01032020
# IPCIDR        IPrange                                              CtryWhoCode  ASN  Accuracy  Latitude   Longitude    Country  County  City         Org
3.4.0.0/16      3.4.0.0-3.4.255.255                                  0x00000000   0    1000      47.634800  -122.345100  us       -       Seattle      -
6.0.0.0/13      6.0.0.0-6.7.255.255                                  0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
23.54.64.0/19   23.54.64.0-23.54.95.255                              0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
8.0.0.0/22      8.0.0.0-8.0.3.255                                    0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
31.121.8.0/21   31.121.8.0-31.121.15.255                             0x00000000   0    200       51.922200  -2.535000    gb       -       Ross on Wye  -
2001:1260::/32  2001:1260::-2001:1260:ffff:ffff:ffff:ffff:ffff:ffff  0x00000000   0    100       23.000000  -102.000000  mx       -       -            -
2002:1260::/30  2002:1260::-2002:1263:ffff:ffff:ffff:ffff:ffff:ffff  0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
1.0.128.0/23    1.0.128.0-1.0.129.255                                0x00000000   0    500       14.887900  100.404600   th       -       Sing Buri    -
1.51.32.0/19    1.51.32.0-1.51.63.255                                0x00000000   0    50        34.772500  113.726600   cn       -       -            -
130.75.0.0/16   130.75.0.0-130.75.255.255                            0x00000000   0    200       52.385100  9.743100     de       -       Hanover      -
28.0.0.0/8      28.0.0.0-28.255.255.255                              0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
29.0.0.0/12     29.0.0.0-29.15.255.255                               0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
30.0.0.0/12     30.0.0.0-30.15.255.255                               0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
$

Transform maxmind DB into t2 subnet format

If you had all IP ranges for IPv4/6, could you build your own subnet file? Yes, you can. These ranges are available on the internet, this wonderful thing.

Just use the script t2mmdba. It generates all necessary files which can be copied under scripts/subnet.

$ geoip; cd utils
$ ./t2mmdba
'-i' option is required
Try 't2mmdba --help' for more information.
$ ./t2mmdba -h
Usage:
    t2mmdba [OPTION...] -i <prefix>

Required arguments:
    -i      Prefix for IP file to use

Optional arguments:
    -f      Database to use
    -h      display this help, then exit
$

As a test, separate IPv4 and IPv6 addresses into different files. It is important to choose names that end with “4|6.txt”; then execute t2mmdba:

$ awk -F"\t" '!/:/{print}' wurst.txt > wurst4.txt
$ awk -F"\t" '/:/{print}' wurst.txt > wurst6.txt
$ ./t2mmdba -i ./wurst
Merge with subnetsB[46].txt into subnets[46].txt
$

Have a look into the directory: you see the generated subnet and who files for T2 core and t2whois.

$ ls
subnets4.txt  subnets6.txt  t2mmdb  t2mmdba  whoCntryCds.txt  whoOrgCds.txt  wurst4.txt  wurst6.txt  wurst.txt
$

Open subnets4.txt. Note that the organization is missing for the public address space, as the open source version does not contain this information.

$ cat subnets4.txt
#	5	01042020
# IPCIDR	IPrange	CtryWhoCode	ASN	Uncert	Latitude	Longitude	Country	County	City	Org
# Begin IPv4 private address space
10.0.0.0/8	10.0.0.0-10.255.255.255	0x0300000d	0	-1.0	666.000000	666.000000	04	-	-	Private network
127.0.0.0/8	127.0.0.0-127.255.255.255	0x0100000a	0	-1.0	666.000000	666.000000	01	-	-	Loopback
100.64.0.0/10	100.64.0.0-100.127.255.255	0x0700000f	0	-1.0	666.000000	666.000000	20	-	-	Shared address space
169.254.0.0/16	169.254.0.0-169.254.255.255	0x02000009	0	-1.0	666.000000	666.000000	02	-	-	Link-local
172.16.0.0/12	172.16.0.0-172.31.255.255	0x0380000d	0	-1.0	666.000000	666.000000	05	-	-	Private network
192.0.0.0/24	192.0.0.0-192.0.0.255	0x0400000d	0	-1.0	666.000000	666.000000	06	-	-	Private network
192.0.2.0/24	192.0.2.0-192.0.2.255	0x07800011	0	-1.0	666.000000	666.000000	21	-	-	TEST-NET-1
192.88.99.0/24	192.88.99.0-192.88.99.255	0x0b000008	0	-1.0	666.000000	666.000000	60	-	-	IPv6 to IPv4 relay
192.168.0.0/16	192.168.0.0-192.168.255.255	0x0480000d	0	-1.0	666.000000	666.000000	07	-	-	Private network
198.18.0.0/15	198.18.0.0-198.19.255.255	0x0500000d	0	-1.0	666.000000	666.000000	08	-	-	Private network
198.51.100.0/24	198.51.100.0-198.51.100.255	0x08000012	0	-1.0	666.000000	666.000000	22	-	-	TEST-NET-2
203.0.113.0/24	203.0.113.0-203.0.113.255	0x08800013	0	-1.0	666.000000	666.000000	23	-	-	TEST-NET-3
224.0.0.0/4	224.0.0.0-239.255.255.255	0x0600000b	0	-1.0	666.000000	666.000000	10	-	-	Multicast
240.0.0.0/4	240.0.0.0-255.255.255.254	0x0900000e	0	-1.0	666.000000	666.000000	24	-	-	Reserved
255.255.255.255/32	255.255.255.255-255.255.255.255	0x06800002	0	-1.0	666.000000	666.000000	11	-	-	Broadcast
# End IPv4 private address space
1.0.128.0/23	1.0.128.0-1.0.129.255	0x7c000000	0	500	14.887900	100.404600	th	-	Sing Buri	-
1.51.32.0/19	1.51.32.0-1.51.63.255	0x26000000	0	50	34.772500	113.726600	cn	-	-	-
3.4.0.0/16	3.4.0.0-3.4.255.255	0x84800000	0	1000	47.634800	-122.345100	us	-	Seattle	-
6.0.0.0/13	6.0.0.0-6.7.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
8.0.0.0/22	8.0.0.0-8.0.3.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
23.54.64.0/19	23.54.64.0-23.54.95.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
28.0.0.0/8	28.0.0.0-28.255.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
29.0.0.0/12	29.0.0.0-29.15.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
30.0.0.0/12	30.0.0.0-30.15.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
31.121.8.0/21	31.121.8.0-31.121.15.255	0x35000000	0	200	51.922200	-2.535000	gb	-	Ross on Wye	-
130.75.0.0/16	130.75.0.0-130.75.255.255	0x2a800000	0	200	52.385100	9.743100	de	-	Hanover	-
$

And here is subnets6.txt, ready to be copied into the subnet folder:

$ cat subnets6.txt
#	5	01042020
# IPCIDR	IPrange	CtryWhoCode	ASN	Uncert	Latitude	Longitude	Country	County	City	Org
# Begin IPv6 private address space
::1/128	::1-::1	0x0100000a	0	-1.0	666.000000	666.000000	01	-	-	Loopback
::ffff:0:0/96	::ffff:0:0-::ffff:ffff:ffff	0x0b800006	0	-1.0	666.000000	666.000000	61	-	-	IPv4 mapped
::ffff:0:0:0/96	::ffff:0:0:0-::ffff:0:ffff:ffff	0x0c000007	0	-1.0	666.000000	666.000000	62	-	-	IPv4 translated
64:ff9b::/96	64:ff9b::-64:ff9b::ffff:ffff	0x0c800005	0	-1.0	666.000000	666.000000	63	-	-	IPv4/6 translation
100::/64	100::-100::ffff:ffff:ffff:ffff	0x09800003	0	-1.0	666.000000	666.000000	25	-	-	Discard prefix
2001::/32	2001::-2001::ffff:ffff:ffff:ffff:ffff:ffff	0x0d000010	0	-1.0	666.000000	666.000000	64	-	-	Teredo
2001:20::/28	2001:20::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff	0x0a00000c	0	-1.0	666.000000	666.000000	26	-	-	ORCHIDv2
2001:db8::/32	2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff	0x0a800004	0	-1.0	666.000000	666.000000	27	-	-	doc and example source
2002::/16	2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff	0x0d800001	0	-1.0	666.000000	666.00000	65	-	-	6to4 (deprecated)
fc00::/7	fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff	0x02800014	0	-1.0	666.000000	666.000000	03	-	-	Unique local
fe80::/10	fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff	0x02000009	0	-1.0	666.000000	666.000000	02	-	-	Link-local
ff00::/8	ff00::-ffff:ffff:ffff:ffff:fff:ffff:ffff:ffff	0x0600000b	0	-1.0	666.000000	666.000000	10	-	-	Multicast
# End IPv6 private address space
2001:1260::/32	2001:1260::-2001:1260:ffff:ffff:ffff:ffff:ffff:ffff	0x5d000000	0	100	23.000000	-102.000000	mx	-	-	-
2002:1260::/30	2002:1260::-2002:1263:ffff:ffff:ffff:ffff:ffff:ffff	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
2003:200::/23	2003:200::-2003:3ff:ffff:ffff:ffff:ffff:ffff:ffff	0x2a800000	0	100	51.000000	9.000000	de	-	-	-
$

But mind that you have to bzip2 them first in order to make them work with T2, see subnet your own.
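
A consistency check for the T2 subnet format that t2mmdb prints and t2mmdba writes, worth running before the files are compressed and installed. This is an added example, not part of Tranalyzer: parse_subnets, lookup and the longest-prefix resolution are this example's own choices, and the last two sample rows are constructed.

```python
import ipaddress

# Column order, taken from the "# IPCIDR IPrange ..." header of the subnet file.
COLS = ["cidr", "range", "who", "asn", "uncert", "lat", "lon",
        "country", "county", "city", "org"]
RESERVED_COORD = 666.0  # lat/long used in the listing for non-routable space

# Tab-separated rows: lines 3-7 are copied from the listings above,
# lines 8-9 are constructed to show what the checks reject.
SAMPLE = "\n".join([
    "#\t5\t01042020",
    "# IPCIDR\tIPrange\tCtryWhoCode\tASN\tUncert\tLatitude\tLongitude\tCountry\tCounty\tCity\tOrg",
    "192.168.0.0/16\t192.168.0.0-192.168.255.255\t0x0480000d\t0\t-1.0\t666.000000\t666.000000\t07\t-\t-\tPrivate network",
    "240.0.0.0/4\t240.0.0.0-255.255.255.254\t0x0900000e\t0\t-1.0\t666.000000\t666.000000\t24\t-\t-\tReserved",
    "3.4.0.0/16\t3.4.0.0-3.4.255.255\t0x84800000\t0\t1000\t47.634800\t-122.345100\tus\t-\tSeattle\t-",
    "31.121.8.0/21\t31.121.8.0-31.121.15.255\t0x35000000\t0\t200\t51.922200\t-2.535000\tgb\t-\tRoss on Wye\t-",
    "2001:1260::/32\t2001:1260::-2001:1260:ffff:ffff:ffff:ffff:ffff:ffff\t0x5d000000\t0\t100\t23.000000\t-102.000000\tmx\t-\t-\t-",
    "10.1.2.3/8\t10.0.0.0-10.255.255.255\t0x0300000d\t0\t-1.0\t666.000000\t666.000000\t04\t-\t-\tPrivate network",
    "203.0.113.0/24\t203.0.113.0-203.0.113.255\t0x08800013\t0\t100\t95.000000\t10.000000\t23\t-\t-\tTEST-NET-3",
])


def parse_subnets(text):
    """Return (rows, problems); problems is a list of (line number, message)."""
    rows, problems = [], []
    for no, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != len(COLS):
            problems.append((no, f"expected {len(COLS)} fields, got {len(fields)}"))
            continue
        row = dict(zip(COLS, fields))
        try:
            # strict=True rejects a CIDR whose host bits are set (10.1.2.3/8)
            net = ipaddress.ip_network(row["cidr"], strict=True)
            lo, hi = (ipaddress.ip_address(x) for x in row["range"].split("-"))
            lat, lon = float(row["lat"]), float(row["lon"])
        except ValueError as exc:
            problems.append((no, f"unparsable field: {exc}"))
            continue
        first, last = net.network_address, net.broadcast_address
        if (lo, hi) != (first, last):
            problems.append((no, f"range {row['range']} != {first}-{last}"))
        reserved = lat == RESERVED_COORD and lon == RESERVED_COORD
        if not reserved and not (-90 <= lat <= 90 and -180 <= lon <= 180):
            problems.append((no, f"coordinates out of range: {lat},{lon}"))
        row.update(net=net, reserved=reserved)
        rows.append(row)
    return rows, problems


def lookup(rows, ip):
    """Longest-prefix match (this example's assumption); None if uncovered."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rows
            if r["net"].version == addr.version and addr in r["net"]]
    return max(hits, key=lambda r: r["net"].prefixlen, default=None)


if __name__ == "__main__":
    rows, problems = parse_subnets(SAMPLE)
    for no, msg in problems:
        print(f"line {no}: {msg}")
    for ip in ("3.4.5.6", "192.168.1.104", "8.8.8.8"):
        hit = lookup(rows, ip)
        print(ip, "->", hit["cidr"] if hit else "no entry")
```

The 240.0.0.0/4 row copied from the listing is reported because its range ends at 255.255.255.254, one address short of the /4, with 255.255.255.255/32 listed as its own row. Rows that set the 666.000000 coordinates are treated as reserved space rather than as a location.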

If you purchased an enterprise DB, copy the address range from the default T2 subnet files and generate a new one.

$ awk -F"\t" ' !/^#/ { split($1,A,"/"); print A[1]}' ~/tranalyzer2/utils/subnet/subnets4.txt > wurst4.txt
$ awk -F"\t" ' !/^#/ { split($1,A,"/"); print A[1]}' ~/tranalyzer2/utils/subnet/subnets6.txt > wurst6.txt
$ ./t2mmdba -f enterpriseDB -i ~/Downloads/libmaxminddb-master/bin/wurst
Merge with subnetsB[46].txt into subnets[46].txt
$

Compare them with the ones of the anteater. You will find some differences, as we conduct our own research. If you would like to join the effort, please contact the Anteater.

Now try it with the whole address space; you then end up with 10^6 unique entries.

Change the output type to maxmind

If you want to see more, look at the config:

$ cd src
$ cat t2mmdb.h
...
// user defines
#define T2MMDB_SUBNET     1 // 0: IP results , 1: Create IP range T2 subnet format

#define T2MMDB_CONTINENT  1 // 0: no continent, 1: name (GeoLite2), 2: two letters code
#define T2MMDB_COUNTRY    2 // 0: no country, 1: name, 2: two letters code, 3: three letters code (Legacy)
#define T2MMDB_CITY       1 // Dsplay the city of the IP
#define T2MMDB_POSTCODE   1 // Dsplay the postal code of the IP
#define T2MMDB_POSITION   1 // Dsplay the position (latitude, longitude) of the IP
#define T2MMDB_METRO_CODE 1 // Dsplay the metro (dma) code of the IP (US only)

#define T2MMDB_ACCURACY   1 // Display the accuracy (GeoLite2)
#define T2MMDB_TIMEZONE   1 // Display the time zone (GeoLite2)

// enterprise version
#define T2MMDB_ORG        1 // Display the organisation
#define T2MMDB_ISP        1 // Display the ISP name
#define T2MMDB_DOMAIN     1 // Display the domain name
#define T2MMDB_ASNAME     1 // Display the autonomous systems name
#define T2MMDB_USRT       1 // Display the user type
// end enterprise version

#define T2MMDB_LANG       "en" // Output language: en, de, fr, es, ja, pt-BR, ru, zh-CN, ...
#define T2MMDB_BUFSIZE    64   // buffer size

#define T2MMDB_UNKNOWN    "-" // Representation of unknown locations (GeoIP's default)

// DB to be loaded
#define T2MMDB_DB_FILE    "GeoLite2-City.mmdb"
...
$

T2MMDB_SUBNET defines the format of the output. The default is the T2 format. If you want to see the whole MaxMind output, set it to 0. As t2mmdb is independent of the geoip plugin, t2conf does not work here. You need to edit the file above, change the values in the defines and recompile with make. So move one directory back, invoke make and rerun the previous t2mmdb command:

$ cd ..
$ make
gcc -pipe -Wall -Wextra -Wundef -std=gnu99 -MMD -MP -I../../src -I../../../../tranalyzer2/src -I../../../../utils  -D_GNU_SOURCE -I../../src/MMDB -O3   -c -o src/t2mmdb.o src/t2mmdb.c
gcc -o t2mmdb src/t2mmdb.o ../../../../utils/t2utils.o -lm -L../../src/MMDB ../../src/MMDB/.libs/libmaxminddb.a
$ ./t2mmdb -i nudel.txt
# IP                         Mask  MetroCode  TimeZone             ContCode       PostalCode  ASN  Accuracy  Latitude   Longitude    Country  City         Org  ISP  ASNname  UserType  Domain
3.4.5.6                      16    819        America/Los_Angeles  North America  98109       0    1000      47.634800  -122.345100  US       Seattle      -    -    -        -         -
6.5.78.6                     13    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
23.54.67.7                   19    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
8.0.0.0                      22    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
31.121.10.80                 21    0          Europe/London        Europe         HR9         0    200       51.922200  -2.535000    GB       Ross on Wye  -    -    -        -         -
2001:1260::4544:434:fe34:45  32    0          America/Mexico_City  North America  -           0    100       23.000000  -102.000000  MX       -            -    -    -        -         -
2002:1260::4544:434:fe34:45  30    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
1.0.128.0                    23    0          Asia/Bangkok         Asia           16000       0    500       14.887900  100.404600   TH       Sing Buri    -    -    -        -         -
1.51.32.0                    19    0          Asia/Shanghai        Asia           -           0    50        34.772500  113.726600   CN       -            -    -    -        -         -
130.75.0.0                   16    0          Europe/Berlin        Europe         30161       0    200       52.385100  9.743100     DE       Hanover      -    -    -        -         -
28.0.0.0                     8     0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
29.0.0.0                     12    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
30.0.0.0                     12    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
$

To see the content of the empty columns, acquire the enterprise DB and use the -f option.

Don’t forget to reset T2MMDB_SUBNET to 1 and recompile with make, or recompile geoip, as it recompiles t2mmdb as well.

Have fun!