Geolocation MaxMind DB: geoip, t2mmdb

geoip MaxMind

Introduction

The geoip plugin is a wrapper for the open source geolocation GeoIP/MaxMind DB. It supplies standard geolocation output in the flow file. To support a faster interface for quick IPv4/6 geolocation queries independent of T2, the t2mmdb program has been available since version 0.8.8.

In the next chapters we will discuss the geoip plugin and the operation of the t2mmdb program.

Preparation

First, restore T2 into a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins:

t2build -e -y

Are you sure you want to empty the plugin folder '/home/wurst/.tranalyzer/plugins' (y/N)? yes
Plugin folder emptied

Then compile the core (tranalyzer2) and the following plugins:

t2build -f tranalyzer2 basicFlow tcpStates geoip txtSink

...
BUILD SUCCESSFUL

If you have not yet created separate data and results directories, please do so now in another bash window, which facilitates your workflow:

mkdir ~/data ~/results

The anonymized sample PCAP used in this tutorial can be downloaded here: faf-exercise.pcap.

Please save it in your ~/data folder.

Now you are all set for T2 IP label experiments.

geoip plugin

T2 supports the open source legacy GeoLite2 databases and the newer MaxMind GeoIP2 databases. Note that GeoIP has not provided any updates for its legacy GeoLite2 DBs since January 2019.

Now move to the geoip plugin and look into it:

geoip

ls

AUTHORS  autogen.sh  ChangeLog  configure.ac  COPYING  doc  GeoLite2-City.mmdb.gz  GeoLiteCity.dat.gz  GeoLiteCityv6.dat.gz  Makefile.am  NEWS  README  scripts  src  t2plconf  tests

Note the GeoIP DB: GeoLiteCity.dat.gz and GeoLiteCityv6.dat.gz as well as the MaxMind DB: GeoLite2-City.mmdb.gz. If you move into the scripts folder you see two scripts:

genkml.sh map coordinates to google earth
updatedb.sh update DB

The first maps a flow file to a Google Earth KML file to produce an earth view with the location of the various IPs. The second updates the DBs. Run t2doc geoip for detailed information.

Now move to the src/ directory and look into the geoip.h file

ls src

geoip.c  geoip.h  Makefile.am  MMDB

vi src/geoip.h

The important setting is the selection of the DB type. Since 0.8.4, the default is the MaxMind DB. As older systems do not have this library available, we also supply the last public open source one. Today you have to register to get a newer copy. Just get it and replace ours under the geoip directory.

If you choose to use your own GeoIP2 DB, such as the enterprise version, look for the GEOIP_DB_FILE constant and replace it with the Enterprise DB name. You may then wish to enable all fields enclosed between // GeoLite2 Enterprise databases only and // End GeoLite2 Enterprise. Don’t forget to recompile with t2build geoip.

As the library functions may not be available on older systems, we ship one with faster access to the MaxMind library. This is the default switch GEOIP_LIB=2. If you want to use the libmaxmind library on your system, set it to 1. 0 switches to the legacy GeoLite DB and library functions. Note that this data is outdated.

As you can see, the classification of source or destination IP can be enabled separately. Any output of country, city, organization, language, etc., can also be enabled or disabled.

Let’s look at the default configuration, shown below.

...
/* ========================================================================== */
/* ------------------------ USER CONFIGURATION FLAGS ------------------------ */
/* ========================================================================== */

#define GEOIP_LIB           2 // Library to use:
                              //   2: GeoLite2 / Internal libmaxmind (faster)
                              //   1: GeoLite2 / libmaxmind
                              //   0: GeoLite  / geoip (legacy)

#define GEOIP_SRC           1 // Display geo info for the source IP
#define GEOIP_DST           1 // Display geo info for the destination IP

#define GEOIP_CONTINENT     2 // 0: no continent, 1: name (GeoLite2), 2: two letters code
#define GEOIP_COUNTRY       2 // 0: no country, 1: name, 2: two letters code, 3: three letters code (Legacy)
#define GEOIP_CITY          1 // Display the city of the IP
#define GEOIP_POSTCODE      1 // Display the postal code of the IP
#define GEOIP_POSITION      1 // Display the position (latitude, longitude) of the IP
#define GEOIP_METRO_CODE    0 // Display the metro (dma) code of the IP (US only)

#if GEOIP_LIB != 0
#define GEOIP_ACCURACY      1 // Display the accuracy (GeoLite2)
#define GEOIP_TIMEZONE      1 // Display the time zone (GeoLite2)

// GeoLite2 Enterprise databases only
#define GEOIP_ORG           0 // Display the organization
#define GEOIP_ISP           0 // Display the ISP name
#define GEOIP_ASN           0 // Display the autonomous systems number
#define GEOIP_ASNAME        0 // Display the autonomous systems name
#define GEOIP_CONNT         0 // Display the connection type
#define GEOIP_USRT          0 // Display the user type
// End GeoLite2 Enterprise

#define GEOIP_LANG       "en" // Output language: en, de, fr, es, ja, pt-BR, ru, zh-CN, ...
#define GEOIP_BUFSIZE      64 // Buffer size
#else // GEOIP_LIB == 0
#define GEOIP_REGION        1 // 0: no region,  1: name, 2: code
#define GEOIP_AREA_CODE     0 // Display the telephone area code of the IP
#define GEOIP_NETMASK       1 // 0: no netmask, 1: netmask as int (cidr),
                              // 2: netmask as hex (IPv4 only), 3: netmask as IP (IPv4 only)

#define GEOIP_DB_CACHE      2 // 0: read DB from file system (slower, least memory)
                              // 1: index cache (cache frequently used index only)
                              // 2: memory cache (faster, more memory)
#endif // GEOIP_LIB == 0

/* +++++++++++++++++++++ ENV / RUNTIME - conf Variables +++++++++++++++++++++ */

#define GEOIP_UNKNOWN    "--" // Representation of unknown locations (GeoIP's default)

// Name of the database(s) to use
#define GEOIP_DB_FILE  "GeoLite2-City.mmdb" // Combined IPv4 and IPv6 database (require GEOIP_LIB > 0)
#define GEOIP_DB_FILE4 "GeoLiteCity.dat"    // IPv4 database (require GEOIP_LIB == 0)
#define GEOIP_DB_FILE6 "GeoLiteCityv6.dat"  // IPv6 database (require GEOIP_LIB == 0)

/* ========================================================================== */
/* ------------------------- DO NOT EDIT BELOW HERE ------------------------- */
/* ========================================================================== */
...

Now run T2 on the said pcap.

t2 -r ~/data/faf-exercise.pcap -w ~/results/

To compare with the basicFlow output, I aggregated the same columns as in the last tutorial.

tawk '{ print $srcIP, wildcard("^srcIp"), $dstIP, wildcard("^dstIp") }' ~/results/faf-exercise_flows.txt | sort -Vru -k1,1 | tcol

srcIP           srcIpContinent  srcIpCountry  srcIpCity    srcIpPostcode  srcIpAccuracy  srcIpLat   srcIpLong    srcIpTimeZone          dstIP          dstIpContinent  dstIpCountry  dstIpCity  dstIpPostcode  dstIpAccuracy  dstIpLat   dstIpLong  dstIpTimeZone
198.189.255.75  NA              US            "Marina"     93933          20             36.684100  -121.788600  "America/Los_Angeles"  192.168.1.104  --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.105   --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.1    --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.104   --              --            "--"         --             0              0.000000   0.000000     ""                     77.67.44.206   EU              IE            "--"       --             200            53.347200  -6.243900  "Europe/Dublin"
192.168.1.103   --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.1    --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.102   --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.1    --              --            "--"       --             0              0.000000   0.000000   ""
192.168.1.1     --              --            "--"         --             0              0.000000   0.000000     ""                     192.168.1.103  --              --            "--"       --             0              0.000000   0.000000   ""
143.166.11.10   NA              US            "--"         --             1000           37.751000  -97.822000   "America/Chicago"      192.168.1.105  --              --            "--"       --             0              0.000000   0.000000   ""
77.67.44.206    EU              IE            "--"         --             200            53.347200  -6.243900    "Europe/Dublin"        192.168.1.104  --              --            "--"       --             0              0.000000   0.000000   ""
63.245.221.11   NA              US            "Fairfield"  94533          100            38.267000  -122.044000  "America/Los_Angeles"  192.168.1.104  --              --            "--"       --             0              0.000000   0.000000   ""

Request IPs from MaxMind DB using t2mmdb in T2 format

You probably know mmdblookup, an open-source program supplied by MaxMind to read the MMDB. It’s a bit difficult to parse and some features are hidden from the user, such as the -I option which allows you to read IP addresses from a file.

That’s why we wrote t2mmdb. It is initially compiled with the geoip plugin and resides under geoip/utils/t2mmdb, but you can invoke it anywhere you like:

t2mmdb -h

Usage:
    t2mmdb [OPTION...] [INPUT...]

Input:
    -               If no input is provided, read from stdin
    -i file         Read IP address(es) from 'file'

Optional arguments:
    -x              Do not display the header
    -f file         Database to use (default: 'GeoLite2-City.mmdb' in the plugin folder)
    -h              Show help options and exit

Let’s try the two simplest cases first. By default it reads from the command line and uses the DB copied under the binary plugins directory: ~/.tranalyzer/plugins. The output is formatted according to the Tranalyzer subnet file format. So either supply an IP directly:

t2mmdb 8.8.8.8

#	5	01032020
# IPCIDR	IPrange	CtryWhoCode	ASN	Accuracy	Latitude	Longitude	Country	County	City	Org
8.8.0.0/17	8.8.0.0-8.8.127.255	0x00000000	-	1000	37.751000	-97.822000	us	-	-	-	-	-	-

Or put it in the interactive mode:

t2mmdb

#	5	01032020
# IPCIDR	IPrange	CtryWhoCode	ASN	Accuracy	Latitude	Longitude	Country	County	City	Org
63.245.221.11
63.245.220.0/23	63.245.220.0-63.245.221.255	0x00000000	0	100	38.267000	-122.044000	us	-	Fairfield	-
192.168.1.104
8.8.8.8
8.8.0.0/17	8.8.0.0-8.8.127.255	0x00000000	0	1000	37.751000	-97.822000	us	-	-	-
^C

So you see, MaxMind does not have an opinion on local or corporate addresses. If you loaded the enterprise version, which we do not have, you would see City and Org entries, if you did not disable them.

If you want to load a different MaxMind DB, use the -f option and provide the full path to it:

t2mmdb -f ~/.tranalyzer/plugins/GeoLite2-City.mmdb

#       5       01032020
# IPCIDR        IPrange CtryWhoCode     ASN     Accuracy        Latitude        Longitude       Country County  City    Org
63.245.221.11
63.245.220.0/23 63.245.220.0-63.245.221.255     0x00000000      0       100     38.267000       -122.044000     us      -       Fairfield       -
^C

Now prepare a file with some IPs:

cat nudel.txt

3.4.5.6
6.5.78.6
23.54.67.7
8.0.0.0
31.121.10.80
2001:1260::4544:434:fe34:45
2002:1260::4544:434:fe34:45
1.0.128.0
1.51.32.0
130.75.0.0
28.0.0.0
29.0.0.0
30.0.0.0

t2mmdb -i nudel.txt

#               5                                                    01032020
# IPCIDR        IPrange                                              CtryWhoCode  ASN  Accuracy  Latitude   Longitude    Country  County  City         Org
3.4.0.0/16      3.4.0.0-3.4.255.255                                  0x00000000   0    1000      47.634800  -122.345100  us       -       Seattle      -
6.0.0.0/13      6.0.0.0-6.7.255.255                                  0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
23.54.64.0/19   23.54.64.0-23.54.95.255                              0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
8.0.0.0/22      8.0.0.0-8.0.3.255                                    0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
31.121.8.0/21   31.121.8.0-31.121.15.255                             0x00000000   0    200       51.922200  -2.535000    gb       -       Ross on Wye  -
2001:1260::/32  2001:1260::-2001:1260:ffff:ffff:ffff:ffff:ffff:ffff  0x00000000   0    100       23.000000  -102.000000  mx       -       -            -
2002:1260::/30  2002:1260::-2002:1263:ffff:ffff:ffff:ffff:ffff:ffff  0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
1.0.128.0/23    1.0.128.0-1.0.129.255                                0x00000000   0    500       14.887900  100.404600   th       -       Sing Buri    -
1.51.32.0/19    1.51.32.0-1.51.63.255                                0x00000000   0    50        34.772500  113.726600   cn       -       -            -
130.75.0.0/16   130.75.0.0-130.75.255.255                            0x00000000   0    200       52.385100  9.743100     de       -       Hanover      -
28.0.0.0/8      28.0.0.0-28.255.255.255                              0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
29.0.0.0/12     29.0.0.0-29.15.255.255                               0x00000000   0    1000      37.751000  -97.822000   us       -       -            -
30.0.0.0/12     30.0.0.0-30.15.255.255                               0x00000000   0    1000      37.751000  -97.822000   us       -       -            -

Transform MaxMind DB into t2 subnet format

If you had all IP ranges for IPv4/6, could you build your own subnet file? Yes, you can. These ranges are available on the internet, this wonderful thing.

Just use the script t2mmdba. It generates all necessary files which can be copied under scripts/subnet.

geoip

cd utils

./t2mmdba

'-i' option is required
Try 't2mmdba --help' for more information.

./t2mmdba --help

Usage:
    t2mmdba [OPTION...] -i <prefix>

Required arguments:
    -i      Prefix for IP file to use

Optional arguments:
    -f      Database to use
    -h      display this help, then exit

As a test, separate IPv4 and IPv6 addresses into different files. Note that it is important to choose names which end with 4.txt and 6.txt, respectively. Then, execute t2mmdba:

awk -F"\t" '!/:/ { print }' wurst.txt > wurst4.txt

awk -F"\t" '/:/ { print }' wurst.txt > wurst6.txt

./t2mmdba -i ./wurst

Merge with subnetsB[46].txt into subnets[46].txt

Have a look into the directory: you see the generated subnets[46].txt, whoCntryCds.txt and whoOrgCds.txt files for T2 core and t2whois.

ls

subnets4.txt  subnets6.txt  t2mmdb  t2mmdba  whoCntryCds.txt  whoOrgCds.txt  wurst4.txt  wurst6.txt  wurst.txt

Open subnets4.txt. Note that the organization is missing for the public address space, as the open source version does not contain this information.

cat subnets4.txt

#	5	01042020
# IPCIDR	IPrange	CtryWhoCode	ASN	Uncert	Latitude	Longitude	Country	County	City	Org
# Begin IPv4 private address space
10.0.0.0/8	10.0.0.0-10.255.255.255	0x0300000d	0	-1.0	666.000000	666.000000	04	-	-	Private network
127.0.0.0/8	127.0.0.0-127.255.255.255	0x0100000a	0	-1.0	666.000000	666.000000	01	-	-	Loopback
100.64.0.0/10	100.64.0.0-100.127.255.255	0x0700000f	0	-1.0	666.000000	666.000000	20	-	-	Shared address space
169.254.0.0/16	169.254.0.0-169.254.255.255	0x02000009	0	-1.0	666.000000	666.000000	02	-	-	Link-local
172.16.0.0/12	172.16.0.0-172.31.255.255	0x0380000d	0	-1.0	666.000000	666.000000	05	-	-	Private network
192.0.0.0/24	192.0.0.0-192.0.0.255	0x0400000d	0	-1.0	666.000000	666.000000	06	-	-	Private network
192.0.2.0/24	192.0.2.0-192.0.2.255	0x07800011	0	-1.0	666.000000	666.000000	21	-	-	TEST-NET-1
192.88.99.0/24	192.88.99.0-192.88.99.255	0x0b000008	0	-1.0	666.000000	666.000000	60	-	-	IPv6 to IPv4 relay
192.168.0.0/16	192.168.0.0-192.168.255.255	0x0480000d	0	-1.0	666.000000	666.000000	07	-	-	Private network
198.18.0.0/15	198.18.0.0-198.19.255.255	0x0500000d	0	-1.0	666.000000	666.000000	08	-	-	Private network
198.51.100.0/24	198.51.100.0-198.51.100.255	0x08000012	0	-1.0	666.000000	666.000000	22	-	-	TEST-NET-2
203.0.113.0/24	203.0.113.0-203.0.113.255	0x08800013	0	-1.0	666.000000	666.000000	23	-	-	TEST-NET-3
224.0.0.0/4	224.0.0.0-239.255.255.255	0x0600000b	0	-1.0	666.000000	666.000000	10	-	-	Multicast
240.0.0.0/4	240.0.0.0-255.255.255.254	0x0900000e	0	-1.0	666.000000	666.000000	24	-	-	Reserved
255.255.255.255/32	255.255.255.255-255.255.255.255	0x06800002	0	-1.0	666.000000	666.000000	11	-	-	Broadcast
# End IPv4 private address space
1.0.128.0/23	1.0.128.0-1.0.129.255	0x7c000000	0	500	14.887900	100.404600	th	-	Sing Buri	-
1.51.32.0/19	1.51.32.0-1.51.63.255	0x26000000	0	50	34.772500	113.726600	cn	-	-	-
3.4.0.0/16	3.4.0.0-3.4.255.255	0x84800000	0	1000	47.634800	-122.345100	us	-	Seattle	-
6.0.0.0/13	6.0.0.0-6.7.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
8.0.0.0/22	8.0.0.0-8.0.3.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
23.54.64.0/19	23.54.64.0-23.54.95.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
28.0.0.0/8	28.0.0.0-28.255.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
29.0.0.0/12	29.0.0.0-29.15.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
30.0.0.0/12	30.0.0.0-30.15.255.255	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
31.121.8.0/21	31.121.8.0-31.121.15.255	0x35000000	0	200	51.922200	-2.535000	gb	-	Ross on Wye	-
130.75.0.0/16	130.75.0.0-130.75.255.255	0x2a800000	0	200	52.385100	9.743100	de	-	Hanover	-

And the subnets6.txt, ready to be copied into the subnet folder.

cat subnets6.txt

#	5	01042020
# IPCIDR	IPrange	CtryWhoCode	ASN	Uncert	Latitude	Longitude	Country	County	City	Org
# Begin IPv6 private address space
::1/128	::1-::1	0x0100000a	0	-1.0	666.000000	666.000000	01	-	-	Loopback
::ffff:0:0/96	::ffff:0:0-::ffff:ffff:ffff	0x0b800006	0	-1.0	666.000000	666.000000	61	-	-	IPv4 mapped
::ffff:0:0:0/96	::ffff:0:0:0-::ffff:0:ffff:ffff	0x0c000007	0	-1.0	666.000000	666.000000	62	-	-	IPv4 translated
64:ff9b::/96	64:ff9b::-64:ff9b::ffff:ffff	0x0c800005	0	-1.0	666.000000	666.000000	63	-	-	IPv4/6 translation
100::/64	100::-100::ffff:ffff:ffff:ffff	0x09800003	0	-1.0	666.000000	666.000000	25	-	-	Discard prefix
2001::/32	2001::-2001::ffff:ffff:ffff:ffff:ffff:ffff	0x0d000010	0	-1.0	666.000000	666.000000	64	-	-	Teredo
2001:20::/28	2001:20::-2001:2f:ffff:ffff:ffff:ffff:ffff:ffff	0x0a00000c	0	-1.0	666.000000	666.000000	26	-	-	ORCHIDv2
2001:db8::/32	2001:db8::-2001:db8:ffff:ffff:ffff:ffff:ffff:ffff	0x0a800004	0	-1.0	666.000000	666.000000	27	-	-	doc and example source
2002::/16	2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff	0x0d800001	0	-1.0	666.000000	666.00000	65	-	-	6to4 (deprecated)
fc00::/7	fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff	0x02800014	0	-1.0	666.000000	666.000000	03	-	-	Unique local
fe80::/10	fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff	0x02000009	0	-1.0	666.000000	666.000000	02	-	-	Link-local
ff00::/8	ff00::-ffff:ffff:ffff:ffff:fff:ffff:ffff:ffff	0x0600000b	0	-1.0	666.000000	666.000000	10	-	-	Multicast
# End IPv6 private address space
2001:1260::/32	2001:1260::-2001:1260:ffff:ffff:ffff:ffff:ffff:ffff	0x5d000000	0	100	23.000000	-102.000000	mx	-	-	-
2002:1260::/30	2002:1260::-2002:1263:ffff:ffff:ffff:ffff:ffff:ffff	0x84800000	0	1000	37.751000	-97.822000	us	-	-	-
2003:200::/23	2003:200::-2003:3ff:ffff:ffff:ffff:ffff:ffff:ffff	0x2a800000	0	100	51.000000	9.000000	de	-	-	-

But mind that you have to bzip2 them first in order to make them work with T2, see subnet your own.
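A sanity check for generated subnet files before they are compressed and handed to T2, as an added example (not part of the Tranalyzer distribution). It assumes the 11 tab-separated columns of the header line shown above and treats 666.000000 as the "no position" value seen in the special ranges; SAMPLE, check_row and validate are names made up for this example.

```python
import ipaddress

NCOLS = 11             # columns named in the "# IPCIDR ... Org" header line
UNKNOWN_COORD = 666.0  # latitude/longitude value the listings use for special ranges

# Constructed sample: two header lines and four rows copied from the listings
# above, followed by three deliberately broken rows (lines 7-9).
SAMPLE = "\n".join([
    "#\t5\t01042020",
    "# IPCIDR\tIPrange\tCtryWhoCode\tASN\tUncert\tLatitude\tLongitude\tCountry\tCounty\tCity\tOrg",
    "192.168.0.0/16\t192.168.0.0-192.168.255.255\t0x0480000d\t0\t-1.0\t666.000000\t666.000000\t07\t-\t-\tPrivate network",
    "240.0.0.0/4\t240.0.0.0-255.255.255.254\t0x0900000e\t0\t-1.0\t666.000000\t666.000000\t24\t-\t-\tReserved",
    "31.121.8.0/21\t31.121.8.0-31.121.15.255\t0x35000000\t0\t200\t51.922200\t-2.535000\tgb\t-\tRoss on Wye\t-",
    "2001:1260::/32\t2001:1260::-2001:1260:ffff:ffff:ffff:ffff:ffff:ffff\t0x5d000000\t0\t100\t23.000000\t-102.000000\tmx\t-\t-\t-",
    # broken: the range ends outside the /16
    "130.75.0.0/16\t130.75.0.0-130.76.255.255\t0x2a800000\t0\t200\t52.385100\t9.743100\tde\t-\tHanover\t-",
    # broken: Org column missing (10 columns)
    "1.51.32.0/19\t1.51.32.0-1.51.63.255\t0x26000000\t0\t50\t34.772500\t113.726600\tcn\t-\t-",
    # broken: latitude above 90 degrees
    "8.0.0.0/22\t8.0.0.0-8.0.3.255\t0x84800000\t0\t1000\t137.751000\t-97.822000\tus\t-\t-\t-",
])


def check_row(line):
    """Return the list of problems found in one data row (empty list: row is fine)."""
    cols = line.split("\t")
    if len(cols) != NCOLS:
        return [f"expected {NCOLS} tab-separated columns, got {len(cols)}"]
    cidr, iprange, code, _asn, _uncert, lat, lon = cols[:7]
    problems = []
    try:
        # strict=True rejects a CIDR whose host bits are set (e.g. 10.0.0.1/8)
        net = ipaddress.ip_network(cidr, strict=True)
        first, last = (ipaddress.ip_address(a) for a in iprange.split("-"))
        if first.version != net.version or last.version != net.version:
            problems.append("IPCIDR and IPrange mix IPv4 and IPv6")
        elif not net.network_address <= first <= last <= net.broadcast_address:
            problems.append(f"IPrange {iprange} is not inside {cidr}")
    except ValueError as err:
        problems.append(f"bad IPCIDR/IPrange: {err}")
    try:
        int(code, 16)
    except ValueError:
        problems.append(f"CtryWhoCode {code!r} is not hexadecimal")
    try:
        la, lo = float(lat), float(lon)
        known = (la, lo) != (UNKNOWN_COORD, UNKNOWN_COORD)
        if known and not (-90 <= la <= 90 and -180 <= lo <= 180):
            problems.append(f"position {lat},{lon} is out of range")
    except ValueError:
        problems.append("Latitude/Longitude is not a number")
    return problems


def validate(text):
    """Map 1-based line number to its problems, for every faulty data row."""
    report = {}
    for number, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # header and section marker lines carry no range
        problems = check_row(line)
        if problems:
            report[number] = problems
    return report


if __name__ == "__main__":
    for number, problems in validate(SAMPLE).items():
        print(f"line {number}: " + "; ".join(problems))
```

The range test is containment rather than equality because the 240.0.0.0/4 row in the listing above ends at 255.255.255.254.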

If you purchased an enterprise DB, copy the address range from the default T2 subnet files and generate a new one.

awk -F"\t" '!/^#/ { split($1, A, "/"); print A[1] }' ~/tranalyzer2/utils/subnet/subnets4.txt > wurst4.txt

awk -F"\t" '!/^#/ { split($1, A, "/"); print A[1] }' ~/tranalyzer2/utils/subnet/subnets6.txt > wurst6.txt

./t2mmdba -f enterpriseDB -i ~/Downloads/libmaxminddb-master/bin/wurst

Merge with subnetsB[46].txt into subnets[46].txt

Compare them with the ones of the Anteater. You will find some differences, as we conduct our own research. If you would like to join the effort, please contact the Anteater.

Now try it with the whole address space, then you end up with 10^6 unique entries.

Change the output type to MaxMind

If you want to see more, look at the config:

geoip

cd utils/t2mmdb

vi src/t2mmdb.h

// user defines
#define T2MMDB_SUBNET     1 // 0: IP results,
                            // 1: Create IP range T2 subnet format

...
// DB to be loaded
#define T2MMDB_DB_FILE    "GeoLite2-City.mmdb"
...

T2MMDB_SUBNET defines the format of the output. Default is T2 format. If you want to see the whole MaxMind output, set it to 0. As t2mmdb is independent of the geoip plugin, t2conf does not work here. You need to edit the file above, change the values in the defines and recompile with make. So move one directory back and invoke make and rerun the previous t2mmdb command:

make

gcc -pipe -Wall -Wextra -Wundef -std=gnu99 -MMD -MP -I../../src -I../../../../tranalyzer2/src -I../../../../utils  -D_GNU_SOURCE -I../../src/MMDB -O3   -c -o src/t2mmdb.o src/t2mmdb.c
gcc -o t2mmdb src/t2mmdb.o ../../../../utils/t2utils.o -lm -L../../src/MMDB ../../src/MMDB/.libs/libmaxminddb.a

./t2mmdb -i nudel.txt

# IP                         Mask  MetroCode  TimeZone             ContCode       PostalCode  ASN  Accuracy  Latitude   Longitude    Country  City         Org  ISP  ASNname  UserType  Domain
3.4.5.6                      16    819        America/Los_Angeles  North America  98109       0    1000      47.634800  -122.345100  US       Seattle      -    -    -        -         -
6.5.78.6                     13    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
23.54.67.7                   19    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
8.0.0.0                      22    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
31.121.10.80                 21    0          Europe/London        Europe         HR9         0    200       51.922200  -2.535000    GB       Ross on Wye  -    -    -        -         -
2001:1260::4544:434:fe34:45  32    0          America/Mexico_City  North America  -           0    100       23.000000  -102.000000  MX       -            -    -    -        -         -
2002:1260::4544:434:fe34:45  30    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
1.0.128.0                    23    0          Asia/Bangkok         Asia           16000       0    500       14.887900  100.404600   TH       Sing Buri    -    -    -        -         -
1.51.32.0                    19    0          Asia/Shanghai        Asia           -           0    50        34.772500  113.726600   CN       -            -    -    -        -         -
130.75.0.0                   16    0          Europe/Berlin        Europe         30161       0    200       52.385100  9.743100     DE       Hanover      -    -    -        -         -
28.0.0.0                     8     0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
29.0.0.0                     12    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -
30.0.0.0                     12    0          America/Chicago      North America  -           0    1000      37.751000  -97.822000   US       -            -    -    -        -         -

To see the content of the empty columns, acquire the enterprise DB and compile using the t2build -f geoip option.

Conclusion

Don’t forget to reset T2MMDB_SUBNET=1 and recompile with make, or recompile geoip, as it recompiles t2mmdb as well.

t2conf geoip -D T2MMDB_SUBNET=1 && t2build geoip

Or use the new command:

t2conf --reset geoip && t2build geoip

Have fun!