Adding a geolocation database to SiLK

Very quickly I’ve decided that having this is a good thing™. SiLK is great, but if you need to discover quickly where your traffic is coming from, being able to do so without an extra lookup step is useful. This step wasn’t covered in the “Now we have SiLK, let’s get it set up” post, so you have this post to peruse instead.

So here’s how to get one. You’ll need to download the legacy GeoIP (IPv4) and GeoIPv6 database files from MaxMind. MaxMind is in the process of persuading everyone to move to the newer GeoIP2 format, so the legacy files can be a little hard to find. The download page at the time of writing is: https://dev.maxmind.com/geoip/legacy/geolite/. (MaxMind discontinued the legacy GeoLite downloads in January 2019; newer SiLK releases can build the same prefix map from the GeoLite2 CSV files instead, so check the rwgeoip2ccmap manual page for the version you have installed.)

gunzip GeoIP.dat.gz
gunzip GeoIPv6.dat.gz
cat GeoIPv6.dat GeoIP.dat | rwgeoip2ccmap --mode=binary > country_codes.pmap
sudo mv country_codes.pmap /usr/share/silk

SiLK looks for country_codes.pmap in the share/silk directory under its install prefix (the path used above, or /usr/local/share/silk for a default source build), or at whatever path the SILK_COUNTRY_CODES environment variable points to, so put it where your build expects it. Once the file is in place, the SiLK tools can report and filter on the country codes of the data you’ve collected: rwstats and rwcut accept scc and dcc (source and destination country code) as fields, and rwfilter accepts matching --scc and --dcc switches. So if you want to see where your data is coming from (or rather, where it isn’t), the following command is useful.

rwstats --fields=scc --bottom --count=3 input-file
INPUT: 55456 Records for 24 Bins and 55456 Total Records
OUTPUT: Bottom 3 Bins by Records
scc|   Records|  %Records|   cumul_%|
 dk|         1|  0.001803|  0.001803|
 tr|         1|  0.001803|  0.003606|
 pk|         1|  0.001803|  0.005410|

In conclusion, Denmark, Turkey and Pakistan are not great senders of information to the system I’m monitoring: one record each out of 55,456. (And because the prefix map was built from both the IPv4 and the IPv6 files, it doesn’t matter whether these are IPv4 or IPv6 connections.)
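The bottom-N view above is a quick eyeball check; the useful follow-on is to run it on a schedule and be told when a country code turns up that you have not seen before. As an added example (not from the post and not part of SiLK), here is a small Python parser for the default pipe-delimited rwstats output, plus a comparison against a baseline set of codes. It assumes the text printed by rwstats --fields=scc is piped to it; the sample text below is constructed from the numbers shown in the post, and the BASELINE_CODES set is invented for illustration.

```python
"""Consume rwstats country-code output and flag codes missing from a baseline.

Added example; not part of the original post or of SiLK. It assumes the text
printed by `rwstats --fields=scc ...` is piped to it (or passed as a string).
"""
import re
import sys

# Constructed sample: the three rows the post shows, with the INPUT/OUTPUT
# summary lines that rwstats prints above the table.
SAMPLE_RWSTATS = """\
INPUT: 55456 Records for 24 Bins and 55456 Total Records
OUTPUT: Bottom 3 Bins by Records
scc|   Records|  %Records|   cumul_%|
 dk|         1|  0.001803|  0.001803|
 tr|         1|  0.001803|  0.003606|
 pk|         1|  0.001803|  0.005410|
"""

# Hypothetical baseline: country codes previously seen and accepted.
BASELINE_CODES = {"dk", "tr"}

_INPUT_RE = re.compile(r"INPUT:\s+(\d+) Records for (\d+) Bins and (\d+) Total Records")


def _convert(value):
    """Turn a padded numeric column into int or float; leave other text alone."""
    try:
        return int(value)
    except ValueError:
        pass
    try:
        return float(value)
    except ValueError:
        return value


def parse_rwstats(text):
    """Parse the default (pipe-delimited, titled) rwstats output.

    Returns (summary, rows): summary holds the counts from the INPUT: line,
    rows is one dict per bin keyed by the column titles. The title line is
    read rather than assumed, so any --fields selection works.
    """
    summary = {}
    rows = []
    titles = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("OUTPUT:"):
            continue
        m = _INPUT_RE.match(line)
        if m:
            summary = {"records": int(m.group(1)),
                       "bins": int(m.group(2)),
                       "total": int(m.group(3))}
            continue
        # Every column is padded and the line ends with the delimiter, so
        # drop the empty field left after the final '|'.
        fields = [f.strip() for f in line.split("|")]
        if fields and fields[-1] == "":
            fields.pop()
        if titles is None:
            titles = fields
            continue
        rows.append({t: _convert(v) for t, v in zip(titles, fields)})
    return summary, rows


def new_countries(rows, baseline, field="scc"):
    """Country codes present in rows but absent from the baseline set.

    SiLK prints "--" for addresses the map does not cover; it is returned
    like any other code so a gap in the map is not silently ignored.
    """
    return sorted({row[field] for row in rows} - set(baseline))


if __name__ == "__main__":
    # Read rwstats output from a pipe, or fall back to the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RWSTATS
    summary, rows = parse_rwstats(text)
    print(f"{summary.get('total', 0)} records, {len(rows)} bins shown")
    for code in new_countries(rows, BASELINE_CODES):
        print(f"new source country: {code}")
```

Feed it the full table rather than the bottom three (drop --count, or use --count=0 with --threshold if your rwstats supports it) so the comparison covers every country seen, and swap field="scc" for "dcc" to watch where data is going rather than where it comes from.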