From the posts below we can begin to understand why signature identification is so important. We are looking for malware in the packet data itself, since any port can be used to send malware and any IP can be spoofed or unwittingly be part of a botnet or worm. The packets below are indicative of the "Win32:SQLSlammer" worm attack that has been around for a considerable time. The worm propagates itself by generating random IP addresses. Notice that the first SIP (Source IP) address is either spoofed or "router leakage": it comes from the RFC1918 "private" (non-internet) 10.0.0.0 through 10.255.255.255 block. Remember that any of these IP addresses can be (a) spoofed, (b) botnet victims or (c) unpatched SQL servers, so their ultimate location may not necessarily tell us anything about 'intent' or 'bad actors'. Note the common signature in these 376 byte packets. "Win32:SQLSlammer" wreaked an extraordinary amount of havoc upon the internet with a very small amount of assembly code. The current Snort rules for this worm look like this:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:11;)
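As an added example (not code from the original post or from the Snort project), here are the content: tests of sid:2003 applied in Python to a UDP datagram, together with a parser for the Snort hex dump format shown below, so a captured packet can be rebuilt and checked offline. The 376-byte stand-in datagram and the SSRP dump are constructed here; the SSRP CLNT_UCAST_INST message type (first byte 0x04) is assumed from the SQL Server Resolution Protocol and is not something the post states.

```python
import re
import struct

# The content: tests of Snort rule sid:2003 quoted above, as (pattern, depth or None).
SLAMMER_CONTENTS = [
    (b"\x04", 1),                                 # content:"|04|"; depth:1
    (bytes.fromhex("81F10301049B81F101"), None),  # content:"|81 F1 03 01 04 9B 81 F1 01|"
    (b"sock", None), (b"send", None),             # content:"sock"; content:"send"
]
# One Snort -X dump line: "0x0010: 01 94 EE 8C ... C0 A8 ......q......=.."  (assumes the
# ASCII column never begins with a hex-looking pair on a short last line)
HEX_LINE = re.compile(r"^0x[0-9A-Fa-f]{4}:\s+((?:[0-9A-Fa-f]{2}\s+){1,16})")

def parse_snort_hexdump(text):
    """Rebuild the raw Ethernet frame from Snort's hex dump lines."""
    raw = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line.strip() + " ")
        if m:
            raw += bytes.fromhex(m.group(1))
    return bytes(raw)

def udp_payload(frame):
    """Return (src_ip, dst_port, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                               # not IPv4, or IP protocol != 17 (UDP)
    ihl = (frame[14] & 0x0F) * 4
    src_ip = ".".join(str(b) for b in frame[26:30])
    udp = frame[14 + ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    return src_ip, dport, udp[8:ulen]

def matches_slammer_rule(dport, payload):
    """Port test plus every content: match, each an absolute search as Snort does it."""
    return dport == 1434 and all(pat in (payload if depth is None else payload[:depth])
                                 for pat, depth in SLAMMER_CONTENTS)

# Constructed stand-in for the worm datagram: 0x04 lead byte, 0x01 padding, then the
# rule's byte and string contents, padded to the 376-byte length seen in the captures.
FAKE_SLAMMER = b"\x04" + b"\x01" * 300 + bytes.fromhex("81F10301049B81F101") + b"socksend"
FAKE_SLAMMER += b"\x90" * (376 - len(FAKE_SLAMMER))
# Constructed Snort-style dump of a legitimate SSRP query (0x04 = CLNT_UCAST_INST followed
# by an instance name) from 10.13.3.61:1092 to 192.168.0.12:1434, checksums zeroed.
SSRP_DUMP = """\
0x0000: 00 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00 ..............E.
0x0010: 00 29 00 00 00 00 40 11 00 00 0A 0D 03 3D C0 A8 .)....@......=..
0x0020: 00 0C 04 44 05 9A 00 15 00 00 04 4D 53 53 51 4C ...D.......MSSQL
0x0030: 53 45 52 56 45 52 00 SERVER.
"""
```

The SSRP query shows why depth:1 on |04| alone would be a poor signature: a normal instance lookup starts with the same byte, and only the later content: tests separate it from the worm.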
The packets I captured are below. Note the common ASCII signature.
05/11-14:33:07.744419 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
10.13.3.61:1092 -> 192.168.0.12:1434 UDP TTL:113 TOS:0x20 ID:61068 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20 .`.0k...[.....E
0x0010: 01 94 EE 8C 00 00 71 11 8B AE 0A 0D 03 3D C0 A8 ......q......=..
0x0020: 00 0C 04 44 05 9A 01 80 63 09 04 01 01 01 01 01 ...D....c.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1 ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50 .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51 .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6 f..x.Q.E.P.E.P..
0x01A0: EB CA ..
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
05/11-14:53:48.630387 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
202.99.11.99:1231 -> 192.168.0.12:1434 UDP TTL:110 TOS:0x80 ID:26925 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 80 .`.0k...[.....E.
0x0010: 01 94 69 2D 00 00 6E 11 4B 31 CA 63 0B 63 C0 A8 ..i-..n.K1.c.c..
0x0020: 00 0C 04 CF 05 9A 01 80 9A 01 04 01 01 01 01 01 ................
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1 ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50 .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51 .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6 f..x.Q.E.P.E.P..
0x01A0: EB CA ..
05/11-19:12:48.180440 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
58.20.222.30:1297 -> 192.168.0.12:1434 UDP TTL:114 TOS:0x20 ID:9759 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20 .`.0k...[.....E
0x0010: 01 94 26 1F 00 00 72 11 48 33 3A 14 DE 1E C0 A8 ..&...r.H3:.....
0x0020: 00 0C 05 11 05 9A 01 80 57 53 04 01 01 01 01 01 ........WS......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1 ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50 .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51 .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6 f..x.Q.E.P.E.P..
0x01A0: EB CA ..
05/11-20:06:49.515800 0:9:5B:0:F3:DA -> 0:60:97:30:6B:C4 type:0x800 len:0x1A2
69.13.200.210:1269 -> 192.168.0.12:1434 UDP TTL:115 TOS:0x20 ID:42723 IpLen:20 DgmLen:404
Len: 376
0x0000: 00 60 97 30 6B C4 00 09 5B 00 F3 DA 08 00 45 20 .`.0k...[.....E
0x0010: 01 94 A6 E3 00 00 73 11 D0 C1 45 0D C8 D2 C0 A8 ......s...E.....
0x0020: 00 0C 04 F5 05 9A 01 80 61 C2 04 01 01 01 01 01 ........a.......
0x0030: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0040: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0050: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0060: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0070: 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 ................
0x0080: 01 01 01 01 01 01 01 01 01 01 01 DC C9 B0 42 EB ..............B.
0x0090: 0E 01 01 01 01 01 01 01 70 AE 42 01 70 AE 42 90 ........p.B.p.B.
0x00A0: 90 90 90 90 90 90 90 68 DC C9 B0 42 B8 01 01 01 .......h...B....
0x00B0: 01 31 C9 B1 18 50 E2 FD 35 01 01 01 05 50 89 E5 .1...P..5....P..
0x00C0: 51 68 2E 64 6C 6C 68 65 6C 33 32 68 6B 65 72 6E Qh.dllhel32hkern
0x00D0: 51 68 6F 75 6E 74 68 69 63 6B 43 68 47 65 74 54 QhounthickChGetT
0x00E0: 66 B9 6C 6C 51 68 33 32 2E 64 68 77 73 32 5F 66 f.llQh32.dhws2_f
0x00F0: B9 65 74 51 68 73 6F 63 6B 66 B9 74 6F 51 68 73 .etQhsockf.toQhs
0x0100: 65 6E 64 BE 18 10 AE 42 8D 45 D4 50 FF 16 50 8D end....B.E.P..P.
0x0110: 45 E0 50 8D 45 F0 50 FF 16 50 BE 10 10 AE 42 8B E.P.E.P..P....B.
0x0120: 1E 8B 03 3D 55 8B EC 51 74 05 BE 1C 10 AE 42 FF ...=U..Qt.....B.
0x0130: 16 FF D0 31 C9 51 51 50 81 F1 03 01 04 9B 81 F1 ...1.QQP........
0x0140: 01 01 01 01 51 8D 45 CC 50 8B 45 C0 50 FF 16 6A ....Q.E.P.E.P..j
0x0150: 11 6A 02 6A 02 FF D0 50 8D 45 C4 50 8B 45 C0 50 .j.j...P.E.P.E.P
0x0160: FF 16 89 C6 09 DB 81 F3 3C 61 D9 FF 8B 45 B4 8D ........<a...E..
0x0170: 0C 40 8D 14 88 C1 E2 04 01 C2 C1 E2 08 29 C2 8D .@...........)..
0x0180: 04 90 01 D8 89 45 B4 6A 10 8D 45 B0 50 31 C9 51 .....E.j..E.P1.Q
0x0190: 66 81 F1 78 01 51 8D 45 03 50 8B 45 AC 50 FF D6 f..x.Q.E.P.E.P..
0x01A0: EB CA ..
Notice that Snort gives us a full-length dump of the packet by default. This verbosity helps enable robust signature creation and detection. (More on that later.) Since the Win32:SQLSlammer worm propagates itself by generating "random IP addresses", the traceroutes below may simply lead back to more victims who have unpatched machines or who are botnet victims. Interestingly, several routers actually respond to my traceroute for the private IP address 10.13.3.61:
# traceroute 10.13.8.61
traceroute to 10.13.8.61 (10.13.8.61), 64 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.405 ms 0.334 ms 0.286 ms
2 * * *
3 68.87.207.113 (68.87.207.113) 11.558 ms 11.113 ms 12.196 ms
4 te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110) 10.639 ms 10.806 ms 15.992 ms
5 te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105) 13.841 ms 15.408 ms 15.311 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
# traceroute 202.99.11.99
traceroute to 202.99.11.99 (202.99.11.99), 64 hops max, 40 byte packets
1 192.168.0.1 (192.168.0.1) 0.496 ms 0.344 ms 0.376 ms
2 * * *
3 68.87.207.113 (68.87.207.113) 11.941 ms 11.272 ms 15.845 ms
4 te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110) 24.681 ms 10.952 ms 11.595 ms
5 te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105) 14.363 ms 19.869 ms 14.247 ms
6 pos-0-3-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.209) 13.914 ms 14.518 ms 14.792 ms
7 pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206) 19.672 ms 18.450 ms 19.496 ms
8 pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201) 32.156 ms 35.483 ms 31.574 ms
9 pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78) 33.493 ms 33.305 ms 34.754 ms
10 pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.50) 37.252 ms 37.343 ms 37.79 ms
11 75.149.229.42 (75.149.229.42) 36.697 ms 40.34 ms 36.615 ms
12 219.158.29.221 (219.158.29.221) 241.962 ms 242.456 ms 242.522 ms
13 219.158.5.133 (219.158.5.133) 242.769 ms 243.188 ms 242.885 ms
14 219.158.4.57 (219.158.4.57) 249.602 ms 249.813 ms 249.892 ms
15 202.96.12.30 (202.96.12.30) 261.865 ms 261.656 ms 261.901 ms
16 61.148.156.9 (61.148.156.9) 267.504 ms 266.695 ms 266.543 ms
17 61.148.156.166 (61.148.156.166) 267.896 ms 267.840 ms 272.820 ms
18 202.96.13.138 (202.96.13.138) 273.190 ms 272.447 ms 272.802 ms
19 211.154.209.162 (211.154.209.162) 234.590 ms 239.304 ms 234.552 ms
20 202.96.6.74 (202.96.6.74) 263.857 ms 265.102 ms 263.489 ms
21 Sh-Rtr-2-S3/0.sta.net.cn (202.96.6.130) 246.632 ms 255.336 ms 245.572 ms
22 * * *
traceroute to 58.20.222.30 (58.20.222.30), 64 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 0.352 ms 0.337 ms 0.288 ms
2 * * *
3 68.87.207.113 (68.87.207.113) 8.935 ms 9.63 ms 9.107 ms
4 te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110) 9.516 ms 9.785 ms 9.715 ms
5 te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105) 12.484 ms 12.145 ms 11.947 ms
6 pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213) 14.90 ms 14.66 ms 12.611 ms
7 pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206) 17.41 ms 16.51 ms 18.15 ms
8 pos-1-15-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.197) 29.443 ms 30.459 ms 29.458 ms
9 pos-0-8-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.78) 31.863 ms 31.426 ms 31.794 ms
10 pos-0-0-0-0-pe01.11greatoaks.ca.ibone.comcast.net (68.86.86.54) 35.808 ms 34.497 ms 35.363 ms
11 75.149.229.42 (75.149.229.42) 34.716 ms 64.27 ms 35.371 ms
12 219.158.29.213 (219.158.29.213) 247.202 ms 245.893 ms 247.260 ms
13 219.158.5.109 (219.158.5.109) 234.699 ms 234.229 ms 233.225 ms
14 219.158.9.102 (219.158.9.102) 239.58 ms 240.322 ms 240.992 ms
15 220.248.160.166 (220.248.160.166) 277.291 ms 275.978 ms 274.375 ms
16 58.20.222.30 (58.20.222.30) 245.299 ms 246.499 ms 245.847 ms
# traceroute -P ICMP 69.13.200.210
traceroute to 69.13.200.210 (69.13.200.210), 64 hops max, 60 byte packets
1 192.168.0.1 (192.168.0.1) 1.198 ms 1.158 ms 1.135 ms
2 * * *
3 68.87.207.113 (68.87.207.113) 8.636 ms 11.743 ms 8.967 ms
4 te-5-3-ur02.ferndale.wa.seattle.comcast.net (68.86.96.110) 9.764 ms 8.822 ms 9.405 ms
5 te-0-9-0-7-ar01.seattle.wa.seattle.comcast.net (68.86.96.105) 12.576 ms 12.828 ms 11.758 ms
6 pos-0-5-0-0-cr01.seattle.wa.ibone.comcast.net (68.86.90.213) 13.794 ms 12.422 ms 13.459 ms
7 pos-0-8-0-0-cr01.portland.or.ibone.comcast.net (68.86.85.206) 17.811 ms 16.782 ms 16.575 ms
8 pos-1-14-0-0-cr01.sacramento.ca.ibone.comcast.net (68.86.85.201) 33.718 ms 28.898 ms 30.359 ms
9 pos-0-9-0-0-cr01.sanjose.ca.ibone.comcast.net (68.86.85.181) 32.74 ms 32.334 ms 33.448 ms
10 er1-tengig3-4.sanjoseequinix.savvis.net (208.173.53.137) 35.790 ms 33.16 ms 32.538 ms
11 * cr1-tenge-0-3-5-0.sanfrancisco.savvis.net (204.70.200.198) 35.756 ms *
12 * * *
13 msr1-tengig0-0-0-0.dallas.savvis.net (204.70.196.202) 80.164 ms 81.798 ms 80.857 ms
14 er1-ge-3-0-6.dallas.savvis.net (204.70.202.61) 78.275 ms 75.309 ms 75.975 ms
15 federal-home-loan.Dallas.savvis.net (208.172.135.2) 76.970 ms 77.282 ms 77.882 ms
16 64.182.192.41 (64.182.192.41) 79.384 ms 79.456 ms 79.130 ms
17 210-200-13-69.cust.propagation.net (69.13.200.210) 76.181 ms 78.84 ms 77.538 ms
# geoiplookup 202.99.11.99 -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: CN, 22, Beijing, (null), 39.928902, 116.388298, 0, 0
# geoiplookup 58.20.222.30 -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: CN, 11, Changsha, (null), 28.179199, 113.113602, 0, 0
# geoiplookup 69.13.200.210 -f /usr/local/share/GeoIP/GeoLiteCity.dat
GeoIP City Edition, Rev 1: US, TX, Fort Worth, 76112, 32.749199, -97.220497, 623, 817