Geolocation of IP addresses in Wireshark

enable geolocation of IP addresses

I. Presentation

Today we are going to enable and use a very useful Wireshark feature: geolocation of public IP addresses using the MaxMind GeoLite2 databases.

This feature displays information about public IP addresses, so that you can see where a flow seen in Wireshark originates or where it is headed. Here is the information you can get:

  • ASN: the Autonomous System Number
  • The country
  • The city

Before continuing, here is the list of previous articles in this series on Wireshark:

II. Setting up databases

A. Prerequisites

Before downloading the MaxMind databases, check that your version of Wireshark supports this feature. MaxMind DB support has been available since Wireshark 2.6.

To check, launch the application, open the "Help" menu and click "About Wireshark".

View Wireshark Version

A new window opens; look for the text "with MaxMind DB resolver" in the build information. If it is missing, you will need a more recent version of Wireshark.

Wireshark compatible MaxMind DB Resolver

B. Downloading the databases

To download the MaxMind databases, you must create an account on their site (the GeoLite2 databases themselves are free).

Here is the link: MaxMind – Download GeoIP Databases

Once logged in, download the following three files:

  • GeoLite2 ASN
  • GeoLite2 City
  • GeoLite2 Country

For each database, you must select the "GeoIP2 Binary (.mmdb)(APIs)" format and then click "Download GZIP".

Download GeoIP Databases MaxMind

Repeat this operation for "GeoLite2 City" and "GeoLite2 Country".

Once the downloads are complete, you should have three tar.gz files like these:

GeoIP file downloads for Wireshark

NB: the date in the file name corresponds to the database update date.

Once the downloads are complete, I recommend copying the three files to a dedicated directory.

The last step before linking the databases to Wireshark is to extract the files with 7-Zip (or another tool that supports the tar.gz format). This has to be done twice per file.

After the first extraction, you should have three new ".tar" files.

Wireshark - GeoLite tar.gz decompression

Then repeat the operation on the ".tar" files. Each resulting folder contains a file with the ".mmdb" extension. Here is an example:

Wireshark - GeoLite - mmdb file

Keep the ".mmdb" files and delete everything else; the other files are just the source archives.

You should end up with the following three files: "GeoLite2-ASN.mmdb", "GeoLite2-City.mmdb" and "GeoLite2-Country.mmdb".

Wireshark - Example mmdb files
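For readers who would rather script the two-step extraction than click through 7-Zip three times, here is an added example (not code from the original article, and not a MaxMind tool) that pulls the ".mmdb" member out of each tar.gz, drops the dated folder and the licence texts, and checks that every file it writes really is a MaxMind DB by looking for the metadata marker that closes every such file. The archive names, the destination directory and the sample archives it builds for its own demonstration are assumptions; real downloads are used by passing their paths to extract_mmdb_files.

```python
"""Extract the GeoLite2 .mmdb files from the MaxMind tar.gz downloads.

Added example, not code from the original article: it does the two-step
7-Zip extraction described above in one go and checks that each file it
writes really is a MaxMind DB. Archive names and the destination directory
are assumptions for illustration.
"""
import io
import os
import shutil
import tarfile
import tempfile
import time

# Every MaxMind DB file ends with a metadata section that starts with this
# 14-byte marker. libmaxminddb looks for it in the last 128 KiB of the file,
# so a truncated download or a renamed text file will fail this check.
MMDB_METADATA_MARKER = b"\xab\xcd\xefMaxMind.com"
MMDB_METADATA_MAX_SIZE = 128 * 1024


def is_mmdb(path):
    """Return True if the file carries the MaxMind DB metadata marker."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        f.seek(max(0, f.tell() - MMDB_METADATA_MAX_SIZE))
        return MMDB_METADATA_MARKER in f.read()


def extract_mmdb_files(archives, dest_dir):
    """Copy every *.mmdb member of the given .tar.gz archives into dest_dir.

    Each member is written under its basename only, which drops the dated
    folder (GeoLite2-ASN_20240101/...) the archives contain and also means a
    hostile archive cannot use '../' in a member name to write elsewhere.
    COPYRIGHT and LICENSE texts are left in the archive.
    """
    os.makedirs(dest_dir, exist_ok=True)
    written = []
    for archive in archives:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile() or not member.name.endswith(".mmdb"):
                    continue
                target = os.path.join(dest_dir, os.path.basename(member.name))
                with tar.extractfile(member) as src, open(target, "wb") as out:
                    shutil.copyfileobj(src, out)
                if not is_mmdb(target):
                    raise ValueError(f"{member.name} in {archive} is not a MaxMind DB")
                written.append(target)
    return sorted(written)


def build_sample_archive(path, db_name, date="20240101"):
    """Write a constructed stand-in for one MaxMind download (test data only).

    A real archive holds a multi-megabyte database; this one holds a tiny
    file that ends with the metadata marker, plus COPYRIGHT and LICENSE
    files like the ones the real archives ship (and that we leave behind).
    """
    folder = f"{db_name}_{date}"
    members = {
        f"{folder}/{db_name}.mmdb": b"\x00" * 64 + MMDB_METADATA_MARKER + b"\xe0",
        f"{folder}/COPYRIGHT.txt": b"constructed sample, not MaxMind's text\n",
        f"{folder}/LICENSE.txt": b"constructed sample, not MaxMind's text\n",
    }
    with tarfile.open(path, "w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = int(time.time())
            tar.addfile(info, io.BytesIO(data))
    return path


def demo(root=None):
    """Build the three sample archives, extract them and report what came out."""
    root = root or tempfile.mkdtemp(prefix="geolite2-")
    names = ("GeoLite2-ASN", "GeoLite2-City", "GeoLite2-Country")
    archives = [build_sample_archive(os.path.join(root, f"{n}_20240101.tar.gz"), n)
                for n in names]
    # A download that was cut short: no metadata marker, so it must be rejected.
    truncated = os.path.join(root, "truncated.mmdb")
    with open(truncated, "wb") as f:
        f.write(b"\x00" * 64)
    dest = os.path.join(root, "mmdb")
    extracted = extract_mmdb_files(archives, dest)
    return {
        "files": [os.path.basename(p) for p in extracted],
        "valid": [is_mmdb(p) for p in extracted],
        "license_copied": os.path.exists(os.path.join(dest, "LICENSE.txt")),
        "truncated_is_mmdb": is_mmdb(truncated),
        "dest": dest,
    }


if __name__ == "__main__":
    # With real downloads: extract_mmdb_files(glob.glob("GeoLite2-*.tar.gz"), "C:/GeoIP")
    print(demo())
```

The marker check is cheap and worth keeping: Wireshark silently ignores a file it cannot open as a MaxMind DB, so a half-downloaded archive would otherwise show up only as empty GeoIP columns later.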

We can move on to the next step which is to integrate these databases into Wireshark.

C. Integration of Databases in Wireshark

Integrating the databases into Wireshark is very simple: you only need to tell it the directory where the files are stored.

Open Wireshark and go to the menu “Edit” then “Preferences”.

Wireshark - Edit Preferences Menu

A new window opens; click "Name Resolution", then click "Edit…" next to "MaxMind database directories".

Wireshark - MaxMind database directories

Another window opens, this time to enter the path to the database directory.

Click "+", then "Browse" to select your directory, and finally click "OK".

Wireshark - MaxMind Database Paths

Click again on “OK” in the preferences window.

Wireshark - Preferences Menu

That's it, the GeoIP configuration is complete!

NB: lookups are performed in the background by the mmdbresolve helper shipped with Wireshark, so on a large capture the GeoIP columns can take a moment to fill in; if they stay empty, reload the capture.

III. Using GeoIP functionality

A. Endpoints

To quickly see the location of public IP addresses in Wireshark, open the "Statistics" menu and click "Endpoints".

Wireshark - Statistics > Endpoints menu

The "Endpoints" window appears; click the "IPv4" tab.

Wireshark - Endpoint list

As you can see, four new columns have appeared:

  • Country: the country of the IP address
  • City: the city of the IP address
  • AS: the Autonomous System the IP address belongs to
  • AS Organization: the organisation that operates that AS

NB: GeoIP information is also available on the IPv6 tab. Private addresses (RFC 1918 ranges, link-local, and so on) have no entry in the databases, so their columns stay empty.

B. The GeoIP map

In the "Endpoints" window there is a new button at the bottom left labelled "Map". Click "Map" and then "Open in browser".

Wireshark - GeoIP map of endpoints

NB: Wireshark will use your default browser.

Your browser opens a map based on OpenStreetMap showing the number of IP addresses per location.

Wireshark - Map of public IP addresses

Double-click a value on the map to zoom in. Clicking an IP address then displays the same information as the columns of the Endpoints window.

Wireshark - Zoom in on the map of IP addresses

C. GeoIP in the packet details

GeoIP information also appears in the packet details, under the "Internet Protocol" header. To test it, click a packet in your capture that involves a public IP address, go to the packet details pane, expand "Internet Protocol Version 4" and scroll down to the "GeoIP" part.

NB: the GeoIP part may be shown for the source address, the destination address, or both.

Wireshark - GeoIP in packet details

Once the GeoIP databases are in place, the information therefore also appears in the Internet Protocol section (IPv4 or IPv6).

It contains the basic information (country, city, AS number and the organisation the IP address belongs to) plus GPS-style data: the latitude and longitude associated with the IP address. Keep in mind that these coordinates are the location MaxMind associates with the address block, not the position of the device itself.

D. Display filters

It is possible to filter a capture on GeoIP information; here are the useful filters to keep at hand:

  • Filter on the source or destination country: ip.geoip.country == "United States"
  • Filter on the source country: ip.geoip.src_country == "United States"
  • Filter on the destination country: ip.geoip.dst_country == "United States"
  • Filter on the country code, source or destination: ip.geoip.country_iso == "US"
  • Filter on an organisation (a company): ip.geoip.org == "GOOGLE"

NB: these comparisons are exact and case-sensitive, and the IPv6 equivalents use the ipv6.geoip prefix. Remember to consult our previous article on display filters in Wireshark to build your filters easily.
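During a post-mortem you often want the Endpoints table and these filters in a script rather than in the GUI. The following added example (not code from the original article or from the Wireshark project) reads the tab-separated output of a tshark run that exports the GeoIP fields and rebuilds the per-address table from section III.A plus the display-filter semantics from this section. The tshark command is an assumption: tshark shares the Wireshark profile, so it uses the MaxMind directory configured in the GUI, but the src_/dst_ AS field names are assumed from the naming pattern of the fields above and should be confirmed with `tshark -G fields | grep ip.geoip`. The sample output embedded in the block is constructed (documentation addresses and documentation ASNs), not real GeoLite2 data.

```python
"""Scripted equivalent of the Endpoints table and the GeoIP display filters.

Added example, not code from the original article. It reads the tab-separated
output of this tshark command (assumed; tshark shares the Wireshark profile,
so it uses the MaxMind directory configured in the GUI):

  tshark -r capture.pcapng -T fields -E separator=/t \
      -e ip.src -e ip.dst \
      -e ip.geoip.src_country -e ip.geoip.dst_country \
      -e ip.geoip.src_asnum -e ip.geoip.dst_asnum \
      -e ip.geoip.src_org -e ip.geoip.dst_org

The src_/dst_ AS field names are assumed from the naming pattern of the
fields in the article; confirm them with `tshark -G fields | grep ip.geoip`.
"""
from collections import Counter

FIELDS = ["ip.src", "ip.dst",
          "ip.geoip.src_country", "ip.geoip.dst_country",
          "ip.geoip.src_asnum", "ip.geoip.dst_asnum",
          "ip.geoip.src_org", "ip.geoip.dst_org"]

# Constructed sample output (documentation addresses and the documentation
# ASN range 64496-64511, not real GeoLite2 data). Private addresses have no
# entry in the databases, so their GeoIP columns are empty, as in tshark.
SAMPLE_TSV = (
    "192.168.1.20\t203.0.113.10\t\tUnited States\t\t64496\t\tEXAMPLE-NET-US\n"
    "203.0.113.10\t192.168.1.20\tUnited States\t\t64496\t\tEXAMPLE-NET-US\t\n"
    "192.168.1.20\t198.51.100.7\t\tBrazil\t\t64497\t\tEXAMPLE-NET-BR\n"
    "192.168.1.20\t192.0.2.44\t\tGermany\t\t64498\t\tEXAMPLE-NET-DE\n"
    "192.168.1.20\t192.168.1.1\t\t\t\t\t\t\n"
)


def parse_tshark_fields(text):
    """One dict per packet; empty tshark columns become None."""
    packets = []
    for line in text.splitlines():
        if not line:
            continue
        values = line.split("\t")
        if len(values) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(values)}: {line!r}")
        packets.append({k: (v or None) for k, v in zip(FIELDS, values)})
    return packets


def display_filter(packets, field, value):
    """Emulate `ip.geoip.<field> == "value"` for the fields in the article.

    A field with no src_/dst_ prefix (country, asnum, org) is Wireshark's
    combined field: it matches when either endpoint carries the value.
    Like Wireshark's ==, the comparison is exact and case-sensitive.
    """
    if field.startswith(("src_", "dst_")):
        keys = [f"ip.geoip.{field}"]
    else:
        keys = [f"ip.geoip.src_{field}", f"ip.geoip.dst_{field}"]
    unknown = [k for k in keys if k not in FIELDS]
    if unknown:
        raise KeyError(f"field(s) not exported by the tshark command: {unknown}")
    return [p for p in packets if any(p[k] == value for k in keys)]


def endpoints(packets):
    """Per-address rows like Statistics > Endpoints > IPv4 with GeoIP columns."""
    table = {}
    for p in packets:
        for side in ("src", "dst"):
            row = table.setdefault(p[f"ip.{side}"],
                                   {"packets": 0, "country": None, "asnum": None, "org": None})
            row["packets"] += 1
            for col in ("country", "asnum", "org"):
                row[col] = row[col] or p[f"ip.geoip.{side}_{col}"]
    return table


def endpoints_per_country(packets):
    """Distinct addresses per country, the kind of count the GeoIP map draws."""
    return Counter(row["country"] or "(unresolved)" for row in endpoints(packets).values())


if __name__ == "__main__":
    pkts = parse_tshark_fields(SAMPLE_TSV)
    for addr, row in sorted(endpoints(pkts).items()):
        print(f"{addr:<16} {row['packets']:>3}  {row['country'] or '-':<14} "
              f"{row['asnum'] or '-':<6} {row['org'] or '-'}")
    print(endpoints_per_country(pkts))
    print('ip.geoip.country == "United States":',
          len(display_filter(pkts, "country", "United States")), "packets")
```

The unresolved rows are the private addresses; in a real export they are the bulk of your own hosts, so the per-country count is only meaningful for the public side of each conversation.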

E. Columns

You can also add a column to the packet list with GeoIP information.

Let's take an example: adding the AS number as a column.

Go back to the packet details, at the "Internet Protocol Version 4" header, expand the "GeoIP" part, right-click the AS number field and choose "Apply as Column".

Wireshark - List of ASes in column

NB: remember to consult our previous article on customizing Wireshark to help you manage your columns.

IV. My feedback

The IP geolocation feature was useful to me during a cyberattack attempt, as part of a post-mortem analysis, to identify which country the attempt came from. Personally, it also let me notice an application sending statistics to Brazil.

V. Conclusion

This article on Wireshark's GeoIP functionality is over! Thanks to this feature, you have additional information that is very handy for analysing packets, and above all valuable when investigating a cybersecurity incident.

The next article will cover decrypting live HTTPS streams with Wireshark.
