Today we are going to activate and use a very interesting feature of Wireshark: the geolocation of public IP addresses via the MaxMind GeoLite2 databases.
This feature will make it possible to display information on public IP addresses, in order to know the origin or destination of a flow in Wireshark. Here is the information you can get:
- ASN: the Autonomous System number
- The country
- The city
Before continuing, here is the list of previous articles in this series on Wireshark:
II. Setting up databases
Before downloading the MaxMind databases, you must validate that our version of Wireshark is compatible with this feature. This feature is available since version 2.6 of Wireshark.
To check Wireshark compatibility, launch the application, open the “Help” menu and then click “About Wireshark”.
A new window opens; look for the text “with MaxMind DB resolver” in the build information. If it is missing, you will need to install a more recent version of Wireshark.
B. Downloading the databases
To download the MaxMind databases, you must create an account on their site (the download itself is free).
Here is the link: MaxMind – Download GeoIP Databases
Once authenticated, you must download the following three files:
- GeoLite2 ASN
- GeoLite2 City
- GeoLite2 Country
To download a database, you must select the format “GeoIP2 Binary (.mmdb)(APIs)” and then click “Download GZIP”.
Repeat this operation for the files “GeoLite2 City” and “GeoLite2 Country”.
Once the files are downloaded, you should have three files in tar.gz format like these:
NB: the date in the file name corresponds to the database update date.
Once the downloads are done, I recommend that you copy the three files to a dedicated directory.
The last step before linking the databases to Wireshark is to unpack the files with 7-Zip (or equivalent software that supports the tar.gz format). This has to be done twice per file, because each download is a gzip-compressed tar archive.
After the first extraction, you should have three new files with the “.tar” extension.
Then repeat the operation on the “.tar” files. Each resulting folder on your machine contains a file with the “.mmdb” extension. Here is an example:
Keep the “.mmdb” files and delete everything else, which is just the source archives.
You should end up with the following three files: “GeoLite2-ASN.mmdb”, “GeoLite2-City.mmdb” and “GeoLite2-Country.mmdb”.
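As an added example (not from the original article), here is a small Python script that performs the two-stage extraction in one step and checks that each extracted file really is a MaxMind database before you point Wireshark at it. The archive layout it expects (a dated folder containing the .mmdb) follows the article; the `build_sample_archives` helper is a constructed stand-in for the real downloads so the script can be exercised offline.

```python
import io
import os
import tarfile
import tempfile

# Every MMDB file ends with a metadata section that starts with this marker (MaxMind DB spec).
MMDB_MARKER = b"\xab\xcd\xefMaxMind.com"
EXPECTED = ("GeoLite2-ASN.mmdb", "GeoLite2-City.mmdb", "GeoLite2-Country.mmdb")

def extract_mmdb(archive_dir, dest_dir):
    """Copy the .mmdb member of each *.tar.gz in archive_dir into dest_dir; return paths written."""
    os.makedirs(dest_dir, exist_ok=True)
    written = []
    for name in sorted(n for n in os.listdir(archive_dir) if n.endswith(".tar.gz")):
        with tarfile.open(os.path.join(archive_dir, name), "r:gz") as tar:
            for member in tar.getmembers():
                if not (member.isfile() and member.name.endswith(".mmdb")):
                    continue
                # Basename only: drops the dated folder and stops any archive path escaping dest_dir.
                out = os.path.join(dest_dir, os.path.basename(member.name))
                with tar.extractfile(member) as src, open(out, "wb") as dst:
                    dst.write(src.read())
                written.append(out)
    return written

def is_mmdb(path, tail=128 * 1024):
    """True if the MaxMind metadata marker appears in the file's last 128 KiB."""
    with open(path, "rb") as f:
        f.seek(max(0, os.path.getsize(path) - tail))
        return MMDB_MARKER in f.read()

def build_sample_archives(archive_dir, date="20240101"):
    """Constructed stand-in for the downloads: a dated folder holding a tiny fake .mmdb per database."""
    os.makedirs(archive_dir, exist_ok=True)
    for base in EXPECTED:
        folder = f"{base[:-5]}_{date}"  # e.g. GeoLite2-ASN_20240101, as in the real archives
        payload = b"\x00" * 64 + MMDB_MARKER + b"\xe0"  # fake search tree, then metadata marker
        with tarfile.open(os.path.join(archive_dir, folder + ".tar.gz"), "w:gz") as tar:
            info = tarfile.TarInfo(f"{folder}/{base}")
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))

def demo():
    """Round trip on the constructed archives; returns (file names, all_valid)."""
    with tempfile.TemporaryDirectory() as tmp:
        arch, out = os.path.join(tmp, "downloads"), os.path.join(tmp, "geoip")
        build_sample_archives(arch)
        paths = extract_mmdb(arch, out)
        return [os.path.basename(p) for p in paths], all(is_mmdb(p) for p in paths)
```

With the real downloads, call `extract_mmdb("path/to/downloads", "path/to/geoip")` and point Wireshark's MaxMind database directory at the second path.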
We can move on to the next step which is to integrate these databases into Wireshark.
C. Integration of Databases in Wireshark
The integration of databases in Wireshark is very simple. First, we will specify the directory where the files are stored.
Open Wireshark and go to the menu “Edit” then “Preferences”.
A new window opens; click on “Name Resolution”. Then click “Edit…” next to “MaxMind database directories”.
Another window opens, this time asking for the path to the database directory.
Click on the “+” and then click “Browse” to specify your directory. Finally, click on “OK”.
Click again on “OK” in the preferences window.
That’s it, the GeoIP configuration is complete!
III. Using GeoIP functionality
A. The Endpoints
To quickly see the location of public IP addresses in Wireshark, go to the “Statistics” and then click “Endpoints”.
The “Endpoints” window appears; click the “IPv4” tab.
As you can see, four new columns have appeared:
- Country: the country in which the IP address is located
- City: the city in which the IP address is located
- AS: the Autonomous System in which the IP address is located
- AS Organisation: the organisation (company) to which this IP address belongs
NB: you can also find GeoIP information on the IPv6 tab.
B. The GeoIP map
In the “Endpoints” window, there is a new button at the bottom left titled “Map”. Click on “Map” and then click “Open in browser”.
NB: Wireshark will use your default browser.
Your browser opens with the map based on OpenStreetMap, and we see the number of IP addresses per location.
You can zoom by double-clicking on a value on the map. Then, if you click on an IP address, you can display the information found in the columns on the endpoints.
C. GeoIP and packet detail
GeoIP information is also shown in the packet details, in the “Internet Protocol” part. To test this, click a packet in your capture that contains a public IP address. Then go to the packet detail panel, expand the “Internet Protocol Version 4” header and scroll down to the “GeoIP” part.
NB: the GeoIP part may be shown for the source address, the destination address, or both.
Once the GeoIP databases are in place, this information appears in the Internet Protocol part for both IPv4 and IPv6.
It contains basic information such as the country, the city, the AS and the company to which the IP address belongs. In addition, we have “GPS coordinates” style information such as the longitude and latitude of the IP address.
D. Display filters
It is possible to filter a network trace via GeoIP information; here are the most useful filters, worth keeping to hand:
- Filter on a source or destination country: ip.geoip.country == "United States"
- Filter on the source country: ip.geoip.src_country == "United States"
- Filter on the destination country: ip.geoip.dst_country == "United States"
- Filter on the ISO code of a country, as source or destination: ip.geoip.country_iso == "US"
- Filter on an organisation (a company): ip.geoip.org == "GOOGLE"
NB: remember to consult our previous article on display filters in Wireshark in order to create your filters easily.
You can also add a column with GeoIP information to the packet list.
Let’s take an example: adding the AS numbers as a column.
Go back to the packet details at the “Internet Protocol Version 4” header, expand the “GeoIP” part, right-click the AS number field and click “Apply as Column”.
NB: remember to consult our previous article on customizing Wireshark to help you manage your columns.
IV. My feedback
The IP geolocation feature was useful to me during the post-mortem analysis of a cyberattack attempt, to identify which country the attempt came from. Personally, it also allowed me to withdraw the sending of statistics by an application to Brazil.
That concludes this article on Wireshark’s GeoIP functionality! Thanks to this feature, you have additional information that is very practical for analysing packets, and above all valuable in analyses related to a cybersecurity incident.
The next article will cover decrypting live HTTPS streams with Wireshark.