Discover Where Your Network Traffic Comes From With Wireshark and GeoIP

Cisco, Cloudera, Featured, Professional Development, Project Management, Routing & Switching, Technology, Training in Business

Would you like to see where the traffic is coming from that is getting onto your network? How about which autonomous systems or networks are trying to talk to your network? Would you like to be able to filter any of those fields? Wireshark lets you do just that for both IPv4 and IPv6 addresses. All you have to do is download the databases from MaxMind and configure Wireshark to use them. Here are the steps:

First you’ll need to download the databases. MaxMind distributes these for free and gets their information from ARIN. Be sure to download from the binary/gzip column, highlighted in red below. Wireshark cannot read csv files.

downloads
Once the files are downloaded, you’ll need to unzip them. Windows can’t unzip a gzip file natively, so you will have to use something like 7zip, Peazip or some other utility. Save the files in a logical place such as c:usersadminwiresharkgeoip. You’ll want to update the files monthly; as that is how often MaxMind updates the database. The IPv4 space may be pretty stable, but the IPv6 space changes often.

Now you’ll change the configuration of Wireshark to use the GeoIP data. Go to Edit | Preferences | Name Resolution | GeoIP Database Directories | Edit. Click New, then the dropdown for GeoIP Database Directory: and select Other. In the Location bar, type in the complete path to where your files are, c:usersadminwiresharkgeoip for example.

Capture packets where at least one address is from the outside world, and you should now be able to see where the addresses are registered. Each of new fields can be filtered so you can see where traffic is coming into your network from. My favorite is ip.geoip.src_country != “United States.” This filters in all traffic that came from somewhere besides the United States.

header

Notice the Latitude and Longitude are listed. They map to the city in the record. They also can be used for a map in statistics. Go to Statistics | Endpoints |IP(or IPv6) and select Map. The map is perfect for documentation, or to show to management when proving the latest security flaw is based any given country.

map

Adding GeoIP databases to Wireshark is just one of the many things you can do to make Wireshark more powerful. Not bad, considering it is an open source tool. I guess that is why it is one of the most popular at more than 500,000 downloads per month.

Related Course
Troubleshooting TCP/IP Networks with Wireshark

Please support our Sponsors here :