Wouldn't you like to be able to take all the IPs that you see in your pcaps and identify where they're coming from, and even have Wireshark drop all of those locations on a map? This feature within Wireshark is super useful, especially when we're doing forensics for cyber security. But what do we need to do it, and how can we configure it? Let's find out.

All right, so to be able to enable the GeoIP feature within Wireshark, first we have to download the databases from MaxMind; these are the GeoIP databases. So all we've got to do is head out to the website (I have this linked in the description down below) at maxmind.com. We do have to set up an account, and that will allow us to download the free GeoIP2 databases. Once you set up that account, there are three databases that you're going to download: the GeoLite2 Country, City, and Autonomous System Number (ASN) databases. Once you get those downloaded, you can put them into a folder somewhere on your system and go ahead and unzip them.

Just to show you what mine looks like: here I have those three databases in this folder, so Autonomous System Number, City, and Country, and I have the databases that are from September 8th, 2021. So it's pretty recent; at least I can reasonably expect that those IP addresses haven't changed too much. Oh, well, he must be really interested in GeoIP too. Once we have those databases extracted into a folder on our local system, now all we have to do is point Wireshark to those databases. Let's see how.

OK, so first I have to go up to Preferences. Now, if you're on a Mac system, this is going to be under the Wireshark menu, and if you're on Linux or Windows you're going to find it under the Edit menu: Edit > Preferences. I'm on a Mac system, so I'm going to go to Wireshark > Preferences. Once I'm here, I come down to Name Resolution, and down at the bottom of Name Resolution I can go to MaxMind database directories. I'm going to hit Edit, and this is where I point Wireshark to the folder that contains those three databases. To do so, all I have to do is click the plus (add) button, point it to that folder, and then hit OK. I guess my cat's really interested in databases too.

So now that I have Wireshark set up to see those databases, if I come to any packet coming in from the outside world that has a public IP address, what I can do is come down to the detail view, and if I expand IP, this is where I can come down to the source address. Now what I'll see is that I have the source IP, and I can see where this is coming from from an autonomous system number, country, and city perspective. So here I see Moscow, Russia, and I even have latitude and longitude coordinates.

Once I have this enabled, I can go up to Statistics and come down to Endpoints. This is where this feature within Wireshark gets pretty exciting: I have Country, City, and Autonomous System Number columns, and down in the lower left I can even come down to Map and "Open in browser". So now I can see the locations physically on a map, where all of these IPs are coming in from. This can be very useful, especially when I'm looking at a cyber attack, or maybe I'm being enumerated, people are scanning my network, and I can see where they're coming from in the world. Now, I do have to take this information with a bit of a grain of salt. Remember that the data is from that fixed date, September 8, 2021, so if there have been any changes since then, they wouldn't be reflected here. However, that's why I go back to MaxMind pretty frequently, to make sure I have the latest free databases. So I'm going to close that and go back to my packets.

So what I can do now is use the information from GeoIP to set filters for specific traffic patterns. For example, if I wanted to see all traffic coming to and from Moscow, just because that's the packet that I happen to be on, I'm going to come up here to Prepare as Filter > Selected, and notice that I have ip.geoip.src_city == "Moscow". Now I can put any city that it recognizes there, and I could set a filter for this, and if I wanted to, I could even add this as a filter button and always have that for quick reference later. So I could filter on autonomous system number, on country code, and I could also filter on the name of a city. This is a very useful feature in Wireshark to know about, especially when we're doing network forensics with Wireshark. Thanks for stopping by; I'll see you on another video.
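The same ip.geoip.* fields that the video filters on in the GUI are available to tshark, which reads the MaxMind directory from the same Wireshark preferences. The following is an added example, not code from the video: it turns tshark's per-packet GeoIP fields into a per-country triage summary (packets, distinct source addresses, and the ASNs seen), which is what you want when you suspect you are being scanned from many hosts. The capture file name, the `geoip_summary` function and the sample lines are assumptions; the sample uses RFC 5737 documentation addresses and RFC 5398 documentation ASNs with made-up geolocation so that it runs offline.

```shell
#!/bin/sh
# Added example (not from the video). Real pipeline, once the MaxMind
# directory is set under Preferences > Name Resolution (assumed file name):
#
#   tshark -r capture.pcap -Y 'ip.geoip.src_country_iso' -T fields \
#     -e ip.src -e ip.geoip.src_country_iso -e ip.geoip.src_city -e ip.geoip.src_asnum \
#     | geoip_summary
#
# geoip_summary reads tab-separated "src_ip country_iso city asn" lines on stdin
# and prints one line per country, sorted by packet count:
#   country<TAB>packets<TAB>distinct_sources<TAB>asns_seen
# Lines without a country (private/RFC 1918 sources have no GeoIP data) are skipped.
geoip_summary() {
    awk -F '\t' '
        NF >= 2 && $2 != "" {
            pkts[$2]++
            # count each source address once per country
            if (!(($2, $1) in seen)) { seen[$2, $1] = 1; srcs[$2]++ }
            # collect the distinct ASNs per country in first-seen order
            if ($4 != "" && !(($2, $4) in seenasn)) {
                seenasn[$2, $4] = 1
                asns[$2] = (asns[$2] == "" ? $4 : asns[$2] "," $4)
            }
        }
        END {
            for (c in pkts) printf "%s\t%d\t%d\t%s\n", c, pkts[c], srcs[c], asns[c]
        }' | sort -t "$(printf '\t')" -k2,2nr -k1,1
}

# Constructed sample in exactly the column layout the tshark command above emits.
# Not captured from any real network; geolocation values are made up.
sample_lines() {
    printf '%s\t%s\t%s\t%s\n' \
        203.0.113.7  RU Moscow  64496 \
        203.0.113.7  RU Moscow  64496 \
        203.0.113.9  RU Moscow  64497 \
        198.51.100.4 US Ashburn 64498 \
        192.0.2.55   US Seattle 64498 \
        192.0.2.55   US Seattle 64498 \
        192.0.2.55   US Seattle 64498 \
        10.0.0.5     ''  ''      ''
}

sample_lines | geoip_summary
```

The distinct-source column is the one to watch: a country with a few packets from many different addresses looks like distributed enumeration, whereas many packets from one address is a single noisy host. As the video notes, the result is only as current as the GeoLite2 files on disk, so refresh them before drawing conclusions from the country or ASN columns.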