Setting up Geolocation Services
By Phill “Sherlock” Shade
Geolocation information can provide valuable insight into pcap files, greatly simplifying analysis. A frequent question I have received is “Can we perform Geolocation within Wireshark?” The short answer – Yes, we can! However, the longer answer requires us to configure Wireshark and obtain the actual Geolocation information (in the form of Databases) from an external location. While the configuration process itself is fairly simple, as with several other features within Wireshark, the location of the Geolocation feature is not readily apparent.
A word of caution, though: Wireshark itself does not track the location of addresses, but instead relies upon externally provided Databases. Therefore, the Geolocation process will only be as accurate as the Databases themselves.
- Create a new Folder named “GeoIP”:
(Note – This will be the default location for the Geolocation Database files so it is recommended to keep the path simple and direct)
- Download the current Geolocation Database files:
(Note – These files are procured from: www.maxmind.com as shown below and their location within the website changes frequently, so it might require some searching to locate them)
- Install the Database files into the previously created GeoIP folder:
- Select “Edit -> Preferences -> Name Resolution” and follow the steps shown below:
- Load the pcap file and select “Statistics -> Endpoints -> IPv4 / IPv6”:
(Note – You can also locate the Geolocation information within a given packet as shown)
(Note – Consider making a “Custom Column” to display this information in the “Packet View” pane as well)
- A previously used feature that had been removed in earlier versions of Wireshark has been restored in the Wireshark 3.x series. The ability to plot IP addresses on a geographic display is useful in confirming that the actual data flow matches expectations as well as identifying suspicious activity.
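The same configuration can be scripted for use with tshark, which is handy when the GeoIP check has to run unattended (for example over a batch of captures). This is an added example, not part of the original post. It assumes Wireshark 3.x with tshark on the PATH, GeoLite2 .mmdb files (the MaxMind format Wireshark 3.x reads) placed in the GeoIP folder from the steps above, and a Linux profile directory of ~/.config/wireshark; the variable names and the helper functions are my own.

```shell
#!/bin/sh
# Added example: scripts the GUI steps above (register the GeoIP folder,
# verify the databases, list endpoints with their country/city).
set -eu

# Assumed locations; override with environment variables if yours differ.
GEOIP_DIR="${GEOIP_DIR:-$HOME/GeoIP}"
WS_PROFILE="${WS_PROFILE:-$HOME/.config/wireshark}"

# Wireshark stores the "MaxMind database directories" preference as a UAT
# file named maxmind_db_paths in the profile directory, one quoted path
# per line. Writing it directly is equivalent to adding the folder under
# Edit -> Preferences -> Name Resolution.
register_geoip_dir() {
    dir="$1"; profile="$2"
    mkdir -p "$profile"
    printf '"%s"\n' "$dir" > "$profile/maxmind_db_paths"
    cat "$profile/maxmind_db_paths"
}

# Wireshark simply shows no location when a database is absent, so check
# the expected GeoLite2 files are present before blaming the capture.
# Prints one line per database; exit status is the number missing.
check_databases() {
    dir="$1"; missing=0
    for db in GeoLite2-Country.mmdb GeoLite2-City.mmdb GeoLite2-ASN.mmdb; do
        if [ -f "$dir/$db" ]; then
            echo "found: $db"
        else
            echo "missing: $db"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Command-line counterpart of Statistics -> Endpoints -> IPv4 with the
# GeoIP columns: one line per (src, dst) pair with country and city,
# counted and sorted by packet count. The ip.geoip.* fields are the
# same ones the “Custom Column” tip above would display.
geoip_endpoints() {
    pcap="$1"
    tshark -r "$pcap" -T fields -E separator=, \
        -e ip.src -e ip.geoip.src_country -e ip.geoip.src_city \
        -e ip.dst -e ip.geoip.dst_country -e ip.geoip.dst_city \
        | sort | uniq -c | sort -rn
}

if [ "$#" -ge 1 ]; then
    register_geoip_dir "$GEOIP_DIR" "$WS_PROFILE"
    check_databases "$GEOIP_DIR" || echo "warning: some databases are missing"
    geoip_endpoints "$1"
fi
```

Run it as `sh geoip-endpoints.sh capture.pcap`; without an argument it only defines the functions.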
I hope that you found this information useful! This technique and many others are covered in our class:
“TCP/IP Analysis and Troubleshooting with Wireshark”. For additional information on this class and our numerous other offerings, please see our website:
https://www.cybersecurityinstitute.eu/ and look under the Courses Menu.