Wireshark is a very powerful tool for capturing and analyzing network traffic. Being a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006. It is available on Linux, Windows and Mac.
Download Wireshark: https://www.wireshark.org/
What is IP Geolocation?
A public IP address is in most cases allocated to certain IP blocks per country, company or other entity who has bought an IP address/block. These entities are often registered in specific cities. This means that we can use IP addresses to figure out where the device connecting with that IP is located. To a certain extend that is. Unlike a coordinate, the geographical location of an IP address, is based on the information it is registered with.
When geo-locating an IP address, your results will be based on where the holder of that IP address is registered. Which most likely is the country and city where that entity resides. This makes IP Geolocation fairly accurate in most cases.
Why use IP Geolocation?
Besides angry teenagers in Discord servers and videogames, trying to dox fellow players or send a SWAT team to their house. IP Geolocation is very useful when troubleshooting certain network issues.
Say for example you have a customer who’s SaaS application sometimes times out. They operate in different parts of the world, so you serve their content over a CDN or VPN… But despite that they experience delays and timeouts. Running Wireshark using a ring-buffer to capture the issue, allows you to find the IP’s serving content too slow, or not at all. To then figure out where these addresses are based, or to really make sure all that content is being served over your CDN or VPN. You can enable Wireshark to display a map with all connecting IP addresses. This allows you to identify where in the world this slow traffic originates, and mitigate accordingly.
This is of course a very specific example, to which Wireshark Geolocation is not limited to. We can see application in verifying GDPR compliance claims, spot other third party processing, map ad-networks, troubleshoot VPN issues and the list goes on.
How do I get this setup?
So first of all you’ll need Wireshark. Completely free to download and a must-have in the toolbox of anyone remotely interesting in networking. Install Wireshark and come back once it’s up and running, do not forget to install the actual capture tools.
Download Wireshark: https://www.wireshark.org/
Head over to MaxMind, login or create an account first. Maxmind has a lot of excellent paid services, but we’re here for the free stuff, no need to pay anything.
After logging in, head over to the Downloads sections. Grab all three databases in ZIP/Archived format: GeoLite2 ASN, GeoLite2 City, GeoLite2 Country.
Extract all three archives and place the database files in a persistent location in your filesystem. Preferably somewhere it doesn’t get deleted by accident. Make sure all database files are in one folder.
Open Wireshark and click “edit” -> “preferences” -> “name resolution”. There you can edit the MaxMind Database Directories. Add the path to the folder where you just saved those databases. Click “OK” and click “OK” again to save.
Now time for some magic. You may already have a PCAP (Packet Capture) file ready, or do a capture right now. In the Wireshark start screen (right after opening Wireshark), select the interface that shows actual traffic going around and hit the blue shark fin button in the left top. If you do not have any interfaces available that show traffic, you probably need to open Wireshark as an administrator on Windows, or run “sudo wireshark” from your Linux terminal. At the end of the capture, hit the red button in the left top of the capture screen.
Excellent stuff! Now that we have our capture, click “statistics” -> “endpoints” in the top navigation bar.
Select “IPv4” (or IPv6 if you want to see that traffic). In the right bottom, click “map” -> “open in browser”. If nothing opens in the browser, use “save as” instead and open the file locally.
And there you have it! A beautiful interactive map where you can see where the IP addresses in your PCAP connect to. The items are clickable and will give you some extra information:
– IP address
This should help identify traffic and visualize problems related to latency, how far traffic has to travel, if traffic comes from the right source and many more things.
BONUS: If you are not a fan of manually downloading new GeoIP databases every week. There’s a project on Github that will automatically update your Maxmind databases.
Head over to: https://github.com/maxmind/geoipupdate/releases
They offer just about any type of installer you might want. Though my test was on Fedora Linux, being very easy to install. Downloaded the RPM package and installed without any problems.
I’ll be doing more Wireshark articles and tutorials in the future. It’s a tool I use almost daily and I believe most people don’t use 10% of everything this fantastic free software is capable of. Thank you for reading and until next time 🙂