One of the many features Wireshark provides is the name resolution for various protocol layers, and I have to admit that – at least for me – some of them are really helpful while others (well, one of them, to be more specific) annoy the hell out of me. I really like MAC layer resolution, and often I enable network layer name resolution, but I really do not like protocol name resolution. Oh, and then there is GeoIP resolution, which is really helpful in some cases as well, but it takes a little time to set it up.
The idea behind GeoIP resolution is that you can see where an IP address is located and who the provider of that address is. It is very helpful in cases where you need to find out where packets are coming from or going to, and I had one case of a DDoS attack where GeoIP helped to tell that the source of the packets must have been spoofed since they seemingly arrived from all over the world:
With the help of the “Map” button at the bottom you can open a web browser that will present a world map with the originating addresses on it, as shown in the following screen shot. It doesn’t look like much since it only contains addresses taken from a short sample trace, but with the original traces of that attack the whole map would more or less be covered in dots:
Enable GeoIP in Wireshark
GeoIP resolution requires you to download a couple of database files first. I usually use the ones available for free at MaxMind. They’re not as exact as the ones they provide for paying customers, but usually they should be good enough in most cases. Download the gzipped files for “country”, “city” and “ASN” and unpack them in a directory of your choice. If you run Windows and do not have a tool that knows how to unpack gzipped files you might want to take a look at 7Zip – it’s free, too. You should end up with 3 or 6 .dat files, depending on whether you only got the IPv4 databases or also downloaded the IPv6 files.
To add a new directory, press the “New” button. This will open a small new dialog box where you can select the path you unzipped the files into. In my experience this can get a little tricky because it doesn’t always get you where you want to go, so I usually select the “Other” option at the bottom to browse to the directory in a more comfortable way:
That’s all for now, have fun tracking IP locations!