Map IP Address Locations with Wireshark (Using GeoIP)
ฝัง
- เผยแพร่เมื่อ 7 ก.ย. 2024
- Where is an attacker coming from? Using wireshark and GeoIP databases, we can map out IP locations (unless they are spoofed of course) to a browser with a click of a button. How?
First - you have to register and download the GeoIP Lite Databases (Free):
dev.maxmind.co...
Then, point Wireshark to the databases, look up endpoints, then toss them out to a map. Boom! You're done.
Like this video? Then show it! Please smash like and share it with all your IT buddies. That really helps me out.
Other links n' stuff:
== More On-Demand Training from Chris ==
▶Getting Started with Wireshark - bit.ly/udemywi...
▶Getting Started with Nmap - bit.ly/udemynmap
== Live Wireshark Training ==
▶TCP/IP Deep Dive Analysis with Wireshark - bit.ly/virtual...
== Private Wireshark Training ==
Let's get in touch - packetpioneer....
Special thanks to my cat, Pepé for his video-bomb!
![[LIVE] : ONE ลุมพินี 78 | คู่เอก "ปกรณ์ vs ฟาบิโอ"](http://i.ytimg.com/vi/LSOmgl0Th2c/mqdefault.jpg)
Very comprehensive & informative, easy to understand/follow. What was initially a intimidating tool, you managed to make it easily accessible. Excellent flow, I was so impressed and did not want to miss out on anything (FOMO!), that I took the entire course 3x's!! Thanks you so much!
We need to continue these videos Chris, they really helped us out. Thank you.👏😄
Thanks a lot for your wireshark masterclass! Really great content, the exact right deepth and very well explained! Please consider to continue this series!
Thank you!!
I started studying for my ccna 3 weeks ago. 1 week in I found your channel and been watching you ever since. Great content. Not sure if it applies to my ccna but still love learning about TCP/IP. Much appreciated 👍
Awesome! Go get that CCNA!
Dear Chris I'm so happy I found you through David Bombal. You guys have really help me a lot in my studies. Thank you so much for providing all these very useful materials. Love from Sierra Leone❤️
Great to have you here on the channel! Thank you for the comment and take care.
Dear Chris - I just went through the quick 10 video's of your's on wireshark and I must say that you have taught me a lot in TCP packet analysis. Many thanks. Keep up the good work and GOD bless you.
Wow, thanks!
This did not work for me at first, so I shut down wireshark and restarted it. Works beautifully. Thank you very much.
Sorry to hear that. Can I ask where you got stuck? Did you unzip the files into a folder, then add the folder (not the files) to Wireshark? Latest version of Wireshark?
I get a lot of questions about finding a computer’s location using the IP address. It seems the biggest challenges to locating a computer is NAT’ing and VPN usage.
Thanks again for your great work.
Yes, exactly. But at least if we see some public IP's we can have an idea of where they are coming from. Thank you for the comment!
I was thinking the same. I usually used IP's from Europe and south America.
Man, u r really oooosssmmmmmm. First things first your voice is really soothing, your way of expalaing concepts is great. U r covering topics that aren't even covered in expensive courses. Info tech field requires more people like u, informative, calm and great teacher
Thanks for the feedback!!
I just binged this whole series. Thank you so much
Awesome! Glad you liked it!
This series is great. Thank you very much for making it. Suggestion: Ideally you want a cheat cheat to go with each lesson for quick reference so you don't have to look through video when you forget where something is..
I like the idea! Thank you.
I suppose real hackers would never use a server inside their city and country to perform attacks though...
The cat is so nice) Thank you for your videos and kindness.
Yeah we first have to assume the IPs are either spoofed or proxied. But this can point us to some low-hanging fruit.
Thank you for this series, this will help me greatly in my cybersecurity goals.
Wow! I stepped through your video and whilst my screen (Win 10, WS v 3.6) did not reflect what was showing on yours, a little tinkering on my part and blammo, there it was.
Thankyou very much for the thorough explanation.
Nice! Glad it worked for you.
Thank you, great content!!
It is always nice when a cat comes to participate in the video 😇
Trying to get him back onscreen soon. 😀
Unfortunately the tar.gz and csv formats are not working for me and the .mmdb implementation seems more involved than what appears in this video. I'm running windows 10.
Update: If anyone else is having trouble like me just know that the tar.gz file has to be unzipped 2 times before you get to the .mmdb files.
i am having that exact problem. please explain and I'll sub.
@@bigolboomerbelly4348 unzip once, then a second time. Then you will see the .mmdb files.
Windows 10 also. I downloaded GZIP EDITION ID: GeoLite-ASN but it doesn’t give me the option to unzip, saved them to a local folder I named “wireshark stuff” not sure if that matters, please help ! Ps brand new to wireshark & all this computer stuff
This video helped me to complete my assignment. Thanks man
This is awesome. I use wireshark every day and did not know about this. Too cool. Thanks for sharing!
Hey Chris, can u make a videos how to include the country clumn?
I didn't get an email from maxmind, and i couldnt folow , but I watched the masterclass tutorial to the end
I performed all the steps. but Geo Ip doesnt appear in Endpoint
Amazing!! This really help give all this data a better understanding for novices like me on wireshark capturing.
Hi Chris, great content. Please don't stop posting this kind of content. Not sure why my setup did not work also I followed the instructions but had no luck.
Thanks for the comment. Hmmm… upgrade Wireshark? Restart it? Make sure you point Wireshark to the folder with the mmdb files, not to the files themselves.
These are great tutorials thanks for your time and effort.
Glad you like them!
Very Useful feature and it is easy to set up! Thank You for showing us how to set this up.
Glad it was helpful!
This is an awesome feature, thanks for sharing!
It really is! I use it quite a bit.
Thank you for the content, and for letting kitty participate!
Hi Chris , thank you for the informative tutorial ..I tried to use the geo location feature but it seems country and location tab removed from endpoint section in version above 3.6.8 above as it shows RX , TX packets/byes only tried in windows and Linux same result.
for me the city/country tabs showed up no lat/long and no data!
Hello Chris, I really appreciate all your classes. I actually tried doing it your way this time using Maxmind exactly the same way that you did to get those ip location but I didn't find any, pls what could be the reason.
Thank you very much proffessor Chris. This is a great toturial for us
Glad you liked it!
Thanks for the tips. It works well for me on Windows PC with WS 3.6.1
Thanks for the comment!
We love the cat!
thank you @Chirs Geer for the Wireshark masterclass sessions. Your content is great. I will look forward to future session with latency in TCP and jitter in UDP. I love your cat :) seems like (he/she) wanted some "shark"fish for snacks :D
Awesome, thank you!
which is good, downloading Geolite files in binary format or in CSV format?
Nice feature in Wireshark! Thanks for sharing with us!
thanks for the comment!
That’s pretty cool. Also, the cat is a nice touch.
Thanks!
The geo files were SHA256 and GZIP. I had no clue what to do with them on a Windows device or how to extract files like that.
Yet again a fantastic video!!!
Thank you for sharing the knowledge!
My pleasure!
Sir i have learnt the best advice from you..but i wish to know exact location with the IP address so How do i find out the details so please you can take any video on this issue ..
I hopefully you can give the reply to my message
Thank you! Once again another very useful and awesome tutorial.
Thanks, that was awesome. Very clear. Got it setup and working :) Think this will be useful.
Nice work
3:52 cat is like : this guy crazy again, talking to objects ... need to sit with him and make sure he does not harm himself 😾
I think you're right - my cat was like "He's gone crazy!"
@@ChrisGreer Awesome tuts man, went from 0 to feeling like a little expert, def gonna watch the 1h ones also
Is Maxmind just taking this data from the WHOIS record for the IP registry?
Hi Chris, I just followed all steps but Whireshark is not allowed to open the files: when I click plus so add so point to that folder, Wireshark don’t see them, they are grey.
Why?
I have a macbook
while i'm opening the map it shows blank page only.
i'm using linux system.
i've configured databases too..
it actually works! thankyou, but after using it for a couple of days i tried the same procedure.. but instead showing the map after clicking on 'open in browser' it opens a notepad, how do i fix this ?
Subscribed 'just' for the cat,,, he is just like mine,,, very interested in databases,,, ;-) an the food I gave him to let me work ;-))
Nice tip, Thank you. I'm going to try it right now.
Awesome! let us know how it worked.
I did the same process like you but it is not working, can anyone help me to resolve this problem.
This is useful for cases where you get a call that starts like "hello sir this is jon peters from microsoft"
Haha... totally.
is it necessary to download geolite in order to find the location of IP address?
Thanks lot. for this Knowledge
im not sure what files to download on maxmind, ive downloaded some zips but they dont seem to be workinbg, d i need to open the,
when i download the database? which type do i choose? CSV??
dear Chris your viedo is very usefull for me .. but I need how to export this ipmap.html file using TSHARK cmd .. not in GUI mode ..pls tell me ..
the map feature is not working in my wireshark maybe version issue or something else i am using wireshark 4.0.3 and maxmind database is working fine but map is not working after clicking show in browser any one knows about this
Will you do more of these wireshark classes? say an advanced troubleshooting for pissy clients blaming the storage solution for their garbage network, vpn, or whatever? =D
Hi Chris, I have a problem with the map that can be exported from the endpoint statistics. I have Ubuntu as OS and Wireshark always runs there with root rights. The exported ipmap.html file is then also stored as root user and group. Therefore, I cannot open the file with my Chrome browser. I have already tried to change the user and group of the ipmap.html to my default user, which worked and I can now open the file, but I only see a white background without a map.
The map cannot be opened directly from Wireshark either.
Do you or anyone else know what to do?
Hi Chris first happy New year sir, realy i was about to ask u this u are Just a GOd gift sir thx
Is there away to narrow the search even further say to a physical address? ie coffee shop or home address?
Wow, that's really cool!! Thanks Chris!!
Glad you liked it!
great stuff and tool
Great stuff.
Hey Chris. Thanks for this amazing lessons. I just want to quickly ask, Does VPN hide the real address from Wireshark mapping for the Geolocation?
It depends on where the capture is taken. Outside or inside tunnel?
@@ChrisGreer Thank you Chris
Cool feature. I wasn't aware of it before. Next time please introduce your cat😼
I will! I put his name in the description, but I will do a proper intro next time. 😀
if they're using a vpn we're taking the vpn's ip or the persons's ip?
Thanks a lot for sharing this great information.
Glad it was helpful!
Thank you very much
mine map button is faded , how to resolve it?
Great tutorial, thanks!
Glad it was helpful!
Hello, thank you for posting those videos! But I have a question regarding geoip. Is there any tool or method to identify top 3 source ip countries in wireshark?
Yes! Statistics - Endpoints - sort on bytes to get top talkers. Look at top three country codes.
@@ChrisGreer Thank you so much!
@@ChrisGreer What if there are single packets from different ips being sent? how to identify the top countries then?
I would use tshark to do that. Read the file in, show the unique country codes and the number of incidents per code. Sort column, top three are your answer. Here is a video of generally how to do this - you would just need to export the GeoIP country code instead of the User Agent as shown in the video. th-cam.com/users/shortsT-PaBudIrUI?feature=shared
Nice feature, thanks!
Thanks for the comment Alex.
Simply great, thanks a million.
You bet - thank you for the comment.
Hi Chris, i'm using ubuntu 22.04 but it's not working! do you have any updates about that?
Thank you anyway for introducing cool stuffs.
Hi Chris...The geo location thing is not working for me. I extracted the zip files and placed the three files in a single folder. The file type shows "MMDB File" however in your video your file type was "Document". DOes that make any difference? else why is the source GeoIP missing in my feed? My Wireshark Version 4.2.1 (v4.2.1-0-gcfe37f471da9).
Really awesome! Thanks
Hey Chris, love your videos keep up the good work.
I see you have some great custom wireshark profiles
Could you share all your wireshark profiles with us so we can download them?
Hello Pim, sure! I am working to get them posted on my website. I'll get them out to you guys soon!
Funny. If you watched his other videos, he says he never gives his capture filters out. Need to customize to your preference on troubleshooting.
much thanks
Thanks :) Another useful video :)
Thanks for the comment @BlueSpaceship
i live in syria i cant make account on maxmind bcs its banned here what i can do and thank you
I don't know why the Wireshark crashed when I click on (three dots ...) in Max Mind Database Path, I'm facing this issue for a months now also I tried to uninstall and download new one, but same issue
Hey Saeed, I see that when I touch the three dots two, ever since I upgraded to a Mac M1. I had to manually put the folder path in the bar instead of using the three dots. That made it work.
Which version of Wireshark is this?
Hi Chris ... really appreciate you sharing knowledge like this. This is awesome! I just have one question ... the Map does not seem to be displaying on any of my browsers. I tried to view it two ways ... through the Wireshark Endpoint window by clicking "Map --> Open in Browser" and by "Save As ...". Either of those files created, I changed the permissions from 600 to 666 and still did not display. Any suggestions? Again, thank you for doing what you are doing ... 🙂
Nevermind ... it seems to be a Debian/Kali issue ... corrected it with ... sudo apt install libjs-leaflet libjs-leaflet.markercluster ... again, thank you for sharing your knowledge!
Chris, hi. Maybe I'm wrong but seems like it's not Moscow but Saint petersburg. The DC Selectel mentioned in the video is located in Petersburg and a traceroute to the IP proves it. The last and penultimate hops belong to Saint petersburg. Maybe GeoIP puts Moscow because of IP PI block's provider located in Moscow? If that is correct how can we believe that an attack comes from A and not B? Thanks for your videos
Yeah you could be right. One of the reasons why I mentioned in the video that we have to take the location with a grain of salt... It's just what the database says. Before being absolutely sure I would definitely do more research on a given IP for location and other company data. And then... IP's can always be spoofed, which would make GeoIP irrelevant.
@@ChrisGreer Exactly! There is no magic wand as always;) Thanks for your time!
Your cats cute
yeah but when someone used vpn you take the wrong geoip?
It didnt work for me. I download the same format and it never populated. Not sure why.
I'm looking into why this isn't working on Windows all of a sudden. I'll post when I figure it out. Thanks for letting me know.
it wouldn't let me make an account because i dont have a company or can i just type anything in company name box even if i dont have a company im right now a student trying to gain skills and education to get my foot in the door in the cyber security field
You probably could put your school name in the company field.
Hi, Chris, I'm having a hard time making it work on my Windows version of Wireshark. I downloaded it for MMDB but it was formatted in tar.gz not .mmdb. So I formatted it to .mmdb, point it to my path folder, restarted Wireshark but no luck. Is there something I missing?
Hi Kevin - hmm.. I think it has to do with the way it was unzipped. Go ahead and reach out to me at packetpioneer (at) gmail.com and we will try it with an unzipped mmdb that works on my end.
@@ChrisGreer Hi Chris! Unfortunately, I have also run into the same problem. Is there a way to resolve this? Would appreciate the help
I'm having the same issue. All the DL links are for tar files. It made me think I'm looking in the wrong place. Anybody get this figured out?
Cool stuff!
Thank you!
Thank you
First video of the new year
sure is! Buckle up for a whole lot more in 2022.
very good
Thanks
Can I determine the scammer location
Hello Chris, fantastic content. I just found your TH-cam channel and am going through most of your videos trying to learn a lot about wireshark. I ran into a problem trying to figure out how to get everything to show up here. I downloaded the 3 items from Maxmind. The GeoLite2 Country, City, and ASN databases and mapped them in the maxmind database directories tab under preferences and name resolution. They are all in one file location on my desktop. However i cannot get any of the information to show up in either the IP drop down or the statistics - endpoint window. Do you have an idea on what i could have done wrong? maybe i downloaded the wrong file formats? i am running windows 11 and have wireshark V4.0.4. I see the Map button however, it is greyed out i believe due to no country, city, or asn's showing up in the end point screen.
Hello, I have the same issue, running Wireshark on windows 10.
@@aidamaja8712 did you manage to solve this problem?
did you manage to solve this problem?
@@user-in5gm4xt7e I am having the same problem
Hi guys, I am also having the same issue, I am running it in Windows 11 home edition. But, I noticed that Criss uased the 2021 version and I downloaded the 2023 version of these databases. I am not sure if that is part of the problem.
Hey Chris, the maps button/layout has moved or gone. Does it existing on latest mac editions now?
Yeah they moved it to the left column on 4.0 and newer.
@@ChrisGreer Can't see a way to enable it. My windows box has it enabled
@@JohnMandersonBM Make sure you are on Statistics | Endpoints - Then make sure you have the IP button on top selected. You should see the Map button on the left activate.
👍👍👍👍👍
Graet
I followed the process (download the Gzip file - extract - pointed the folder in Wireshark) but still, it's not working for me 😐
Hmm.... reboot wireshark? after that, reboot system? (I HATE that as a solution but sometimes we need to kick Wireshark to see the folder and use the DB.
@@ChrisGreer Still no luck.🙄
@@prasadshinde8271 Me too. Do you have the Windows version of Wireshark?
@@KevinCrabb Yes
The cat was distracting :D
What if the person spoof his ip?
Then it will show up in the location of where the spoofed IP is registered. So like we said in the video, it's a feature you kinda have to take with a grain of salt.