Throughout my career, I have spent a considerable amount of time using and studying packet captures. One of the more difficult things when analyzing traffic is simply wading through the unimportant stuff and looking for that which is more significant. If you have not spent a good deal of time studying traffic, it may even take a few minutes to even find the conversation that you are looking for. I typically do a combination of string searches, name resolution and filters to narrow down my field of view and focus in on what we are interested in. Wireshark, my favorite protocol analyzer, has come a long way since its earlier days of Ethereal. The traditional filter mechanisms are elegant and full featured, but I would like to introduce one of the new and exciting features and how it expands our capability to filter.
This cool new feature is the GeoIP capability. If you have the current version of Wireshark, you may have the ability to use MaxMind’s GeoIP database during your network analysis process. It is really cool to be able to do things like filter by city, country, BGP Autonomous System Number (ASN), latitude range, longitude range, and company name. Furthermore, it is nice to have the awareness that can be realized by having a column for the company name/ASN and Country in the packet lists and the ability to plot the endpoints on a map. This feature is not enabled by default and can have an impact on performance. So this is one of those things that you may want to use on a circumstance by circumstance basis. Additionally, there is a little bit of work that is required to getting this going the first time.
To use the GeoIP features in Wireshark, it is first necessary to make sure that the feature was compiled in the version of Wireshark that you are currently running. To do this, simply launch Wireshark then go to “Help” and “About Wireshark”. On the “Wireshark” tab, look for the words “with GeoIP”. If this is present, your version of Wireshark supports GeoIP.
The next thing we need is the actual GeoIP databases. Wireshark currently uses the MaxMind binary GeoIP databases. There are free and paid versions that are available. The free ones are called “GeoLite” Country, City and ASN. The free Country and City databases are slightly less accurate than the subscription based ones. In any case, these are a good starting place if you are interested in the GeoIP features in Wireshark. To download, go to the following urls:
http://www.maxmind.com/app/asnum >>Download the free database “GeoIPASNum.dat.gz”
The next step is to extract these files into a common directory using an archive utility like Gzip (*NIX) or 7-zip (Windows).
Now that we have the necessary databases, we need to point Wireshark to the databases and enable GeoIP as a resolution method. To do this, go to “Edit” then “Preferences”. Then in the left column expand “User Interface” and choose “Name Resolution”. To set the database location, choose the Edit button for GeoIP database directories. Next set the directory as appropriate, “c:\geoip” in my example.
Apply those settings but don’t fully exit out of “Preferences”. We still have another thing that we have to do. So still in “Preferences” we need to enable IP GeoIP resolutions. To do this, expend the “Protocols” in and select “IP”. Place a checkmark in the box “Enable GeoIP lookups”. Now we can start using this cool new feature.
The first thing to note is that there is no GeoIP data populated for private address ranges. So make sure that you capture some real data that is going to a non-RFC1918 address space. After doing so, there are some new things that you will notice. Expand an IP header in the “Packet Details” and you should see source and/or destination GeoIP information.
I also wanted some of this information displayed in the “Packet List” so I added a column for “Destination GeoIP AS Number” by right-clicking the appropriate field and choosing “Apply as Column”
We also now have the ability to add more creative filters. For example, we could use the following filters.
Match Packets with a Destination IP address in the United Starts
ip.geoip.dst_country == "United States"
Match Packets to or from an IP address North of the Arctic Circle
ip.geoip.lat > "66.5"
Match packets to or from an IP address in California.
ip.geoip.city contains "CA"
The display filter syntax has actually been expanded to include the following:
ip.geoip.asnum
ip.geoip.city
ip.geoip.country
ip.geoip.dst_asnum
ip.geoip.dst_city
ip.geoip.dst_country
ip.geoip.dst_lat
ip.geoip.dst_lon
ip.geoip.lat
ip.geoip.lon
ip.geoip.src_asnum
ip.geoip.src_city
ip.geoip.src_country
ip.geoip.src_lat
ip.geoip.src_lon
I have not seen the following work, but they are also included in the documentation. Maybe they are "coming soon", or possibly they require another database.
ip.geoip.dst_isp
ip.geoip.isp
ip.geoip.org
ip.geoip.dst_org
ip.geoip.src_isp
ip.geoip.src_org
The final feature that was added with GeoIP is the ability to see this information in “Endpoints”. So if I click “Statistics” then “Endpoints”, I bring up a list of all endpoints from different layers of the OSI model. By choosing “IPv4”, I can see the new columns of “Country”, “AS Number”, “City”, “Latitude” and “Longitude”. I also have the “Map” button.
If I choose “Map”, Wireshark launches an OpenStreetMap view of my endpoints in my default browser. By clicking individual endpoints, the AS Number, Country, City, Packet and Byte counts are displayed.
Packet analysis can be a daunting task. However, it is something that the more that you do it, the easier it becomes. Becoming comfortable with doing protocol analysis is crucial to most of our careers. Not doing so can limit our knowledge and our potential. I would recommend that everyone work to further their skills in this area. I also want to mention that Laura Chappell wrote an excellent book about Wireshark and protocol analysis. I recommend it to anyone seriously desiring to understand how things work. Understanding what is going on from the wire perspective is crucial to configuring the Cisco products that we use to transmit frames and packets as well as to understanding security. When troubleshooting, I often see people using a “sniffer” as last choice. In many cases it should be the first choice.If not very familiar with protocol analysis, people tend to be overwhelmed with gazillions of packets, or focus on something that is meaningless in the big scheme of things. I see one benefit of GeoIP is helping us get a 10,000 foot view. That can help bridge the gap between the 40,000 foot view and the 1,000 foot view. By providing new and exciting ways to create display filters, Wireshark can help us more quickly focus on what is important to us.