Geolocation in Wireshark

Throughout my career, I have spent a considerable amount of time using and studying packet captures. One of the more difficult things when analyzing traffic is simply wading through the unimportant stuff and looking for what is more significant. If you have not spent a good deal of time studying traffic, it may take a few minutes just to find the conversation you are looking for. I typically use a combination of string searches, name resolution and filters to narrow my field of view and focus on what we are interested in. Wireshark, my favorite protocol analyzer, has come a long way since its earlier days as Ethereal. The traditional filter mechanisms are elegant and full featured, but I would like to introduce one of the new and exciting features and how it expands our capability to filter.

This cool new feature is the GeoIP capability. If you have the current version of Wireshark, you may have the ability to use MaxMind's GeoIP database during your network analysis process. It is really cool to be able to do things like filter by city, country, BGP Autonomous System Number (ASN), latitude range, longitude range, and company name. Furthermore, it is nice to have the awareness that comes from having a column for the company name/ASN and Country in the packet list, and the ability to plot the endpoints on a map. This feature is not enabled by default and can have an impact on performance, so it is one of those things that you may want to use on a case by case basis. Additionally, a little bit of work is required to get this going the first time.


To use the GeoIP features in Wireshark, it is first necessary to make sure that the feature was compiled in the version of Wireshark that you are currently running.  To do this, simply launch Wireshark then go to “Help” and “About Wireshark”.  On the “Wireshark” tab, look for the words “with GeoIP”.  If this is present, your version of Wireshark supports GeoIP.


The next thing we need is the actual GeoIP databases. Wireshark currently uses the MaxMind binary GeoIP databases. There are free and paid versions available. The free ones are called "GeoLite" Country, City and ASN. The free Country and City databases are slightly less accurate than the subscription based ones. In any case, they are a good starting place if you are interested in the GeoIP features in Wireshark. To download them, go to the following URLs:

http://www.maxmind.com/app/geolitecountry >> Download the latest GeoLite Country Binary Format

http://www.maxmind.com/app/geolitecity >> Download the latest GeoLite City Binary Format

http://www.maxmind.com/app/asnum >> Download the free database "GeoIPASNum.dat.gz"

The next step is to extract these files into a common directory using an archive utility like Gzip (*NIX) or 7-zip (Windows).


Now that we have the necessary databases, we need to point Wireshark to the databases and enable GeoIP as a resolution method.  To do this, go to “Edit” then “Preferences”.  Then in the left column expand “User Interface” and choose “Name Resolution”.  To set the database location, choose the Edit button for GeoIP database directories.  Next set the directory as appropriate, “c:\geoip” in my example.



Apply those settings but don't fully exit out of "Preferences"; we still have one more thing to do. Still in "Preferences", we need to enable GeoIP resolution for IP. To do this, expand "Protocols", select "IP", and place a checkmark in the box "Enable GeoIP lookups". Now we can start using this cool new feature.


The first thing to note is that there is no GeoIP data populated for private address ranges.  So make sure that you capture some real data that is going to a non-RFC1918 address space.  After doing so, there are some new things that you will notice.  Expand an IP header in the “Packet Details” and you should see source and/or destination GeoIP information.


I also wanted some of this information displayed in the "Packet List", so I added a column for "Destination GeoIP AS Number" by right-clicking the appropriate field and choosing "Apply as Column".


We also now have the ability to add more creative filters. For example, we could use the following:

Match packets with a destination IP address in the United States
ip.geoip.dst_country == "United States"

Match packets to or from an IP address north of the Arctic Circle
ip.geoip.lat > "66.5"

Match packets to or from an IP address in California
ip.geoip.city contains "CA"

The display filter syntax has actually been expanded to include the following:

ip.geoip.asnum
ip.geoip.city
ip.geoip.country
ip.geoip.dst_asnum
ip.geoip.dst_city
ip.geoip.dst_country
ip.geoip.dst_lat
ip.geoip.dst_lon
ip.geoip.lat
ip.geoip.lon
ip.geoip.src_asnum
ip.geoip.src_city
ip.geoip.src_country
ip.geoip.src_lat
ip.geoip.src_lon


I have not seen the following work, but they are also included in the documentation.  Maybe they are "coming soon", or possibly they require another database.

ip.geoip.dst_isp
ip.geoip.isp
ip.geoip.org
ip.geoip.dst_org
ip.geoip.src_isp
ip.geoip.src_org


The final feature that was added with GeoIP is the ability to see this information in “Endpoints”. So if I click “Statistics” then “Endpoints”, I bring up a list of all endpoints from different layers of the OSI model.  By choosing “IPv4”, I can see the new columns of “Country”, “AS Number”, “City”, “Latitude” and “Longitude”.  I also have the “Map” button.


If I choose “Map”, Wireshark launches an OpenStreetMap view of my endpoints in my default browser. By clicking individual endpoints, the AS Number, Country, City, Packet and Byte counts are displayed.
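The following is an added example, not code from the original post or from Wireshark itself: it emulates in Python what the GeoIP display filters quoted earlier and the Statistics > Endpoints > IPv4 view give you, so that the matching rules can be checked on known input. The packet records and the GEOIP table are constructed placeholders (the coordinates, ASNs and cities are invented for illustration, not real database entries), and the RFC1918 check reproduces the post's observation that private addresses never get GeoIP data.

```python
import ipaddress
from collections import defaultdict

# Constructed packet records (src, dst, frame length in bytes); not real capture data.
PACKETS = [
    ("192.168.1.10", "93.184.216.34", 74),
    ("93.184.216.34", "192.168.1.10", 1514),
    ("192.168.1.10", "203.0.113.7", 60),
    ("10.0.0.5", "192.168.1.10", 98),
    ("192.168.1.10", "93.184.216.34", 66),
]

# Constructed stand-in for the MaxMind GeoLite Country/City/ASN lookups.
# Every value here is an illustrative placeholder, not a real database entry.
GEOIP = {
    "93.184.216.34": {"country": "United States", "city": "Los Angeles, CA",
                      "asnum": "AS64496 EXAMPLE-NET", "lat": 34.05, "lon": -118.24},
    "203.0.113.7": {"country": "Norway", "city": "Tromso",
                    "asnum": "AS64497 EXAMPLE-NORTH", "lat": 69.65, "lon": 18.96},
}

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def geoip(ip):
    """GeoIP attributes for an address, or None when there are none.
    As in Wireshark, private (RFC1918) addresses never resolve."""
    if is_rfc1918(ip):
        return None
    return GEOIP.get(ip)


def endpoints(packets):
    """Per-address packet and byte counts plus GeoIP columns, like
    Statistics > Endpoints > IPv4 with GeoIP lookups enabled."""
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, length in packets:
        for ip in (src, dst):
            stats[ip]["packets"] += 1
            stats[ip]["bytes"] += length
    for ip, row in stats.items():
        row["geoip"] = geoip(ip)
    return dict(stats)


def match(packets, pred, side="any"):
    """Packets whose GeoIP data satisfies pred. side='any' behaves like the
    plain ip.geoip.* fields (either address); 'src'/'dst' like ip.geoip.src_*/dst_*."""
    out = []
    for pkt in packets:
        src, dst, _ = pkt
        sides = {"any": (src, dst), "src": (src,), "dst": (dst,)}[side]
        if any(geoip(ip) is not None and pred(geoip(ip)) for ip in sides):
            out.append(pkt)
    return out


# Predicates equivalent to the display filters quoted in the post
def country_is(name):      # ip.geoip.dst_country == "United States"  (use side="dst")
    return lambda g: g["country"] == name


def lat_above(lat):        # ip.geoip.lat > "66.5"
    return lambda g: g["lat"] > lat


def city_contains(text):   # ip.geoip.city contains "CA"
    return lambda g: text in g["city"]


if __name__ == "__main__":
    for ip, row in endpoints(PACKETS).items():
        print(ip, row)
    print("to the US:", match(PACKETS, country_is("United States"), side="dst"))
    print("arctic:", match(PACKETS, lat_above(66.5)))
```

Note that the plain `ip.geoip.*` fields match if either endpoint satisfies the test, so `match(..., side="any")` on a flow to the US returns both directions of the conversation, whereas the `dst_`-qualified form only returns the outbound packets.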


Packet analysis can be a daunting task. However, the more you do it, the easier it becomes. Becoming comfortable with protocol analysis is crucial to most of our careers; not doing so can limit our knowledge and our potential. I would recommend that everyone work to further their skills in this area. I also want to mention that Laura Chappell wrote an excellent book about Wireshark and protocol analysis, which I recommend to anyone seriously wanting to understand how things work. Understanding what is going on from the wire perspective is crucial to configuring the Cisco products that we use to transmit frames and packets, as well as to understanding security. When troubleshooting, I often see people using a "sniffer" as a last resort. In many cases it should be the first choice. People who are not very familiar with protocol analysis tend to be overwhelmed by gazillions of packets, or to focus on something that is meaningless in the big scheme of things. I see one benefit of GeoIP as helping us get a 10,000 foot view, which can help bridge the gap between the 40,000 foot view and the 1,000 foot view. By providing new and exciting ways to create display filters, Wireshark can help us focus more quickly on what is important to us.

Use a Pen Drive or Memory Card as RAM in Windows

RAM (Random Access Memory) is the memory the computer uses to work on different processes. The more RAM you have, the faster the processes run.

Nowadays there are a large number of programs that require a large amount of RAM to run properly.

Most old computers have only 512 MB or 1 GB of RAM, but that's not enough to run some memory-hungry software.
Games especially require a big amount of RAM to play smoothly. I have faced many problems with games on my computer due to RAM.

First I'll show you a manual way, and after that I'll provide you with software for this purpose.

The basic scheme is that we are going to use a pen drive or USB drive as RAM. Yes, it is possible: all the memory available on a removable pen drive/USB stick can be used as RAM to increase the working speed of the computer.

So, here I am going to show you how you can use your USB pen drive as RAM.

If you have 512 MB of RAM, or even just 1 GB, then this post is especially for you.

OK, let's start.

Manual Method to Convert a USB Drive/Pen Drive into RAM:-

How to use a pen drive as RAM in Windows XP

Here is the procedure for converting USB/pen drive memory into RAM manually:

1) Plug your pen drive into the PC/laptop (minimum 2 GB, maximum 4 GB for better performance). Format your pen drive with the FAT file system.

2) Right-click on My Computer.

3) Open Properties.

4) Go to the Advanced tab.

5) Now select Settings under Performance.

6) Again click on the Advanced tab shown in the pop-up window.

7) Now click on the Change button under Virtual memory.

8) Now, from the list of local drives, click on your pen drive's letter. Then select the option "Custom Size" and set the "Initial Size" and "Maximum Size" depending on your pen drive's space.

9) After that, click on Set and apply the changes.

10) Restart your PC/laptop, and you are done.



A very important suggestion on how to UNDO this:
Follow the steps up to step 7, then set the initial size and maximum size to 0 (ZERO).

Click SET, then select the "No paging file" option. Once you do this, DO NOT REMOVE YOUR DRIVE.

MAKE SURE TO SHUT DOWN YOUR COMPUTER FIRST.
OK, NOW IT'S SAFE TO PULL IT OUT.


How to use a pen drive as RAM in Windows 7 and Windows Vista

* Windows 7 and Windows Vista come with a ReadyBoost option. *

- What is ReadyBoost?
Ans - "ReadyBoost is a disk cache component of Microsoft Windows, first introduced with Microsoft's Windows Vista in 2006 and bundled with Windows 7 in 2009. It works by using flash memory, a USB flash drive, SD card, CompactFlash, external hard drive or any kind of portable flash mass storage system as a cache."

If you are using a high-end PC, it doesn't have any visible effect on speed, because as a normal user I think you only rarely use your full RAM. But if you are using an old PC with low RAM (like 512 MB or 1 GB) and a hard disk, and you are running Vista or 7, it speeds up your PC and you will see the result: reduced application and data loading time, reduced shutdown and restart time, and many more things you can't imagine without more RAM.

How to use this feature

1) Format your pen drive with the FAT file system.

2) Now go to Properties and select ReadyBoost.

3) Check "Use this device" and choose the maximum space to reserve for system speed.

4) Click on Apply and OK.

5) Your ReadyBoost pen drive is now ready to use.


Recommendations:

Do NOT pull flash drive out of USB Port while it is being used as a ReadyBoost device.

Do NOT save any data files on the flash drive when it is being used as ReadyBoost device.


Using eBoostr Software to Convert a USB Drive/Pen Drive into RAM

A clean piece of software is also available for this purpose, known as eBoostr. It will convert your removable device's memory into RAM, and thus the computer's speed will be increased to a large extent.

Is eBoostr free, and which Windows versions can run it?

No, eBoostr is not free; it is available as a non-expiring trial version, which means we can use it continuously for just 4 hours. After that our PC has to be restarted in order to make eBoostr active and working again.
And those who are members, please ask me for a key in the group or in a blog comment.
I will inbox you.


DOWNLOAD eboostr FULL VERSION HERE

Use Hidden RAM



32 Bit version of Windows 7 cannot use RAM over 3.25 GB

eBoostr can utilize this RAM in the creation of an intelligent cache, boosting your system's performance

Installation procedure:

Install the given file, and when it asks for a reboot, choose to reboot manually later.

Next go to Task Manager, find EBstrSvc.exe and eBoostrCP.exe, and end their processes.

Now open the crack folder and copy the 2 files to C:\Program Files\eboostr.

Now restart your PC and start using eBoostr Full Version.

And I am also posting the way to use it.

Follow the screenshots:

To initialize the device

To remove the device after use

Don't forget to remove the cache device before you shut down your system, or else it leads to an error!

Wireshark Quick Reference: filters


Capture filter

host 192.168.0.1

not host 192.168.0.1

ether host 10:10:56:40:15:82

tcp port 80

ip and not broadcast and not multicast - only IP, and no broadcast

not host 164.168.0.1 and ( arp or port 137 or port 138) - gives ARP and broadcast

net 192.168.0.0 mask 255.255.255.0 - (the net address should end in .0; .1 gives a syntax error)

http://wiki.wireshark.org/CaptureFilters - more
http://tiger.la.asu.edu/Quick_Ref/tcpdump_quickref.pdf


Display filter

One-word filters: dns, ip, tcp, udp, http, irc

ip.addr == 192.168.0.1

not ip.addr == 192.168.0.1

eth.addr == 00:11:11:35:11:14

tcp.port == 139

udp.dstport == 53 - show all DNS queries (no answers)

http.request.uri contains "jpg" - search the URL string of GET requests

Right-click on a TCP packet and choose "Follow TCP Stream"; the HTML or XML commands are now shown in plain text.

Menu Analyze -> Expert Info Composite: show all, or only errors and warnings

Menu Statistics -> Endpoints -> IPv4 or TCP or UDP: gives a clear overview of data traffic per IP address or port

Menu File -> Export -> Objects -> HTTP: downloaded files or HTML pages


More display filters

frame.pkt_len < 1500 - filter out all maximum-length packets

ip.addr eq sneezy/24

ip.addr == 129.111.0.0/16

ip.dst != 10.12.0.0/16

http.request.method == "GET"

frame[100-199] contains "wireshark"

http and frame[1-100] contains "GET"

http[0-3] contains "GET"

http[0-2] == "GET"

eth.src[0:3] == 00:00:83 - pick out a vendor's MAC prefix (OUI)
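To make the matching rules behind the display filters above concrete, here is an added example (not part of the original quick reference, and not Wireshark code) that re-implements a handful of them in Python over constructed packets. The frames are simplified (a 14-byte Ethernet II header followed directly by the payload, with IP/TCP headers left out), and the dissected fields are attached by hand; the point is the slice semantics (`[lo-hi]` is an inclusive byte range, `[start:n]` is `n` bytes from an offset), CIDR matching on `ip.addr`, and why the reference writes `not ip.addr == x` rather than `ip.addr != x`: `ip.addr` carries two values, so in older Wireshark releases `!=` meant "either side differs" and matched nearly everything (newer releases changed `!=` to "all not equal").

```python
import ipaddress


def eth_frame(src_mac, dst_mac, payload):
    """Constructed, simplified frame: 14-byte Ethernet II header then payload."""
    def mac(m):
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + payload


HTTP_GET = b"GET /cat.jpg HTTP/1.1\r\nHost: example\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\n" + b"x" * 100 + b"wireshark"

# Constructed packet records with the dissected fields the filters refer to.
PACKETS = [
    {"frame": eth_frame("00:00:83:01:02:03", "ff:ff:ff:ff:ff:ff", b"\x12\x34\x01\x00"),
     "ip.src": "129.111.5.6", "ip.dst": "10.12.3.4", "udp.dstport": 53, "http": None},
    {"frame": eth_frame("00:11:11:35:11:14", "00:00:83:01:02:03", HTTP_GET),
     "ip.src": "192.168.0.1", "ip.dst": "93.184.216.34", "udp.dstport": None, "http": HTTP_GET},
    {"frame": eth_frame("00:aa:bb:cc:dd:ee", "00:11:11:35:11:14", HTTP_RESP),
     "ip.src": "93.184.216.34", "ip.dst": "192.168.0.1", "udp.dstport": None, "http": HTTP_RESP},
    {"frame": eth_frame("00:aa:bb:cc:dd:ee", "00:11:11:35:11:14", b"\x00" * 1500),
     "ip.src": "10.12.9.9", "ip.dst": "192.168.0.1", "udp.dstport": None, "http": None},
]


def select(pred, packets=PACKETS):
    """Indices of the packets a filter predicate accepts."""
    return [i for i, p in enumerate(packets) if pred(p)]


def byte_range(data, lo, hi):       # field[lo-hi]: inclusive byte range
    return data[lo:hi + 1]


def byte_slice(data, start, n):     # field[start:n]: n bytes from offset start
    return data[start:start + n]


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def ip_addr_eq(cidr):               # ip.addr == 129.111.0.0/16 (either side)
    return lambda p: in_net(p["ip.src"], cidr) or in_net(p["ip.dst"], cidr)


def not_ip_addr_eq(cidr):           # not ip.addr == 192.168.0.1 (neither side)
    return lambda p: not ip_addr_eq(cidr)(p)


def ip_addr_any_ne(cidr):           # "either side differs": ip.addr != x in older releases
    return lambda p: not in_net(p["ip.src"], cidr) or not in_net(p["ip.dst"], cidr)


def ip_dst_ne(cidr):                # ip.dst != 10.12.0.0/16 (single-valued field)
    return lambda p: not in_net(p["ip.dst"], cidr)


def frame_len_lt(n):                # frame.pkt_len < 1500 (frame.len in current releases)
    return lambda p: len(p["frame"]) < n


def frame_range_contains(lo, hi, needle):   # frame[100-199] contains "wireshark"
    return lambda p: needle in byte_range(p["frame"], lo, hi)


def http_range_eq(lo, hi, value):           # http[0-2] == "GET"
    return lambda p: p["http"] is not None and byte_range(p["http"], lo, hi) == value


def http_uri_contains(text):                # http.request.uri contains "jpg"
    return lambda p: (p["http"] is not None and p["http"].startswith(b"GET ")
                      and text in p["http"].split(b" ")[1])


def udp_dstport_eq(port):                   # udp.dstport == 53
    return lambda p: p["udp.dstport"] == port


def eth_src_oui(oui):                       # eth.src[0:3] == 00:00:83 (src MAC sits at offset 6)
    return lambda p: byte_slice(p["frame"], 6, 3) == bytes.fromhex(oui.replace(":", ""))


if __name__ == "__main__":
    print("not ip.addr == 192.168.0.1 ->", select(not_ip_addr_eq("192.168.0.1")))
    print("ip.addr != 192.168.0.1 (old) ->", select(ip_addr_any_ne("192.168.0.1")))
    print("frame[100-199] contains wireshark ->", select(frame_range_contains(100, 199, b"wireshark")))
```

Running it shows the difference directly: `not_ip_addr_eq` keeps only the one packet that does not involve 192.168.0.1, while the "either side differs" reading accepts all four. `frame.pkt_len` is the field name used on this page; current Wireshark releases call it `frame.len`.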