Setting up GeoIP in Wireshark

Folks, it's Tony Fortunato from The Technology Firm. Today I want to talk to you a little bit about how to use GeoIP in Wireshark. People bring this up all the time and they feel it's a daunting task. It's not that bad, so I'm going to walk you through it; I'm going to show you some tips and tricks along the way and hopefully get you going with it.

The first thing we need to do is set up Wireshark the way we like to see it, and I'll show you the way I do it. You don't need to do it this way, but the way I like to do it is I get rid of the bottom pane called the Packet Bytes, so I uncheck that. I also turn off the colors, because right now the colors aren't helping me with anything and I find them extremely distracting. Now we're going to double-check our IP header to make sure there is no GeoIP information being provided, because there shouldn't be, right, if you haven't set it up. But in case you're sharing a computer with somebody else or something like that, you might want to just check: you would see it somewhere near the bottom of this, and we don't.

So the first thing I need to do is go get these GeoIP files, these database files. What you do is you set up a free account and go to the download area, and please pay attention to the types of files you can download, because there are two types of files. The first one is going to be a CSV, comma-separated values. You don't want that. You want these binary files, these .mmdb files; that's what you want, and you're going to download them as gzip files. There are three of them; if you don't know which one you want, just get all three of them, they're not that big. Then you just unzip them and throw them in a folder. Please pay attention to where that folder is. Then we go back to Wireshark.

OK, so in Wireshark we go to Edit, Preferences. Down here we have Name Resolution, and if you take a look here at the bottom it says MaxMind database directories, Edit. From here I'm going to hit the plus button; there's the path. You can type it in manually or you get the Browse button; it's entirely up to you how you want to deal with that. OK, and OK.

So here's the thing. This is where people get tripped up. Whenever we do these classes people start freaking out because things aren't working out for them: "There is no GeoIP here, what did I do wrong?" blah blah blah. Well, two things. Number one: do you have an actual address that can be geolocated? For example, these are private IP addresses, 10.44, right? That's not a public address. So how do we get a filter so we can just see our public IPs? Well, that means we want to catch anything that goes through the router; that implies not local, right? In a big enough company, going through a router just means you go to a different floor, but in this case it's a lab. I know we go through the router and we go to the internet, I know that, and the router is a Ubiquiti router, so it's probably going to be a Ubiquiti MAC address. There are a lot of ways to figure out the MAC address; I'm not going to get into that with you right now. I'm just going to go with Statistics, Endpoints, and there's Ethernet. I'm going to hit Name Resolution and you'll see at the bottom here there's Ubiquiti right here. So I'm going to just right-click on it, Apply as Filter, Selected, boom, and now we have a filter of just stuff that's gone through the router. So you can see 176.103; that's obviously out on the internet, it's a DNS. OK, now we know that, and now if we scroll down here at the bottom, look what it says: Destination GeoIP. Oh, look at that, Cyprus. See that? Cyprus, country code, AS number, and so on and so on.

Now from this point on, people want to see that in my packet list here; they want to see the word Cyprus, the country, right? Easiest way to do that: just right-click and then we're going to Apply as Column, right here. See that right there. Now pay attention: it says Destination GeoIP, so when the destination is a private address you don't see anything. So there's a few ways of dealing with this. Number one, you might not even care, so who cares. But if you are the kind of person that said, "No, no, I want to see every single line, I want to see what country it is just so I don't miss anything," sure: right-click and you go to Edit, and you can see right here it says ip.geoip.dst_country. Well, you can just get rid of the dst. See that? OK, now we're good to go. So that's kind of cool.

Now if we want to take it a step further, the other thing people like to do with it, now that we have this field that we can filter on: I can do a quick display filter and say, hey, if the GeoIP country is the United States, show me. Well, let's see what's happened. Boom, and there they are. So now we can see all the packets that were for the United States; in this case it's got old Microsoft updates. So if you noticed, I did not turn on name resolution. I don't need that for GeoIP. That's one of the myths and misconceptions out there: I do not need name resolution for GeoIP to work. GeoIP just needs those database files; as long as it's a public IP and it's in that database, you're good to go. So right now we've done all this and we might want to turn that on, so I go to Edit, Preferences, and this time we're going to Name Resolution and I'm going to turn on Resolve network (IP) addresses. OK, and you will see, there you go, see that, now we have name resolution along with the country, because hand in hand they tend to make a little bit more sense, right? Because the United States is a big country, you know, I don't know what that is, and this really does help. So there you go folks, hope that helped you out. Have a good day, bye for now.
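The two gotchas in the walkthrough above (GeoIP columns stay empty for private addresses, and a public address can still be blank if it is not in the loaded database) are easy to check in bulk once the same fields are exported from tshark. The script below is an added example, not code from the video or from The Technology Firm. It assumes the MaxMind .mmdb directory is already configured in the Wireshark profile that tshark reads (Edit, Preferences, Name Resolution, MaxMind database directories), and that the input is the tab-separated output of the tshark command shown in its docstring; the sample rows, the "public" addresses and the AS numbers are constructed placeholders. It also builds the address-based display filters (RFC 1918 exclusion, `ip.geoip.dst_country` versus `ip.geoip.country`) as an alternative to the router-MAC filter used in the video.

```python
"""Added example (not from the video): post-process tshark GeoIP fields.

Assumes Wireshark/tshark already has the MaxMind .mmdb directory configured
under Edit > Preferences > Name Resolution > MaxMind database directories,
as the video walks through. The input format is what this (assumed)
command prints, one packet per line, tab separated:

  tshark -r capture.pcapng -n -T fields -E separator=/t \
      -e ip.src -e ip.dst -e ip.geoip.dst_country -e ip.geoip.dst_asnum

-n turns name resolution off; the GeoIP columns still populate because the
lookup reads the .mmdb files, not DNS.
"""
import ipaddress
from collections import Counter

# Constructed sample output, not a real capture. 10.44.0.0/16 plays the lab
# LAN; the "public" addresses and AS numbers are placeholders.
SAMPLE_TSHARK_OUTPUT = (
    "10.44.1.20\t176.103.130.130\tCyprus\t65001\n"
    "10.44.1.20\t10.44.1.1\t\t\n"
    "1.2.3.4\t10.44.1.20\t\t\n"
    "10.44.1.20\t1.2.3.4\tUnited States\t65002\n"
    "10.44.1.20\t5.6.7.8\t\t\n"
)

PRIVATE_V4 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def parse_tshark_fields(text):
    """Turn tshark -T fields output into dicts; empty columns stay ''."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Pad so a line with trailing empty fields still yields four columns.
        src, dst, country, asnum = (line.split("\t") + ["", "", "", ""])[:4]
        rows.append({"src": src, "dst": dst, "country": country, "asnum": asnum})
    return rows


def classify(ip_str):
    """'public' if Wireshark will attempt a GeoIP lookup, else 'non-routable'.

    Wireshark only consults the database for globally routable addresses;
    RFC 1918, loopback, link-local and the documentation/TEST-NET ranges
    never get a country, which is the first thing to check when the column
    is empty.
    """
    return "public" if ipaddress.ip_address(ip_str).is_global else "non-routable"


def explain_missing_geoip(ip_str):
    """Why a GeoIP column is blank for this address."""
    if classify(ip_str) == "non-routable":
        return "non-routable address: no GeoIP by design"
    return ("public address with no GeoIP: not in the loaded .mmdb files "
            "(stale database, or the directory path in preferences is wrong)")


def summarize_geoip(rows):
    """Count packets per destination country and explain the blanks."""
    per_country = Counter()
    blanks = []
    for row in rows:
        if row["country"]:
            per_country[row["country"]] += 1
        else:
            blanks.append((row["dst"], explain_missing_geoip(row["dst"])))
    return per_country, blanks


def public_traffic_filter(field="ip.dst"):
    """Display filter keeping only packets whose <field> is outside RFC 1918.

    Address-based alternative to the video's router-MAC filter
    (eth.addr == <router MAC>); both isolate traffic that left the LAN.
    """
    return "!(%s in {%s})" % (field, " ".join(PRIVATE_V4))


def country_filter(country, direction="dst"):
    """ip.geoip.dst_country for one direction, ip.geoip.country for either."""
    if direction == "any":
        field = "ip.geoip.country"
    else:
        field = "ip.geoip.%s_country" % direction
    return '%s == "%s"' % (field, country)


if __name__ == "__main__":
    per_country, blanks = summarize_geoip(parse_tshark_fields(SAMPLE_TSHARK_OUTPUT))
    for country, n in per_country.most_common():
        print("%-15s %d" % (country, n))
    for dst, reason in blanks:
        print("no GeoIP for %-16s %s" % (dst, reason))
    print(public_traffic_filter())
    print(country_filter("United States"))
```

Running it on the constructed sample reports one packet each for Cyprus and the United States, flags the two 10.44.x.x destinations as blank by design, and flags 5.6.7.8 as a public address the database did not know; that last case is the one to investigate (outdated .mmdb or wrong directory) rather than shrug off.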
Channel: The Technology Firm
Views: 2,920
Id: 6p20HQNf-Bw
Length: 5min 53sec (353 seconds)
Published: Thu Jul 06 2023