Introduction to tracing IP Address with Wireshark
There are times when we need to trace an IP address back to its origin (country, city, AS number, etc.), especially during network forensic analysis, which aims to detect attack patterns and identify attackers. With the help of IP geolocation, we can find the geographic location of an IP address. Many free services on the internet, as well as commercial ones, provide an API (Application Programming Interface) for this to their clients.
When you google "What is my IP address?", you will probably land on a site that uses that kind of API. You may be asking, "Where does such an API get the geolocation of an IP address from?" The answer is simple: from one or more RIRs (Regional Internet Registries). An RIR is a nonprofit organization that allocates IPv4 addresses, IPv6 addresses and ASNs (Autonomous System Numbers).
There are 5 RIRs in the world, and each manages IP addresses for a different region. An organization called IANA (Internet Assigned Numbers Authority) oversees global IP address and autonomous system number allocation and delegates the responsibility of managing IP addresses to the 5 RIRs. The list below shows which RIR is responsible for which region.
AFRINIC (African Network Information Center) serves Africa.
ARIN (American Registry for Internet Numbers) serves Antarctica, Canada, parts of the Caribbean, and the United States.
APNIC (Asia-Pacific Network Information Centre) serves East Asia, Oceania, South Asia, and Southeast Asia.
LACNIC (Latin America and Caribbean Network Information Centre) serves most of the Caribbean and all of Latin America.
RIPE NCC (Réseaux IP Européens Network Coordination Centre) serves Europe, Central Asia, Russia, and West Asia.
MaxMind is one of the platforms that provide both commercial and free services, and its databases are supported by Wireshark.
Downloading MaxMind Geolocation Databases
MaxMind provides 3 free databases for geolocation. We can integrate these databases into Wireshark or we can use these databases for a specific application.
The steps to download are below.
Step-1: Create Account
Since MaxMind requires signing up to download the databases, we need to create an account. Visit the link below for signing up.
https://www.maxmind.com/en/geolite2/signup?lang=en
After the account has been created, navigate to the link below to download the databases.
https://www.maxmind.com/en/accounts/662362/geoip/downloads
After opening the link (they update it frequently), we have the option to download the geolocation data in several formats (.csv, .mmdb, etc.).
Step-2: Download MaxMind ZIP Files in mmdb format
Since Wireshark supports only the mmdb format, we will download the ZIP files that contain mmdb files. These databases can be used with Python, C#, Node, PHP and Ruby as well. MaxMind recommends using the official client libraries to query their databases. With a few lines of code, you can get geolocation in your application too.
Create a directory and download the compressed (tar extension) files there. Wireshark cannot use compressed files, so we need to extract them into the same directory. In the end, the directory must look like the one below.
Adding MaxMind Databases Path to Wireshark
Step-1: Access Wireshark Settings
Open Wireshark and go to Edit → Preferences.
Step-2: Load MaxMind Database into Wireshark
The Preferences window pops up. Click "Name Resolution" in the left pane. Then, on the right, at the bottom of the window, there is an Edit button that lets us add MaxMind databases. Click it and a small window comes up. Select the directory where your files are stored. Do not forget that the file extension must be ".mmdb". Wireshark will automatically load all files ending with that extension.
The visual steps are below.
Finding Geolocation of an IP
After setting the path, Wireshark will not show geolocation information right away. We need to restart Wireshark; it will then rescan the pcap file and show geolocation information in the IP headers. To see this in practice:
- Open Wireshark and visit example.com.
- Once you see the packets for the site, stop capturing.
- Select any packet and expand its IP header. You should see some geolocation information in either source or destination IP.
- When the packet source or destination IP is your local IP address, you will not see any geolocation information in the IP header, since your IP address is in the private range.
The figure below shows my output.
We can see some nice details about the geolocation of the destination IP address. MaxMind databases include information like City, Country, AS Number and even Latitude and Longitude. Sometimes, we may not see any geolocation information in an IP header at all. This is due to the databases not being up to date.
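The two reasons given above for a missing geolocation entry (a private address, or an address the database does not cover) can be told apart programmatically. This added example, which is not part of the original article, does so over a constructed tab-separated list of source IP, country and AS number; the column layout, the function names and the sample rows are assumptions, and it also covers loopback, link-local and carrier-grade NAT ranges beyond the private case the text mentions.

```python
import ipaddress
from collections import Counter
# Ranges no geolocation database covers (explicit, not Python's is_private).
NON_ROUTABLE = {
    "private (RFC 1918)": ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
    "loopback": ("127.0.0.0/8",),
    "link-local": ("169.254.0.0/16",),
    "carrier-grade NAT": ("100.64.0.0/10",),
}
NETS = [(label, ipaddress.ip_network(c))
        for label, cidrs in NON_ROUTABLE.items() for c in cidrs]

# Constructed sample export: source IP <TAB> country <TAB> AS number.
# Addresses and AS numbers come from documentation ranges, not real hosts.
SAMPLE = (
    "192.168.1.10\t\t\n"
    "198.51.100.7\tNetherlands\t64500\n"
    "198.51.100.7\tNetherlands\t64500\n"
    "203.0.113.25\tNetherlands\t64500\n"
    "192.0.2.44\tBrazil\t64501\n"
    "192.0.2.99\t\t\n"
    "100.64.3.2\t\t\n"
)

def classify(ip_text, country):
    """Explain why an endpoint has, or lacks, geolocation data."""
    ip = ipaddress.ip_address(ip_text)
    for label, net in NETS:
        if ip in net:
            return label
    return "located" if country else "not in database"

def summarize(text):
    """Count unique located IPs per (country, ASN); list the rest with a reason."""
    seen, located, unresolved = set(), Counter(), {}
    for line in text.splitlines():
        ip, country, asn = (line.split("\t") + ["", ""])[:3]
        if not ip or ip in seen:
            continue
        seen.add(ip)
        status = classify(ip, country)
        if status == "located":
            located[(country, "AS" + asn)] += 1
        else:
            unresolved[ip] = status
    return located, unresolved

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Addresses reported as "not in database" are the ones worth re-checking after a database update; the other categories will never resolve, whatever the database version.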
Mapping IP Address Locations
Imagine you have identified an attack pattern that attempts to exploit your web server, and you want to see the attacker's IP addresses on a map to get a better perspective. That is exactly what Wireshark provides with geolocation. Follow the steps below to show geolocation information on a map.
From the Statistics menu, click Endpoints.
In the window that opens, we can see Country, City, AS Number and AS Organization information for most IP addresses. See my output below.
To see the location of each IP address, from the Endpoints window, click Map → Open in browser.
A map of all IP addresses will open in your default browser. You can zoom in or out on the map to get the details you want. The figure in each circle on the map shows how many IP addresses are in that location.
See my map below.
Final Thoughts
Mapping IP address locations is useful when you are doing network forensics. Wireshark does not ship with any geolocation databases, so to use that feature we have to add the database path to Wireshark. One important note: the database files must be in mmdb format, which is the only format Wireshark supports.
IP geolocation information may not be 100% reliable. The accuracy depends on whether the databases are regularly updated. Besides that, the databases should have good coverage of IP addresses for a better result. Attackers, most of the time, hide their IP addresses behind a proxy, a VPN or a NAT, which decreases your chance of finding the IP address's real origin.