How to trace the Geolocation of network traffic

Posted on 2017-04-17 22:40 by Pieces0310

A case about a suspicious malware app. A forensic examiner captured some pcap files and had to know where the destination of the traffic is. Let me show you how to solve it with Wireshark. First you have to download the GeoIP database files. Extract those archives and put the files into some directory.


Now go to [Edit]->[Preferences].


Click [Name Resolution] and then [Edit] to set up the directory of the GeoIP databases.


Click [New] to create a new entry.


Browse to the directory where the GeoIP database files are located.


Don't forget to click [OK] and restart Wireshark.


Open a pcap file and click [Statistics]->[Endpoints]->[IPv4].


Take a look at the [Country] and [City] columns and you will find where this malware has been sending its traffic.
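The same workflow done in code instead of the Wireshark GUI, as an added example that is not part of the original post: it parses a classic libpcap file, counts the IPv4 destinations and looks each one up in a small prefix table that stands in for the GeoIP database. The pcap bytes, the documentation-range addresses and their locations are all constructed for the demo.

```python
import ipaddress
import struct
from collections import Counter
# Constructed stand-in for a GeoIP database (documentation ranges, not real data).
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), ("Taiwan", "Taipei")),
    (ipaddress.ip_network("198.51.100.0/24"), ("Germany", "Frankfurt")),
    (ipaddress.ip_network("192.0.2.0/24"), ("United States", "Ashburn")),
]
def geolocate(ip):
    """Longest-prefix match of ip against GEO_TABLE; None when no range matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, loc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, loc)
    return best[1] if best else None

def ipv4_destinations(pcap):
    """Yield ip.dst for every Ethernet/IPv4 record in a classic libpcap file."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic decides byte order
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("example only handles LINKTYPE_ETHERNET")
    off = 24                                                  # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":    # EtherType must be IPv4
            continue
        yield ".".join(str(b) for b in frame[30:34])          # IPv4 dst at frame offset 30

def endpoint_report(pcap):
    """Return {ip.dst: (packets, country, city)}; like Endpoints->IPv4, destinations only."""
    counts = Counter(ipv4_destinations(pcap))
    return {ip: (n,) + (geolocate(ip) or ("Unknown", "Unknown")) for ip, n in counts.items()}

# --- constructed sample capture: three minimal Ethernet/IPv4 frames, no payload ---
def _frame(dst):
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes(int(x) for x in dst.split(".")))
    return eth + ip
def _pcap(frames):
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([_frame("203.0.113.7"), _frame("203.0.113.7"), _frame("198.51.100.9")])
```

Point `endpoint_report` at the bytes of a real capture to get the same country/city view as the GUI, once `GEO_TABLE` is replaced by a lookup against an actual GeoIP database.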

