Import Geo IP Data in to Wireshark

Ever looked at a packet trace and wondered where all those network connections are coming from, or where they’re headed, without having to query each IP one by one?

Wireshark has you covered. Whether from a live capture or an imported file (say, from a Zyxel firewall), it can generate a clean, visual map of the traffic, like the example below.

This is the standard log output from a Zyxel, nothing exciting, honest. Ignore 192.168.0.247 attempting to establish a UDP port 500 Isakmp to somewhere not local to query time.

Enable a packet capture from the Diagnostic section and capture, add at least the external facing port, wan1. Once the capture has run for a while, stop and then export the files to the local computer where Wireshark is installed.

Sign up to MaxMind.com, it's free to download the GeoLite2 Geo Data.

https://dev.maxmind.com/geoip/geolite2-free-geolocation-data?lang=en

At the bottom of the 'Products' list select 'GeoLite2 Free Geolocation Data' or click the link below.

https://www.maxmind.com/en/accounts/699472/geoip/downloads

Download the 3 zip files, GeoLite2 ASN, GeoLite2 City and GeoLite2 Country. Unpack and more to a common directory.

Open Wireshark, File, Open and select the Zyxel packet capture to import.

To import the Geo-Location data, select 'Edit' then 'Preferences'.

Select 'Name Resolution' and scroll to the bottom of the page.

Select 'Edit' for MaxMind Database Directories.

Set the location for the unpacked files.

To view the map, select 'Statistics' then 'Endpoints'.

Select IPv4 or a tab with a number.

At the bottom of the page, select 'Map' and then 'Open in Browser'.

That's it.... done