Updated: Jun 30
Ever wondered or needed to know where all those network connections originate from or terminate in an IP packet trace without querying individual IPs???
Wireshark can provide a map either from a Wireshark packet capture or an import from another source eg Zyxel Firewall, producing the lovely-looking map below.
This is the standard log output from a Zyxel, nothing exciting, honest. Ignore 192.168.0.247 attempting to establish a UDP port 500 Isakmp to somewhere not local to query time.
Enable a packet capture from the Diagnostic section and capture, add at least the external facing port, wan1. Once the capture has run for a while, stop and then export the files to the local computer where Wireshark is installed.
Sign up to MaxMind.com, it's free to download the GeoLite2 Geo Data.
At the bottom of the 'Products' list select 'GeoLite2 Free Geolocation Data' or click the link below.
Download the 3 zip files, GeoLite2 ASN, GeoLite2 City and GeoLite2 Country. Unpack and more to a common directory.
Open Wireshark, File, Open and select the Zyxel packet capture to import.
To import the Geo-Location data, select 'Edit' then 'Preferences'.
Select 'Name Resolution' and scroll to the bottom of the page.
Select 'Edit' for MaxMind Database Directories.
Set the location for the unpacked files.
To view the map, select 'Statistics' then 'Endpoints'.
Select IPv4 or a tab with a number.
At the bottom of the page, select 'Map' and then 'Open in Browser'.
That's it.... done