Wireshark-dev: [Wireshark-dev] [GeoIP] New map of IP locations
From: Ulf Lamping <[email protected]>
Date: Sun, 15 Feb 2009 11:26:27 +0100
Hi!

The new Wireshark "IP Location Map"!

Wireshark can now open a (local) web map page that displays the geolocations of captured IP addresses. I've attached a screenshot of how this looks.


What you'll need:
a) An Internet connection
Please note: This mechanism will NOT transfer any sensitive data to the internet!
b) Wireshark can open the web browser
the menu item Help/Website should open a web page
c) Web browser must have JavaScript enabled
d) The GeoIP databases must be installed (see below)


Prepare GeoIP databases:
e) Download the GeoIP database files:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz

f) Put the UNZIPPED files GeoIP.dat, GeoIPASNum.dat and GeoLiteCity.dat somewhere into one folder, e.g. into c:\GeoIP
g) Set the "GeoIP database directories" setting in the Preferences "Name Resolution" page to the above dir

To try it:
l) Load a capture file into Wireshark that contains IP addresses from all over the world :-)
m) Open Statistics/Endpoints and select the IPv4 tab

n) Make sure you see some geolocation details (like City, Latitude, ...) already displayed here. It's ok if not all rows show geo details, e.g. the 192.168... addresses are not locatable.
o) Click on the (now enabled) Map button
p) Your web browser should open now, displaying a map with markers for all known IP address locations
r) You can zoom/pan the map
s) You can click on each marker to get some more details


What happens behind the scenes ...
1) If you click the Map button, a file named ipmap.txt will be created in the temp folder. The ipmap.txt is basically a "tab separated value" file containing the IP details needed for the map.
2) The file ipmap.html will be copied from the program(data?) to the temp folder.
3) Now Wireshark opens the web browser, loading the file ipmap.html
4) The JavaScript code in ipmap.html will load JavaScript files from http://www.openlayers.org and http://www.openstreetmap.org and then show the OpenStreetMap graphics and the "ipmap.txt markers" layer above it.
5) ipmap.html and ipmap.txt will remain in the temp folder.



This is experimental; I would be interested if this also works on the unix part of the world ;-)
In case of any problems, the interesting code is in gtk/hostlist_table.c in the function open_as_map_cb(), starting at line 591.
Regards, ULFL

PNG image
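Since the copied ipmap.html pulls its JavaScript from remote hosts before the map renders, an administrator may want to confirm that the copy in the temp folder references only the two hosts the announcement names. The following is an added example, not Wireshark code: it extracts every remote `<script src=...>` host from an HTML document and reports any host outside that allowlist. The HTML below is a constructed sample (the announcement does not show the real markup), and the script paths and the extra host in it are invented for the test.

```python
import re
from urllib.parse import urlparse

# Hosts the announcement says ipmap.html fetches its JavaScript from.
ALLOWED_SCRIPT_HOSTS = {"www.openlayers.org", "www.openstreetmap.org"}

# Constructed stand-in for the ipmap.html copied to the temp folder; the
# script paths and the third host are invented, the real file is not shown.
SAMPLE_IPMAP_HTML = """<html><head>
<script src="http://www.openlayers.org/api/OpenLayers.js"></script>
<script src="http://www.openstreetmap.org/openlayers/OpenStreetMap.js"></script>
<script src='http://example.invalid/extra.js'></script>
<script>var markers = "ipmap.txt";</script>
</head><body><div id="map"></div></body></html>"""

# Matches the src attribute of a <script> tag, single- or double-quoted.
_SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]",
                         re.IGNORECASE)


def external_script_hosts(html: str) -> list[str]:
    """Return the host of every <script src=...> that points at a remote URL,
    in document order. Inline scripts and relative paths (files served from
    the temp folder itself) have no host and are skipped."""
    hosts = []
    for src in _SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def unexpected_script_hosts(html: str,
                            allowed: set[str] = ALLOWED_SCRIPT_HOSTS) -> list[str]:
    """Remote script hosts in the page that are not on the allowlist."""
    return sorted({h for h in external_script_hosts(html) if h not in allowed})


if __name__ == "__main__":
    # Run against the real copy with: open(path).read() instead of the sample.
    print(unexpected_script_hosts(SAMPLE_IPMAP_HTML))
```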