How to trace the Geolocation of network traffic


gorvq7222
Senior Member
 

How to trace the Geolocation of network traffic

Post Posted: Apr 18, 17 20:23

A case about a suspicious malware app. A forensic examiner captured some pcap files and needed to know where the destination is. Let me show you how to solve it with Wireshark. First you have to download the GeoIP database files. Extract those archive files and put them into some directory. You could take a look at my blog at the link below:
www.cnblogs.com/pieces...25312.html  
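The post above points at Wireshark's GeoIP lookup but does not show the underlying steps. As an added example (not code from the post or from Wireshark), the script below does the same job by hand: it parses a classic pcap, collects the IPv4 destinations, drops addresses that no GeoIP database can locate (RFC 1918, loopback, link-local, CGNAT), and resolves the rest against a CIDR table laid out like the GeoLite2 CSV "blocks" files, using longest-prefix match. The pcap is built in memory from documentation ranges and the table rows (country codes XA/XB/XC, city names) are constructed for the demo; they are not real GeoIP data.

```python
"""Extract external destination IPs from a classic pcap and map them
through a GeoLite2-CSV-style CIDR table (added example, constructed data)."""
import ipaddress
import struct

# Constructed table in the column style of GeoLite2 "Blocks" CSVs. Invented rows:
# the /25 inside 198.51.100.0/24 is there to show why longest-prefix match matters.
GEO_CSV = """network,country_iso_code,city_name
203.0.113.0/24,XA,Exampleville
198.51.100.0/24,XB,Testburg
198.51.100.128/25,XB,Testburg North
192.0.2.0/24,XC,Docutown
"""

# Ranges a GeoIP database cannot meaningfully locate; they are skipped in the report.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",     # loopback, link-local, multicast
    "100.64.0.0/10",                                    # CGNAT shared address space
)]

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def load_table(csv_text):
    rows = []
    for line in csv_text.strip().splitlines()[1:]:       # skip header row
        net, country, city = line.split(",")
        rows.append((ipaddress.ip_network(net), country, city))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)  # most specific prefix first
    return rows

def lookup(table, ip):
    """Longest-prefix match; None when no row covers the address."""
    for net, country, city in table:
        if ip in net:
            return country, city
    return None

def destinations(pcap):
    """Count IPv4 destination addresses in a classic (non-pcapng) Ethernet pcap."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"                     # little-endian, microsecond timestamps
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng/nanosecond not handled)")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET (1) is handled")
    counts, off = {}, 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl, _orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        # Need Ethernet (14) + minimal IPv4 header (20); skip ARP, IPv6, truncated frames.
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
            continue
        dst = ipaddress.IPv4Address(frame[30:34])        # IPv4 dst at header offset 16
        counts[dst] = counts.get(dst, 0) + 1
    return counts

def report(pcap, csv_text=GEO_CSV):
    """(dst, packet count, (country, city) or None) per external destination, busiest first."""
    table = load_table(csv_text)
    out = []
    for dst, n in sorted(destinations(pcap).items(), key=lambda kv: (-kv[1], kv[0])):
        if not is_internal(dst):
            out.append((str(dst), n, lookup(table, dst)))
    return out

# --- constructed capture (documentation ranges only) ------------------------
def frame(src, dst, ethertype=b"\x08\x00"):
    """Ethernet II header + bare IPv4 header; no payload is needed for this parser."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + ethertype + ip

def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = build_pcap(
    [frame("10.0.0.5", "203.0.113.7")] * 3
    + [frame("10.0.0.5", "198.51.100.200")] * 2                  # hits the /25 row
    + [frame("10.0.0.5", "10.0.0.1")]                            # internal, filtered out
    + [frame("10.0.0.5", "198.18.0.1")]                          # not in the table -> None
    + [frame("10.0.0.5", "192.0.2.9", ethertype=b"\x08\x06")]    # ARP frame, skipped
)

if __name__ == "__main__":
    for dst, n, geo in report(SAMPLE_PCAP):
        print(f"{dst:16} {n:3d} packets  {geo or 'no match in table'}")
```

The lookup answers only "which table row covers this prefix"; as the replies below stress, that row is the registrant's or provider's location, not the host's. Wireshark's own GeoIP columns are the same prefix match with a real database behind it, so they carry the same caveat.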
 
  

athulin
Senior Member
 

Re: How to trace the Geolocation of network traffic

Post Posted: Apr 18, 17 20:59

- gorvq7222
A case about a suspicious malware app. A forensic examiner captured some pcap files and needed to know where the destination is. Let me show you how to solve it with Wireshark. First you have to download the GeoIP database files.


As the blog entry doesn't explain how, I can only assume that it's the free databases at dev.maxmind.com/geoip/.../geolite/.

The warning message on that site would have been useful to repeat:
IP geolocation is inherently imprecise. Locations are often near the center of the population. Any location provided by a GeoIP database should not be used to identify a particular address or household.

and a note on another page describing accuracy issues that:
IP geolocation is more accurate for broadband IP addresses and less accurate for cellular networks


And perhaps also note that the last time I checked on geoIP, using an IP address from my previous ISP, my location was reported as the city in which their corporate headquarters was located, whereas I was located some 600 kilometers away. I hope it was due to privacy concerns that location was reported that badly ... I expect it was ordinary corporate fumbling, however.  
 
  

MDCR
Senior Member
 

Re: How to trace the Geolocation of network traffic

Post Posted: Apr 18, 17 22:27

Good luck tracking down mobile internet users to a geological position. Or TOR/VPN users.

I am regularly doing nslookup on my IP address and sometimes it says Slovakia or Iran, because the registrars do not update their address assignment. Also some IPv4 addresses are shared across the globe during different timezones.

The best way I've found is to track the location by doing a traceroute, then locating each IP from the source, stepping out from the original IP one step at a time. But even that can be an inexact method.  
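The hop-by-hop approach above, as an added example (not the poster's own tooling): parse a traceroute, locate each hop through a CIDR table, and report where the location changes along the path instead of trusting one lookup on the final address. Hops that time out (`* * *`) or sit in private address space are kept in the output and labelled, since those gaps are exactly what makes the method inexact. The traceroute text, the table rows and the country codes XA/XB/XC are constructed from documentation ranges for the demo.

```python
"""Locate each traceroute hop with a CIDR table and flag location changes
along the path (added example, constructed data)."""
import ipaddress
import re

# Constructed table, invented rows (GeoLite2 "Blocks" column style).
GEO_CSV = """network,country_iso_code
198.51.100.0/24,XA
192.0.2.0/24,XC
203.0.113.0/24,XB
"""

# Constructed Linux-style traceroute output.
TRACE = """traceroute to 203.0.113.80 (203.0.113.80), 30 hops max, 60 byte packets
 1  gw (192.168.1.1)  1.1 ms  1.0 ms  1.2 ms
 2  198.51.100.1 (198.51.100.1)  8.2 ms  8.0 ms  8.4 ms
 3  * * *
 4  192.0.2.17 (192.0.2.17)  40.5 ms  41.0 ms  40.9 ms
 5  203.0.113.80 (203.0.113.80)  52.3 ms  52.0 ms  52.7 ms
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")

def load_table(csv_text):
    rows = [(ipaddress.ip_network(n), c) for n, c in
            (line.split(",") for line in csv_text.strip().splitlines()[1:])]
    return sorted(rows, key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

def parse_hops(text):
    """Yield (hop number, first responding IPv4 or None) per hop line.
    If probes of one hop answered from different addresses, only the first is taken."""
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                      # header line
        ip = IP_RE.search(m.group(2))
        yield int(m.group(1)), (ipaddress.IPv4Address(ip.group(1)) if ip else None)

def locate_path(text=TRACE, csv_text=GEO_CSV):
    """[(hop, ip or None, label)] where label is a country code or a reason it is unknown."""
    table = load_table(csv_text)
    out = []
    for hop, ip in parse_hops(text):
        if ip is None:
            label = "no reply"
        elif any(ip in net for net in RFC1918):
            label = "private (local network)"
        else:
            label = next((c for net, c in table if ip in net), "no table match")
        out.append((hop, str(ip) if ip else None, label))
    return out

def transitions(path):
    """Hops at which the located country differs from the last located hop."""
    located = [(h, lbl) for h, _ip, lbl in path if len(lbl) == 2]  # 2-letter codes only
    return [(h, prev, cur) for (_, prev), (h, cur) in zip(located, located[1:]) if prev != cur]

if __name__ == "__main__":
    path = locate_path()
    for hop, ip, label in path:
        print(f"{hop:2d}  {ip or '*':16} {label}")
    for hop, prev, cur in transitions(path):
        print(f"hop {hop}: path moves {prev} -> {cur}")
```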
 
  

jaclaz
Senior Member
 

Re: How to trace the Geolocation of network traffic

Post Posted: Apr 18, 17 23:00

- athulin

And perhaps also note that the last time I checked on geoIP, using an IP address from my previous ISP, my location was reported as the city in which their corporate headquarters was located, whereas I was located some 600 kilometers away. I hope it was due to privacy concerns that location was reported that badly ... I expect it was ordinary corporate fumbling, however.

Well, a few people in the US (Kansas and Las Vegas) had bigger issues with IP Geolocation, JFYI:
nakedsecurity.sophos.c...eir-house/

nakedsecurity.sophos.c...precisely/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

Rameez
Newbie
 

Re: How to trace the Geolocation of network traffic

Post Posted: Sep 03, 19 12:42

There are a number of IP geolocation API services available in the market, but I would prefer the IP geolocation API service to trace the geolocation of network traffic, as it has a rich database, high accuracy (99% at the country level and 75% at the city level), lowest latency and economical pricing, etc. It provides country, city, state, province, local currency, latitude and longitude, company detail, ISP lookup, language, zip code, country calling code, timezone, current time, sunset and sunrise time, moonset and moonrise time from any IPv4 and IPv6 address in REST, JSON and XML format over HTTPS.

For more detail, visit the website www.ipgeolocation.io.

Regards,  
 
  

jaclaz
Senior Member
 

Re: How to trace the Geolocation of network traffic

Post Posted: Sep 03, 19 15:17

- Rameez
... local currency ... moonset and moonrise time from any IPv4 and IPv6 address ...

Wow, great; next time there is an investigation into mercenary werewolves on the 'net, this resource will prove invaluable.

jaclaz
 
  

athulin
Senior Member
 

Re: How to trace the Geolocation of network traffic

Post Posted: Sep 03, 19 16:10

- Rameez
... but I would prefer the IP geolocation API service to trace the geolocation of network traffic, as it has a rich database, high accuracy (99% at the country level and 75% at the city level), lowest latency and economical pricing, etc.


That statement sounds as if it is based on some kind of study. Could you provide information about where this study was published? Or, in the absence of a study (or perhaps I should say, an independent study), how the accuracy estimates were derived, and what max and average errors they exhibit?  
 
