How to trace the Geolocation of network traffic

8 Posts
6 Users
0 Likes
1,521 Views
(@gorvq7222)
Posts: 229
Reputable Member
Topic starter
 

A case about a suspicious malware App. A forensic examiner captured some pcap files and he had to know where the destination is. Let me show you how to solve it with Wireshark. First you have to download the GeoIP database files. Extract those archive files and put them into some directory. You guys could take a look at my blog at the link below:
http://www.cnblogs.com/pieces0310/p/6725312.html

 
Posted : 18/04/2017 8:23 pm
(@athulin)
Posts: 1156
Noble Member
 

A case about a suspicious malware App. A forensic examiner captured some pcap files and he had to know where the destination is. Let me show you how to solve it with Wireshark. First you have to download the GeoIP database files.

As the blog entry doesn't explain how, I can only assume that it's the free databases at http://dev.maxmind.com/geoip/legacy/geolite/.

The warning message on that site would have been useful to repeat

IP geolocation is inherently imprecise. Locations are often near the center of the population. Any location provided by a GeoIP database should not be used to identify a particular address or household.

and a note on another page describing accuracy issues that

IP geolocation is more accurate for broadband IP addresses and less accurate for cellular networks

And perhaps also note that the last time I checked on geoIP, using an IP address from my previous ISP, my location was reported as the city in which their corporate headquarters was located, whereas I was located some 600 kilometers away. I hope it was due to privacy concerns that location was reported that badly … I expect it was ordinary corporate fumbling, however.

 
Posted : 18/04/2017 8:59 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

Good luck tracking down mobile internet users to a geological position. Or TOR/VPN users.

I am regularly doing nslookup on my IP address and sometimes it says Slovakia or Iran, because the registrars do not update their address assignment. Also some IPv4 addresses are shared across the globe during different timezones.

The best way I've found is to track the location by doing a traceroute, then locating each IP from the source, stepping out from the original IP one step at a time. But even that can be an inexact method.

 
Posted : 18/04/2017 10:27 pm
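As an added illustration of the two approaches discussed so far (a plain GeoIP lookup of a destination address, and MDCR's hop-by-hop lookup along a traceroute), here is a small stand-alone script that is not part of this thread or of Wireshark/MaxMind. The GeoIP table, the hop list and the address ranges are all constructed (documentation ranges stand in for public addresses); a real investigation would use the downloaded GeoIP database and a live traceroute.

```python
import ipaddress

# Constructed sample GeoIP table (CIDR -> country, city). Not real MaxMind data;
# RFC 5737 documentation ranges stand in for "public" addresses here.
GEO_TABLE = [
    ("203.0.113.0/24", "Example Country A", "Exampleville"),
    ("198.51.100.0/24", "Example Country B", None),          # country-level only
    ("198.51.100.128/25", "Example Country B", "Harbor City"),  # more specific
]

# Address space that can never be geolocated meaningfully (RFC 1918, loopback, link-local).
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed traceroute-style hop list (ttl, responding address).
SAMPLE_HOPS = [(1, "192.168.1.1"), (2, "10.0.0.1"), (3, "203.0.113.5"),
               (4, "198.51.100.7"), (5, "198.51.100.200")]


def build_table(rows):
    """Parse the CIDR strings once and sort longest prefix first, as GeoIP lookups do."""
    parsed = [(ipaddress.ip_network(cidr), country, city) for cidr, country, city in rows]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(ip, table):
    """Return (country, city) for ip; city is None when the data is coarser than that."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL):
        return ("private/internal", None)
    for net, country, city in table:      # longest-prefix match wins
        if addr in net:
            return (country, city)
    return ("unknown", None)


def geolocate_path(hops, table):
    """MDCR's method: look up every hop, stepping outward from the source."""
    return [(ttl, ip) + lookup(ip, table) for ttl, ip in hops]


def last_located_hop(hops, table):
    """The hop nearest the destination that resolves to a city, or None if none does."""
    for ttl, ip, country, city in reversed(geolocate_path(hops, table)):
        if city:
            return (ttl, ip, country, city)
    return None


if __name__ == "__main__":
    table = build_table(GEO_TABLE)
    for row in geolocate_path(SAMPLE_HOPS, table):
        print(row)
    print("closest located hop:", last_located_hop(SAMPLE_HOPS, table))
```

Even when a hop resolves to a city, treat the result as the location of the ISP's registered block, not of the host, as the accuracy caveats quoted above explain.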
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

And perhaps also note that the last time I checked on geoIP, using an IP address from my previous ISP, my location was reported as the city in which their corporate headquarters was located, whereas I was located some 600 kilometers away. I hope it was due to privacy concerns that location was reported that badly … I expect it was ordinary corporate fumbling, however.

Well, a few people in the US (Kansas and Las Vegas) had bigger issues with IP Geolocation, JFYI wink
https://nakedsecurity.sophos.com/2016/08/11/couple-sue-over-ip-glitch-that-repeatedly-sent-feds-to-their-house/

https://nakedsecurity.sophos.com/2013/01/18/the-man-who-steals-all-the-phones-in-las-vegas-pinpointed-precisely/

jaclaz

 
Posted : 18/04/2017 11:00 pm
(@rameez)
Posts: 1
New Member
 

There are a number of IP geolocation API services available in the market, but I would prefer the IP geolocation API service to trace the geolocation of network traffic as it has a rich database, high accuracy (99% at the country level and 75% at the city level), least latency and an economical price, etc. It provides country, city, state, province, local currency, latitude and longitude, company detail, ISP lookup, language, zip code, country calling code, timezone, current time, sunset and sunrise time, moonset and moonrise time from any IPv4 and IPv6 address in REST, JSON and XML format over HTTPS.

For more detail, visit the website www.ipgeolocation.io.

Regards,

 
Posted : 03/09/2019 12:42 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

… local currency … moonset and moonrise time from any IPv4 and IPv6 address …

Wow, great 😯 , next time there will be an investigation on mercenary werewolves on the 'net roll this resource will prove invaluable.

jaclaz

 
Posted : 03/09/2019 3:17 pm
(@athulin)
Posts: 1156
Noble Member
 

… but I would prefer the IP geolocation API service to trace the geolocation of network traffic as it has a rich database, high accuracy (99% at the country level and 75% at the city level), least latency and an economical price, etc.

That statement sounds as if it is based on some kind of study. Could you provide information about where this study was published? Or, in the absence of a study (or perhaps I should say, an independent study), how the accuracy estimates were derived, and what max and average errors they exhibit?

 
Posted : 03/09/2019 4:10 pm
watcher
(@watcher)
Posts: 125
Estimable Member
 

If you cannot do live traceroutes, consider location data to be useful but suspect.

 
Posted : 05/09/2019 4:51 pm