How to trace the Geolocation of network traffic

gorvq7222
Senior Member
 

How to trace the Geolocation of network traffic

Posted: Apr 18, 17 20:23

A case about a suspicious malware App. A forensic examiner captured some pcap files and he had to know where the destination is. Let me show you how to solve it with Wireshark. First you have to download GeoIP database files. Extract those archive files and put them into some directory. You guys could take a look at my blog at the link below:
www.cnblogs.com/pieces...25312.html  
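The workflow this post describes (pull the destination addresses out of the capture, then look each one up in a GeoIP database), written out as an added example that is not the poster's code and not taken from the linked blog. It assumes a classic libpcap file with Ethernet framing; GEOIP_TABLE is a constructed stand-in for the real database files (in a case you would load the downloaded GeoIP data instead), and carries an accuracy radius to make clear that a hit is a region, not an address.

```python
import ipaddress
import struct

# Constructed stand-in for a GeoIP database: network -> (country, city, accuracy radius in km).
# A real case loads the downloaded database (e.g. MaxMind GeoLite2); these entries are made up.
GEOIP_TABLE = [
    (ipaddress.ip_network("198.51.100.0/24"), ("Exampleland", "Capital City", 200)),
    (ipaddress.ip_network("203.0.113.0/24"), ("Testonia", None, 1000)),
]

def parse_pcap_dst_ips(pcap_bytes):
    """Return destination IPv4 addresses (as strings) from a libpcap capture with
    Ethernet link type. pcapng files and non-IPv4 frames are not handled."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are handled")
    dsts, offset = set(), 24
    while offset + 16 <= len(pcap_bytes):
        # record header: ts_sec, ts_usec, incl_len, orig_len
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])[2]
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header, EtherType 0x0800 = IPv4; IPv4 dst is IP header bytes 16..20
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            dsts.add(str(ipaddress.ip_address(frame[30:34])))
    return dsts

def geolocate(ip_str):
    """Longest-prefix match against GEOIP_TABLE; None when no range covers the address."""
    ip = ipaddress.ip_address(ip_str)
    hits = [(net, loc) for net, loc in GEOIP_TABLE if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def locate_destinations(pcap_bytes):
    """Map every destination in the capture to its coarse GeoIP record (or None)."""
    return {ip: geolocate(ip) for ip in sorted(parse_pcap_dst_ips(pcap_bytes))}

def build_sample_pcap(dst_ips):
    """Constructed capture: one minimal IPv4 frame (headers only, no payload) per destination."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    src = ipaddress.ip_address("192.0.2.10").packed
    for dst in dst_ips:
        ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0, src, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip_hdr  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

Running `locate_destinations(build_sample_pcap([...]))` on the constructed capture gives one record per destination, with None for the RFC 1918 address the table does not cover.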
 
  

athulin
Senior Member
 

Re: How to trace the Geolocation of network traffic

Posted: Apr 18, 17 20:59

- gorvq7222
A case about a suspicious malware App. A forensic examiner captured some pcap files and he had to know where the destination is. Let me show you how to solve it with Wireshark. First you have to download GeoIP database files.


As the blog entry doesn't explain how, I can only assume that it's the free databases at dev.maxmind.com/geoip/.../geolite/.

The warning message on that site would have been useful to repeat:
IP geolocation is inherently imprecise. Locations are often near the center of the population. Any location provided by a GeoIP database should not be used to identify a particular address or household.

and a note on another page describing accuracy issues that:
IP geolocation is more accurate for broadband IP addresses and less accurate for cellular networks


And perhaps also note that the last time I checked on geoIP, using an IP address from my previous ISP, my location was reported as the city in which their corporate headquarters was located, whereas I was located some 600 kilometers away. I hope it was due to privacy concerns that location was reported that badly ... I expect it was ordinary corporate fumbling, however.  
 
  

MDCR
Senior Member
 

Re: How to trace the Geolocation of network traffic

Posted: Apr 18, 17 22:27

Good luck tracking down mobile internet users to a geological position. Or TOR/VPN users.

I am regularly doing nslookup on my IP address and sometimes it says Slovakia or Iran, because the registrars do not update their address assignment. Also some IPv4 addresses are shared across the globe during different timezones.

Best way I've found is to track the location by doing a traceroute, then locating each IP from the source, stepping out from the original IP one step at a time. But even that can be an inexact method.
 
  

jaclaz
Senior Member
 

Re: How to trace the Geolocation of network traffic

Posted: Apr 18, 17 23:00

- athulin

And perhaps also note that the last time I checked on geoIP, using an IP address from my previous ISP, my location was reported as the city in which their corporate headquarters was located, whereas I was located some 600 kilometers away. I hope it was due to privacy concerns that location was reported that badly ... I expect it was ordinary corporate fumbling, however.

Well, a few people in the US (Kansas and Las Vegas) had bigger issues with IP Geolocation, JFYI:
nakedsecurity.sophos.c...eir-house/

nakedsecurity.sophos.c...precisely/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 