WireShark is a free and open-source packet analyzer. It can be used to check for network attacks or to troubleshoot networking issues. Meanwhile, MMDB is a database format created by MaxMind for IP lookup. Inside WireShark, there is an option to retrieve IP geolocation data using the MMDB IP database. In this article, we’ll explore how to use IP2Convert Geolocation File Format Converter to read data from IP2Location LITE DB9 IPv6 CSV file and generate the corresponding GeoLite2 City MMDB file.
So why the need for conversion?
Wireshark natively supports the MMDB format from MaxMind for geolocation services. However, if you want to use an alternative geolocation service like IP2Location, there is no external plugin available for integration. The only method would be via the MMDB data file. Therefore, this tutorial provides a workaround to convert the IP2Location CSV file into MMDB format so it can be used by WireShark with the geolocation function turned on.
Let’s get started with our guide for the conversion.
Installing WireShark
First and foremost, you will need to have WireShark installed on your system. In our case, we are doing the conversion on our Windows 11 machine, hence the steps will be more Windows-specific. Do note however that WireShark can also be used on Linux or macOS; just adapt the steps for the platform you are using. We’ll download WireShark from https://www.wireshark.org/download.html and install it on our Windows 11 machine.
Download the IP2Convert tool
Now, we’ll download the free IP2Convert tool from GitHub at https://github.com/ip2location/ip2convert/releases/latest where we will get the windows_amd64 version. Remember to download the version specific to your platform. Extract the .exe file into a folder. In our case, we’ll use C:\TestWireShark\ as our folder to store the IP2Convert executable.
Download the IP2Location LITE DB9 IPv6 CSV
The IP2Location LITE DB9 IPv6 CSV file can be downloaded for free after signing up for an account. Extract the file IPV6-COUNTRY-REGION-CITY-LATITUDE-LONGITUDE-ZIPCODE.CSV from the downloaded zipped file and save it to the same folder as above.
Your TestWireShark folder should now look like the below:
In our case, the latest version of IP2Convert at the time of writing is 1.2.1, so that’s what you’ll see above. To keep the commands short, let's rename the .exe to ip2convert.exe so there is less to type in the next steps.
Let’s generate the MMDB file
Open a Command Prompt window and navigate to the TestWireShark folder.
cd C:\TestWireShark
Then run the below command to perform the CSV to MMDB conversion.
ip2convert csv2mmdb -t city -i IPV6-COUNTRY-REGION-CITY-LATITUDE-LONGITUDE-ZIPCODE.CSV -o DB9IPV6.mmdb
The -t parameter specifies the MMDB type to generate (here city, i.e. the GeoLite2 City layout), while -i and -o specify the input CSV file and the output MMDB file respectively.
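To make clear what a CSV-to-MMDB conversion actually has to do, here is an added Python example (not IP2Convert's code and not part of the original article). An MMDB is keyed by CIDR prefixes, whereas each IP2Location CSV row describes an arbitrary integer range ip_from..ip_to, so the converter must split every range into aligned prefixes and attach a record in the GeoLite2 City shape (country.iso_code, city.names.en, location.latitude and so on) that Wireshark reads. The column order below is assumed from the DB9 product's documented field list, the sample rows are constructed rather than real data, and the exact record mapping IP2Convert applies is an assumption; the example stops short of writing the binary MMDB and instead keeps the table in memory with a longest-prefix lookup so the result can be checked.

```python
import csv
import io
import ipaddress

# Assumed column layout of the IP2Location LITE DB9 IPv6 CSV
# (ip_from/ip_to are 128-bit integers); verify against your downloaded file.
DB9_FIELDS = ["ip_from", "ip_to", "country_code", "country_name",
              "region_name", "city_name", "latitude", "longitude", "zip_code"]


def _v6_int(addr):
    """128-bit integer form of an IPv6 address, as used in the ip_from/ip_to columns."""
    return int(ipaddress.IPv6Address(addr))


# Constructed sample rows, NOT real IP2Location data. The second row is deliberately
# not prefix-aligned (0x300 addresses), and the third is an IPv4-mapped range
# (::ffff:a.b.c.d), which the IPv6 CSV uses to carry IPv4 space.
SAMPLE_CSV = "\n".join([
    f'"{_v6_int("2001:db8::")}","{_v6_int("2001:db8:0:ffff:ffff:ffff:ffff:ffff")}",'
    '"AU","Australia","New South Wales","Sydney","-33.867850","151.207320","2000"',
    f'"{_v6_int("2001:db8:2::")}","{_v6_int("2001:db8:2::2ff")}",'
    '"IE","Ireland","Leinster","Dublin","53.333060","-6.248890","D02"',
    f'"{_v6_int("::ffff:203.0.113.0")}","{_v6_int("::ffff:203.0.113.255")}",'
    '"MY","Malaysia","Kuala Lumpur","Kuala Lumpur","3.139000","101.686860","50000"',
])


def parse_db9_csv(text):
    """Yield (networks, record) per CSV row: the integer range split into CIDR blocks,
    plus a record laid out like a GeoLite2 City entry (the shape Wireshark expects)."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=DB9_FIELDS)
    for row in reader:
        first = ipaddress.IPv6Address(int(row["ip_from"]))
        last = ipaddress.IPv6Address(int(row["ip_to"]))
        # An arbitrary range may need several aligned prefixes in the MMDB tree.
        networks = list(ipaddress.summarize_address_range(first, last))
        record = {
            "country": {"iso_code": row["country_code"],
                        "names": {"en": row["country_name"]}},
            "subdivisions": [{"names": {"en": row["region_name"]}}],
            "city": {"names": {"en": row["city_name"]}},
            "location": {"latitude": float(row["latitude"]),
                         "longitude": float(row["longitude"])},
            "postal": {"code": row["zip_code"]},
        }
        yield networks, record


def build_table(text):
    """Flatten rows into (network, record) pairs sorted by address, the order in which
    an MMDB writer would insert them into its prefix tree."""
    table = [(net, rec) for nets, rec in parse_db9_csv(text) for net in nets]
    table.sort(key=lambda t: (int(t[0].network_address), t[0].prefixlen))
    return table


def lookup(table, addr):
    """Longest-prefix match, mirroring an MMDB lookup. Plain IPv4 literals are
    mapped to ::ffff:a.b.c.d so they hit the IPv4-mapped rows of the IPv6 file."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address(f"::ffff:{ip}")
    best = None
    for net, record in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, record)
    return best[1] if best else None


if __name__ == "__main__":
    table = build_table(SAMPLE_CSV)
    for net, rec in table:
        print(f"{str(net):32} {rec['country']['iso_code']} {rec['city']['names']['en']}")
    for probe in ("2001:db8::1", "2001:db8:2::2ab", "203.0.113.5", "2001:db8:3::1"):
        hit = lookup(table, probe)
        print(probe, "->", hit["city"]["names"]["en"] if hit else "no match")
```

The practical point for checking a converted file: a single CSV row can become several MMDB networks (the Dublin range above becomes a /119 plus a /120), so a row count comparison between CSV and MMDB is not a valid sanity check; spot-checking lookups of addresses from a few rows is.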
Launch WireShark and configure the IP geolocation function
Launch WireShark then click on “Edit” in the menu bar. Click on “Preferences”.
You should now see the Preferences window. Click on “Name Resolution” on the left-hand side. There are a couple of settings we need to set. Make sure the “Enable IP geolocation” checkbox is checked. Next, click on “Edit” next to “MaxMind database directories”.
Add the folder that we’ve created above into the list. Then click on OK.
Select the network adapter to capture traffic
You can double click on the network adapter that you want to capture the network traffic from. In our example, it’s “Ethernet 2”.
Start the network traffic capture
Click the start capture button and you should start seeing a bunch of traffic coming and going from the adapter you’ve selected.
Take a look at the inline geolocation data
Once you’ve captured enough traffic, stop the capture and delve into the IP geolocation data. Click on one of the lines of traffic and expand the “Internet Protocol Version 6” section to see the IP geolocation for the traffic source and destination.
We can see that the source of the traffic is Sydney, Australia while the destination is Kuala Lumpur, Malaysia.
See the geolocation for all endpoints
That’s just one line of traffic. Now, let’s go to the Endpoints window to view the geolocation of every endpoint in the capture. In the menu, click on “Statistics” and then click on “Endpoints”.
Inside, you’ll see the window below. Just click on the IPv4 or IPv6 tab and you can view all of the IP geolocation data. It’s a quick way to scan for potential issues.
View the geolocations on a map
Looking at the list of locations is useful for troubleshooting and security purposes. But sometimes you want a visual representation of the locations, and that’s what the map feature is for. With the locations plotted on a map, you can easily discern whether the traffic is coming from specific regions. Click on “Map” then click on “Open in browser”.
All of the geolocations are now shown on the map below. Pretty interesting and useful.
Bonus Tip: Filtering the traffic by geolocation
Let’s close the Endpoints window and take another look at the main capture window. The data, while useful, certainly could use some filtering to make more sense. Say that I want to see traffic to Dublin. We can easily right-click on the city name and click “Prepare as Filter” then click “Selected”.
You’ll now see the filter created near the top of the window. Press the arrow at the end of the green bar and you’ll see the filtering being applied.
Now, you’ll only see traffic that matches the filter which is Dublin, Ireland as the destination.
Conclusion
Hope you’ve found our little guide for using IP2Convert to create MMDB files and using them in WireShark useful in your day-to-day operations. With IP2Convert, you now have the flexibility to deploy IP geolocation data from IP2Location wherever MMDB is supported. We’ve shown you how to use the generated MMDB in WireShark, but you could potentially use the MMDB files in other applications that utilize MMDB files for geolocation.
Disclaimer
MaxMind and GeoIP are registered trademarks of MaxMind, Inc.
Wireshark and the “fin” logo are registered trademarks of the Wireshark Foundation.
IP2Location and IP2Proxy are registered trademarks of Hexasoft Development Sdn. Bhd.
For more tutorials, please visit IP2Location IP Geolocation.