HowTo Geolocate Network Packet Capture Data: Difference between revisions

Revision as of 12:44, 12 October 2010

***Note: Page Under Construction***


Overview

This HowTo explains the procedure for geolocating IPv4 Address Conversations using the NST WUI and rendering the results on either a Mercator World Map projection or on a KML Earth Browser such as Google Earth, Google Maps or Marble.

There are a couple of items to consider prior to starting IPv4 Address Conversations geolocation. First, does the network packet capture make sense to use for geolocation? The list below gives packet capture characteristics that would not be considered desirable for geolocation:

  • No IPv4 Addresses exist in the capture file. Results: No geolocations would be rendered.
  • All hosts in the capture file are located at the same physical location. Results: Geolocations would appear at a single point.
  • All hosts are Private IP Addresses with no associated geolocation database information. Results: No geolocations would be rendered. Note: This condition can be corrected, see section: IP Geolocation Database & Adjustments.

Secondly, has a geolocation database been configured for your NST probe? This includes configuring any Private IPv4 Address or Network geolocation information; see section: IP Geolocation Database & Adjustments.

Geolocate IPv4 Address Conversations

IP Geolocation Database & Adjustments

Make sure that a geolocation database has been configured for your NST probe prior to attempting to use IPv4 Address Conversations geolocation. Use the 'IP Geolocate Configure' button shown below to manage the global geolocation policy for the NST system. This allows one to make latitude and longitude coordinate adjustments, configure Private IPv4 Address & Network coordinate locations and select a geolocation database source. In addition, one can also download and manage the MaxMind "GeoIP Country Edition", the enhanced "GeoIP Lite City Edition" and the "GeoIP AS Number Edition" data sets.

Network Packet Capture Text-Based Protocol Analyzer Decode

Both the NST WUI Single-Tap and Multi-Tap Network Packet Capture implementations support the ability to geolocate an IPv4 Address Conversation List derived from a tshark decode. Once a capture file is available for decode analysis, you can then perform IPv4 Address Conversation List geolocations. The caption below shows the Text-Based Protocol Analyzer Decode section for the Single-Tap Network Packet Capture implementation with the Advanced Decode Protocol Analyzer Options folder expanded. One can use the "Conversations - World Map" button to render IPv4 Address Conversations on a Mercator World Map bitmap image or the "Conversations - KML" button to render the IPv4 Address Conversations on an Earth Browser like Google Earth.

Geolocate Mercator World Map Conversation List Options

The following options are available when generating an IPv4 Address Conversations Mercator World Map:

  • Mark Type: Select either a "point", "plus sign" or a "star" as the marker symbol.
  • Mark Color: Select the marker symbol color from a set of predefined colors.
  • Connect Conversation Lines: If selected, a line between each conversation host endpoint will be drawn. If unselected, just plot the hosts that can be geolocated from the network packet capture.
  • Conversations Annotation: Use this text field to describe the IPv4 Address Conversations Mercator World Map. If omitted, the capture note associated with the capture file will be used.

Geolocate KML Conversation List Options

The following options are available when generating an IPv4 Address Conversations KML document for rendering on Google Earth:

  • Conversation Line Width: Select a fixed conversation line width from 1 to 10 pixels. One can also select the value: "graduated" to set each conversation line width based on the total sent and received network traffic for the conversation.
  • Conversations Annotation: Use this text field to describe the IPv4 Address Conversations KML document. If omitted, the capture note associated with the capture file will be used.
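The following is an added example, not NST's own code, showing how a conversation list such as the one tshark produces can be turned into a KML document with the options described above: a graduated line width scaled onto the 1 to 10 pixel range from each conversation's total sent and received bytes, hosts that have no geolocation data left unrendered, and a private network pinned to coordinates in the way the IP Geolocation Database & Adjustments section describes. The conversation list and the geolocation table are constructed sample data, not output from a real capture.

```python
import ipaddress
from xml.sax.saxutils import escape
# Constructed sample conversation list (src, dst, bytes src->dst, bytes dst->src),
# the fields an IPv4 conversation decode provides. Values are made up.
CONVERSATIONS = [
    ("192.168.1.10", "8.8.8.8", 1200, 34000),
    ("192.168.1.10", "198.51.100.7", 500, 900),
    ("10.0.0.5", "203.0.113.9", 80000, 120000),
]

# Constructed stand-in for the geolocation database plus Private IPv4 adjustments: network -> (lat, lon).
GEO_DB = {
    "192.168.1.0/24": (38.89, -77.03),   # private LAN pinned to a site location
    "10.0.0.0/8": (51.50, -0.12),
    "8.8.8.0/24": (37.41, -122.08),
    "203.0.113.0/24": (-33.87, 151.21),
    # 198.51.100.0/24 is deliberately absent: hosts without data are not rendered
}

def geolocate(addr):
    """Longest-prefix match of addr against GEO_DB; None if nothing covers it."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, coord in GEO_DB.items():
        n = ipaddress.ip_network(net)
        if ip in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, coord)
    return best[1] if best else None

def graduated_width(total, totals, lo=1, hi=10):
    """Scale one conversation's total bytes onto the 1..10 pixel width range."""
    mn, mx = min(totals), max(totals)
    return hi if mx == mn else lo + round((total - mn) * (hi - lo) / (mx - mn))

def conversations_to_kml(convs, annotation):
    """One LineString Placemark per geolocatable conversation, one Point per host."""
    located = [c for c in convs if geolocate(c[0]) and geolocate(c[1])]
    totals = [sa + sb for _, _, sa, sb in located]
    marks, hosts = [], {}
    for a, b, sa, sb in located:
        (la, lo1), (lb, lo2) = hosts.setdefault(a, geolocate(a)), hosts.setdefault(b, geolocate(b))
        marks.append(f"<Placemark><name>{a} - {b}</name><Style><LineStyle><width>"
                     f"{graduated_width(sa + sb, totals)}</width></LineStyle></Style>"
                     f"<LineString><coordinates>{lo1},{la},0 {lo2},{lb},0</coordinates>"
                     "</LineString></Placemark>")
    for h, (lat, lon) in hosts.items():  # KML coordinates are lon,lat,alt
        marks.append(f"<Placemark><name>{h}</name><Point><coordinates>{lon},{lat},0"
                     "</coordinates></Point></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?><kml xmlns="http://www.opengis.net/kml/2.2">'
            f"<Document><name>{escape(annotation)}</name>{''.join(marks)}</Document></kml>")
```

With the sample data the 192.168.1.10 to 198.51.100.7 conversation is dropped because one endpoint has no coordinates, and the two remaining lines receive widths 1 and 10.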

Geolocate Conversation List Options

The following options are available when geolocating an IPv4 Address Conversation list using the tshark Protocol Analyzer:

  • Name Resolve: Provide network name resolution for each host in the capture file.
  • tshark Display Filter Expression: Apply a display filter to isolate or limit the amount of network traffic to geolocate.
  • Advanced Decode Options: Use an advanced decode preference option like: "-o ip.use_geoip:TRUE" to allow geolocate display filter expressions (e.g., ip.geoip.lat > "66.5").
Single-Tap Network Packet Capture Text-Based Decode Section


The screen shot below shows the tool tip for the "Conversations - World Map" button located in the "Specialized tshark Decode Output Formats" section.

Single-Tap Network Packet Capture Text-Based Decode Section With The "Conversations - World Map" Tool Tip Shown