Wireshark
 
 
What is Wireshark?
Wireshark is the world's most popular network protocol analyzer. It has a rich and powerful feature set and runs on most computing platforms including Windows, OS X, Linux, and UNIX. Network professionals, security experts, developers, and educators around the world use it regularly. It is freely available as open source, and is released under the GNU General Public License version 2.
 
 www.wireshark.org
 
 

Filters
 
 Capture Filters (cfilters): applied by libpcap while capturing, using BPF syntax; packets that do not match are never written to the capture.
 Display Filters (dfilters): applied to already captured packets using Wireshark's own filter syntax; the capture stays complete and only the view changes.
 

Help
 
 Wireshark Documentation (PDF)
 Wireshark Developer Documentation (PDF)
 

Download
 
 www.wireshark.org
 

Wireshark GeoIP
 
Newer versions of Wireshark (>1.2.3) support loading GeoIP databases, which means you can plot the public IP addresses in a capture on a map.
Download the GeoIP files from maxmind.com:
http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz
http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz
http://geolite.maxmind.com/download/geoip/database/asnum/GeoIPASNum.dat.gz
Unpack them into a directory (example: /usr/local/share/geoip).
In Wireshark, add that directory under Edit -> Preferences -> Name Resolution (GeoIP database directories).
After this, Statistics -> Endpoints shows country, city and AS number columns in the IPv4 tab, and you can create a map from there.
Only public addresses are resolved; private (RFC 1918) and other non-routable addresses stay blank in these columns.
Note: MaxMind retired these legacy .dat databases in January 2019, and Wireshark 2.6 and later read the GeoLite2 .mmdb format instead, so with a current version the download links above no longer work.
 
You can also use the GeoIP fields in display filters:
 ip and not ip.geoip.country == "United States" 
  ip.geoip.lat > 66.5 
The first filter keeps IP packets whose source and destination are both outside the United States. The leading "ip and" is needed because packets without an IP layer have no GeoIP field at all and would otherwise pass the "not" test; and it is written with "not ... ==" rather than "!=" because a packet carries both a source and a destination country and, in Wireshark versions before 3.6, "!=" matches as soon as either one differs. The second filter keeps packets with an endpoint north of latitude 66.5 (the Arctic Circle).
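The same per-country endpoint view and the two filters above can be produced headlessly with tshark, which reads the GeoIP database directory from the same preferences as the GUI. The script below is an added example for this page, not packetlevel.ch's or Wireshark's own code: the tshark command that produces the input is shown in a comment, and the functions are run over a constructed sample of that output (invented addresses and coordinates), so it runs without a capture or a database. Hosts the database cannot resolve show up with empty GeoIP fields, and the script reports them instead of silently dropping them.

```shell
#!/bin/sh
# Added example (not from the original page): rebuild the GeoIP endpoint
# statistics and the two display filters headlessly with tshark + awk.
#
# On a real capture, export one CSV line per IP packet. The field names are
# the GeoIP fields Wireshark adds once a database directory is configured
# (use -R instead of -Y on Wireshark 1.x):
#
#   tshark -r capture.pcap -Y ip -T fields -E separator=, -E occurrence=f \
#       -e ip.src -e ip.geoip.src_country -e ip.geoip.src_lat | count_by_country
#
# Only source-side fields are exported here, so the filters below look at the
# source endpoint only; add the ip.geoip.dst_* fields for the other direction.

# Constructed sample of that tshark output (not a real capture). The first
# column is ip.src, then ip.geoip.src_country, then ip.geoip.src_lat.
# 192.168.1.10 is RFC 1918 and therefore has no GeoIP match (empty fields).
SAMPLE_CSV='192.168.1.10,,
8.8.8.8,United States,37.751
203.0.113.7,Australia,-27.47
185.199.108.153,United Kingdom,51.5
192.168.1.10,,
195.198.222.51,Norway,69.65
8.8.4.4,United States,37.751'

# Unique source endpoints per country, the per-country view you get from
# Statistics -> Endpoints -> IPv4. Unresolved hosts are counted separately.
count_by_country() {
    awk -F, '
        $2 == ""    { unresolved[$1] = 1; next }   # no GeoIP match
        !seen[$1]++ { n[$2]++ }                    # count each IP once
        END {
            for (c in n) printf "%d %s\n", n[c], c
            u = 0; for (h in unresolved) u++
            if (u) printf "%d (no GeoIP match)\n", u
        }' | sort -rn
}

# Source-side equivalent of:  ip and not ip.geoip.country == "United States"
# The $2 != "" test plays the role of the leading "ip and": unresolved hosts
# are not "outside the United States", they are simply unknown.
not_us() {
    awk -F, '$2 != "" && $2 != "United States" { print $1 }' | sort -u
}

# Source-side equivalent of:  ip.geoip.lat > 66.5   (north of the Arctic Circle)
arctic() {
    awk -F, '$3 != "" && $3 + 0 > 66.5 { print $1 }' | sort -u
}

printf '%s\n' "$SAMPLE_CSV" | count_by_country
printf '%s\n' "$SAMPLE_CSV" | not_us
printf '%s\n' "$SAMPLE_CSV" | arctic
```

Counting unique addresses rather than packets is what makes the result comparable to the Endpoints window; counting lines instead would weight the output by traffic volume, which is a different (also useful) statistic.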

Useful Information
 
 Advanced Scripting and CLI Usage with tshark
 
(c) 2009 by packetlevel.ch / last update: 13.10.2009