We usually need to create an executive report when we are involved in an incident handling. In these cases, a good option could be to include in it a world map with the connections which were established in the incident. Maybe we are interested in showing on a map where the command an control servers are hosted or for example to show which countries the distributed denial of service came from...

To achieve this purpose I am going to show you how to create a map using Wireshark. The last Wireshark version 1.10.2 will be used in this guide.

The first thing we need to do is to  download the GeoIP database: GeoLite City, Country, and ASNum from the link below: http://geolite.maxmind.com/download/geoip/database/ (free download).



Then, we need to put into a folder the files contained in the downloads above, for example "C:\Geoip".


Now, we need to tell Wireshark where the GeoIP files are. To achieve this, we need to open Wireshark and go to Edit -> Preferences - > Name Resolution and click on Edit in the "GeoIP database directories" section...


... and create a New path where the files were saved, in this case "C:\Geoip".


It is necessary to restart Wireshark in order to apply the changes. Now, we only need to load a PCAP file or create a new traffic capture. When we have all the traffic captured and we want to create the map with the connection involved in the incident, we need to go to Statistics -> Endpoints...


... select the IPv4 tab and click on the map bottom. Notice that if for example you have set a filter in Wireshark only with the UDP connections which are related to the malware, you can select "Limit to display filter" in order to only print these connections on the map. Then you click on map.


Finally, we have a dynamic map complete connections on the map. In this case, I've used the PCAP file related to the attack to php.net which can be downloaded from the Barracuda website here.