GeoIP is a technology developed by the MaxMind group. It uses geolocation technology. Geolocation is the identification of the real-world geographic location of an Internet-connected computer, mobile device, website visitor or other endpoint. IP address geolocation data can include information such as country, region, city, postal/zip code, latitude, longitude and timezone. "Geolocation" may refer to the practice of assessing the location, to the actual assessed location, or to the locational data itself.

This technology can be crucial when tracing back an attack on your network, or if you want to monitor web usage trends by location. It is an experimental feature in Wireshark, but a nice feature to have. This feature is available only in Wireshark 1.2.

1. First, get the GeoIP database files.
2. Go to www.maxmind.com and click on "GeoLocation technology".
3. On the right-hand side there is an area for "Free and Open Source Databases and services". Download:
   GeoLite Country [ http://www.maxmind.com/app/geolitecountry ]
   GeoLite City [ http://www.maxmind.com/app/geolitecity ]
   GeoLite ASN (autonomous system number) [ http://geolite.maxmind.com/download/geoip/database/asnum/ ]
   All the files mentioned above have been attached to this article as a zip file.
4. After downloading the zip files, extract them to a common location, e.g. e:\GeoIP.
5. In Wireshark 1.2, click on Edit->Preferences.
6. Click on Name Resolution.
7. At the bottom you will see a button "GeoIP Database Directories".
8. Click on that button.
9. Then click on Add and enter the path name.
10. Click on OK, and then OK again.
11. Restart Wireshark.

Now visit a website, e.g. www.braziltour.com. In Wireshark, click on Statistics->Endpoints and select the IPv4 tab. You will notice that on the right-hand side the City, Country and ASN number are listed for every packet transaction.

Click on the Map button at the bottom of the window [an Internet connection is required for this step]. It creates an HTML file named ipmap.html in the temp directory, along with ipmap.txt.
You can use the ip.geoip display filters to filter traffic.
Exclude Brazil-based traffic:
ip and not ip.geoip.country == "Brazil"
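To show what the country lookup behind the Endpoints tab and the ip.geoip.country filter actually does, here is an added Python example (not part of this article, and not MaxMind's or Wireshark's own code). It assumes the legacy GeoLite Country CSV layout (start IP, end IP, start integer, end integer, ISO code, country name); the sample rows use RFC 5737 documentation addresses with made-up country assignments. It resolves endpoint addresses to countries, counts traffic per country, and applies the same exclusion logic as the display filter above.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the legacy GeoLite Country CSV layout (assumed format).
# Addresses come from the RFC 5737 documentation ranges and the country
# assignments are invented for this example; a real database has many
# thousands of such rows.
SAMPLE_CSV = '''\
"192.0.2.0","192.0.2.255","3221225984","3221226239","BR","Brazil"
"198.51.100.0","198.51.100.255","3325256704","3325256959","US","United States"
"203.0.113.0","203.0.113.255","3405803776","3405804031","DE","Germany"
'''


class GeoIPCountryDB:
    """Range table of (start_int, end_int, iso_code, country_name), searched by bisect."""

    def __init__(self, ranges):
        # Sort by start address so a binary search can find the candidate range.
        self.ranges = sorted(ranges)
        self.starts = [r[0] for r in self.ranges]

    @classmethod
    def from_csv(cls, text):
        ranges = []
        for row in csv.reader(io.StringIO(text)):
            if len(row) < 6:
                continue  # skip blank or malformed lines
            # Derive the integers from the dotted addresses rather than trusting
            # columns 3 and 4, so a corrupted row cannot mis-map a range.
            start = int(ipaddress.IPv4Address(row[0]))
            end = int(ipaddress.IPv4Address(row[1]))
            ranges.append((start, end, row[4], row[5]))
        return cls(ranges)

    def lookup(self, ip):
        """Return (iso_code, country_name) for ip, or None if no range covers it."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1
        if i >= 0 and self.ranges[i][0] <= n <= self.ranges[i][1]:
            return self.ranges[i][2], self.ranges[i][3]
        return None


def country_counts(db, endpoints):
    """Per-country endpoint counts, the 'usage trend by location' view.

    Addresses with no database hit (private ranges, gaps) are counted under
    'unresolved' so they do not silently disappear from the picture.
    """
    counts = {}
    for ip in endpoints:
        hit = db.lookup(ip)
        name = hit[1] if hit else "unresolved"
        counts[name] = counts.get(name, 0) + 1
    return counts


def exclude_country(db, endpoints, country_name):
    """Keep endpoints whose resolved country is not country_name.

    Mirrors the display filter  ip and not ip.geoip.country == "Brazil":
    an address with no GeoIP match has no ip.geoip.country field, so the
    comparison is false and the 'not' keeps the packet.
    """
    kept = []
    for ip in endpoints:
        hit = db.lookup(ip)
        if (hit[1] if hit else None) != country_name:
            kept.append(ip)
    return kept


if __name__ == "__main__":
    db = GeoIPCountryDB.from_csv(SAMPLE_CSV)
    # Constructed endpoint list standing in for the IPv4 Endpoints tab.
    endpoints = ["192.0.2.10", "192.0.2.77", "198.51.100.7", "203.0.113.255", "10.0.0.1"]
    print(country_counts(db, endpoints))
    print(exclude_country(db, endpoints, "Brazil"))
```

Note that addresses outside every range (here 10.0.0.1) pass through the exclusion filter, exactly as they do in Wireshark; when you hunt for traffic from a given country, pair the negative filter with a check on unresolved endpoints rather than assuming everything left is foreign.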