This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I only filter data/ip’s from a specific country?

0

How do I only filter data/ip's from a specific country? To keep this short: I want to specifically only display ip's and packet data from India, not filter it out. I am unable to find anything on how to do this.

asked 19 Nov '16, 15:13

Jacob%20G's gravatar image

Jacob G
6112
accept rate: 0%


One Answer:

0

Enable GeoIP lookups on IP and (display) filter ip.geoip.src_country == "India"

answered 19 Nov '16, 16:19

Jaap's gravatar image

Jaap ♦
11.7k16101
accept rate: 14%

Please also take a look at two tutorials on how to attach GeoIP databases to Wireshark:

http://www.lovemytool.com/blog/2014/10/wireshark-and-geoip-by-betty-dubois.html

https://www.youtube.com/watch?v=fX3hllaCFl8

(20 Nov '16, 00:39) Packet_vlad

...and also bear in mind that as some intentional and unintentional source IP obfuscating schemes exist, GeoIP only tells you where the device with public IP which has sent the packet is located, not where the user is located. There may be a branch office in India with a VPN to the headquarters in U.S. and all the traffic from the branch office may get to the internet via the HQ, and you may also have a reverse scheme with the HQ in India and the branch office in the U.S.

To make things even more complex, some people use VPNs to reach "obfuscation gateways" for public use if they want to prevent their network administrator from seeing where they browse.

(20 Nov '16, 01:32) sindy