A case about suspicious malware App. A forensic examiner capatured some pcap files and he'd to know where the desitnation is. Let me show you how to solve it with wireshark. First you have to download GeoIP database files. Extract those archive files and put them into some directory.
Now goto [EDIT]->[Preference]
Click [Name Resolution] and [Edit] to setup the directory of GeoIP databases.
Click [New] to create a new entry.
Browse the directory to find where the GeoIP database files located.
Don't forget to click [OK] and restart wireshark.
Open a pcap file and click [Statistics]->[Endpoints]->[IPv4]
Take a look at [Country] and [City] and you will find where this malware has been.
