Ok so I’ve seen quite a few people ask how you can get a scammers IP address using wireshark. And so I thought I would share a tutorial on how to do it. Now for this tutorial you’re going to need Wireshark and 3 other files. GeoLite2 City, GeoLite2 Country, and GeoLite2 ASN. You’re going to need to download the MaxMind DB binary can version can be found here (MaxMind Server IP Addresses) after you’ve done that, then we can get started.
You might be wondering what someone could do with an IP address and there is quite a bit. See the first thing is someone can “turn the router into a toaster oven”. Second option some would be grey hat would have is break into the router itself putting the IP as a URL and seeing if it brings them to the router login portal. And yes that does happen. And if perhaps this person was really good, they could scan ports and see if any are open. And see what services are running. And possibly being able to gain administrative access to the router through that way. A more simple use would be just to see where the scammer is located (https://check-host.net) is a good site for that.
Now honestly Im kinda lazy and dont feel like writing an essay so here is the video I used GeoIP With Wireshark - YouTube
Video isnt made by me btw. But yeah once you have GeoIP set up, you are now ready to bait a scammer. Now note that not all remote connection software shows the IP of the person who connects. So I’ve made a list of the ones that do and dont show IP.
TeamViewer: Shows IP
Anydesk: Shows IP
Logmeinrescue: Shows IP
Gotoassist: Does not show IP