I recently saw a presentation by Stefano Fratepietro, project leader of DEFT Linux, a live CD dedicated to the world of Computer Forensics. Among the many interesting things shown in this presentation (expect a test drive of DEFT Linux) there was also a short presentation of Xplico, a tool used to analyze a captured network session.
So what’s Xplico?
From the forensic wiki:
Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (pcap file or real-time acquisition). For example, Xplico is able to extract all e-mails carried by the POP and SMTP protocols, and all content carried by the HTTP protocol, from a pcap file.
Xplico is released under the GNU General Public License.
So the goal of Xplico is to extract the application data contained in captured Internet traffic. To do this, Xplico supports a large set of plugins that can “decode” the network traffic: for example, from a pcap file Xplico extracts each e-mail (POP, IMAP and SMTP protocols), all HTTP content, each VoIP call (SIP), FTP, TFTP, and so on.
As a further example, Xplico can build a .mp3 file from a SIP call, and with this audio file you’ll be able to listen to the full conversation.
Xplico can be used through a web interface that allows you to create new cases, upload new files or display any decoded material.
The Xplico Interface (XI) is developed in PHP and is based on the CakePHP framework. This interface can use either an SQLite or a MySQL database; at the moment only the SQLite dispatcher is completed and tested in the Xplico decoder.
The MySQL database dispatcher and the XI configuration file for MySQL can be obtained from iSerm.
Alternatively, Xplico can also be used in console mode, which lets you decode a single pcap file, a directory of pcap files, or decode in real time from an Ethernet interface (eth0, eth1, …).
- Protocols supported: HTTP, SIP, IMAP, POP, SMTP, TCP, UDP, IPv6, …;
- Port Independent Protocol Identification (PIPI) for each application protocol;
- Output of data and information to an SQLite or MySQL database and/or files;
- Each piece of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap containing the reassembled data;
- Real-time elaboration (depends on the number of flows, the types of protocols and the performance of the computer: RAM, CPU, HD access time, …);
- TCP reassembly with ACK verification for every packet, or soft ACK verification;
- Reverse DNS lookup from the DNS packets contained in the input files (pcap), not from an external DNS server;
- No size limit on input data or on the number of input files (the only limit is HD size);
- IPv4 and IPv6 support;
- Modularity. Each Xplico component is modular: the input interface, the protocol decoder (dissector) and the output interface (dispatcher) are all modules;
- The ability to easily create any kind of dispatcher with which to organize the extracted data in the way most appropriate and useful to you;
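To make the input / dissector / dispatcher pipeline described above concrete, here is a small added example written for this post (it is not Xplico code and uses none of its modules): it reads a pcap, reassembles each TCP flow by sequence number, discarding retransmitted segments, and then extracts the request line and Host header of every HTTP request, which is a toy version of what Xplico's HTTP dissector does before handing data to a dispatcher. The capture is constructed inline (hosts 10.0.0.5, 10.0.0.7 and 192.0.2.10 are sample addresses) and includes one request split across two out-of-order segments, one retransmission and one non-IP frame. Only the little-endian pcap format with Ethernet link type is handled, and checksums are left zero in the constructed frames; the reassembly here orders by sequence number only and does not do the ACK verification that Xplico advertises.

```python
"""Minimal pcap -> TCP reassembly -> HTTP extraction pipeline (standard library only)."""
import struct
from collections import defaultdict

LINKTYPE_ETHERNET = 1
PCAP_MAGIC_LE = 0xA1B2C3D4


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Construct an Ethernet/IPv4/TCP frame (sample data; IP/TCP checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    # data offset 5 words, flags PSH|ACK, window 65535, checksum 0, urgent pointer 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap raw frames in a little-endian pcap file (24-byte global header, 16-byte record headers)."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
               for i, f in enumerate(frames)]
    return header + b"".join(records)


def iter_packets(pcap_bytes):
    """Yield raw frames from a little-endian pcap; reject other magics instead of misparsing them."""
    (magic,) = struct.unpack("<I", pcap_bytes[:4])
    if magic != PCAP_MAGIC_LE:
        raise ValueError("unsupported pcap magic/endianness")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_tcp(frame):
    """Return (flow_key, seq, payload) for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None  # not IPv4 over Ethernet (e.g. ARP)
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:
        return None  # IP protocol field is not TCP
    (total_len,) = struct.unpack("!H", frame[16:18])
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:14 + total_len]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    return (src, sport, dst, dport), seq, tcp[data_off:]


def reassemble_flows(pcap_bytes):
    """Group TCP payload per flow, order segments by sequence number, drop duplicate segments."""
    segments = defaultdict(dict)  # flow -> {seq: payload}
    for frame in iter_packets(pcap_bytes):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        flow, seq, payload = parsed
        if payload and seq not in segments[flow]:  # a retransmission repeats an existing seq
            segments[flow][seq] = payload
    return {flow: b"".join(segs[s] for s in sorted(segs)) for flow, segs in segments.items()}


def extract_http_requests(flows):
    """Pull method, path and Host header out of each reassembled client->server stream."""
    results = []
    for (src, sport, dst, dport), data in flows.items():
        head, sep, _ = data.partition(b"\r\n\r\n")
        if not sep:
            continue  # no complete header block in this flow
        lines = head.split(b"\r\n")
        method, _, rest = lines[0].partition(b" ")
        if method not in (b"GET", b"POST", b"HEAD", b"PUT"):
            continue
        headers = {k.strip().lower(): v.strip()
                   for k, _, v in (line.partition(b":") for line in lines[1:])}
        results.append({"client": f"{src}:{sport}", "server": f"{dst}:{dport}",
                        "method": method.decode(), "path": rest.split(b" ")[0].decode(),
                        "host": headers.get(b"host", b"").decode()})
    return results


def sample_capture():
    """Constructed capture: one request split over two out-of-order segments plus a retransmission,
    one ARP frame that must be ignored, and one request on a non-standard port."""
    req1 = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: demo\r\n\r\n"
    part_a, part_b = req1[:20], req1[20:]
    req2 = b"POST /login HTTP/1.1\r\nHost: intranet.test\r\nContent-Length: 0\r\n\r\n"
    frames = [
        build_frame("10.0.0.5", "192.0.2.10", 40001, 80, 1000 + len(part_a), part_b),  # arrives first
        build_frame("10.0.0.5", "192.0.2.10", 40001, 80, 1000, part_a),
        build_frame("10.0.0.5", "192.0.2.10", 40001, 80, 1000, part_a),  # retransmission
        b"\x00" * 12 + b"\x08\x06" + b"\x00" * 28,  # ARP frame, skipped by parse_tcp
        build_frame("10.0.0.7", "192.0.2.10", 40002, 8080, 5000, req2),  # HTTP on port 8080
    ]
    return build_pcap(frames)


def analyze(pcap_bytes):
    """Full pipeline: pcap input -> TCP reassembly (dissector) -> HTTP records (dispatcher input)."""
    return extract_http_requests(reassemble_flows(pcap_bytes))


if __name__ == "__main__":
    for record in analyze(sample_capture()):
        print(record)
```

Note that the second request is recognised on port 8080 because the extractor looks at the content rather than the port, which is the idea behind Xplico's Port Independent Protocol Identification; to run the same pipeline on a real file, replace `sample_capture()` with the bytes read from the pcap.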