XPLICO Tool for Network Forensics

Xplico is a project released under the GPL that decodes packet captures (PCAP), extracting the likes of email content (POP, IMAP, and SMTP protocols), all HTTP content, VoIP calls (SIP), IM chats, FTP, TFTP, and many others. It can be used on platforms with an embedded ARM core processor or on typical multi-core servers, making optimal use of the available resources.

“The project team is currently finishing the development of:

  • Web MSN dissector and manipulator
  • VoIP MGCP dissector
  • SMB dissector
  • Web Yahoo! chat dissector and manipulator
  • Improvements to the Python3 script

Currently you can find Xplico included in BackTrack, DEFT Linux, Orion, GnackTrack, Security Onion, and other similar Live CD/DVD distributions. If you wish to roll Xplico from source or work through your own installation options with the Debian/Ubuntu package, you can download the bits from SourceForge.

After installation you can log in to Xplico via a browser at http://<XplicoHost>:9876. The default username and password are xplico/xplico, and the administrator user is admin/xplico; you start by changing the password.” (1)

At this point we can create a new case. In Xplico a case coincides with a listening point (a capture point in the network), because the Xplico system (decoding manager, decoders, manipulators, ...) tries to correlate the extracted data in order to:

  • emulate the browser cache
  • reconstruct P2P files (downloaded over many days)
  • reconstruct files downloaded with tools

For every case we have to define:

  • a name (unique is better)
  • the source of data: whether from files or from a network interface
  • optionally, an external reference; this external reference can help you locate the repository of this new case

The email page presents a list of all emails sent and received:

Entering the Web menu we can view all HTTP contents of the session, and select or search content:

You can even have a Geomap, as Xplico produces a KML file; used with Google Earth, this file gives you a temporal and geographical map of the connections decoded by Xplico:

Xplico is not a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).
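To make concrete what an HTTP dissector has to do before any content can appear in the Web menu, here is an added example (my own code, not Xplico's) that reads a classic pcap, reassembles one TCP direction by sequence number, and splits the server's byte stream into HTTP response bodies. The capture, addresses (10.0.0.1 and 10.0.0.2) and ports are constructed inline; it handles Ethernet/IPv4 frames and Content-Length bodies only, not chunked transfer encoding, IP fragmentation or TCP options parsing beyond the data offset.

```python
import struct

def pcap_frames(data):
    # Classic little-endian pcap: 24-byte global header, then a 16-byte record header before each frame.
    assert struct.unpack_from("<I", data)[0] == 0xA1B2C3D4, "only native-endian classic pcap handled"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<I", data, off + 8)[0]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def tcp_segment(frame):
    # Ethernet / IPv4 / TCP only: returns ((src, sport, dst, dport), seq, payload) or None.
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack_from("!H", frame, 16)[0]
    tcp = frame[14 + ihl:14 + total]  # honour the IP total length so Ethernet padding is not read as data
    sport, dport, seq = struct.unpack_from("!HHI", tcp)
    return (frame[26:30], sport, frame[30:34], dport), seq, tcp[(tcp[12] >> 4) * 4:]

def reassemble(pcap_bytes):
    # One byte stream per direction: order segments by sequence number; the first copy of a retransmit wins.
    flows = {}
    for seg in map(tcp_segment, pcap_frames(pcap_bytes)):
        if seg and seg[2]:  # skip non-TCP frames and pure ACKs
            flows.setdefault(seg[0], {}).setdefault(seg[1], seg[2])
    return {f: b"".join(p for _, p in sorted(s.items())) for f, s in flows.items()}

def http_bodies(stream):
    # Split a server->client stream into response bodies via Content-Length (chunked encoding not handled).
    bodies = []
    while stream.startswith(b"HTTP/") and b"\r\n\r\n" in stream:
        head, _, stream = stream.partition(b"\r\n\r\n")
        headers = dict(line.lower().split(b":", 1) for line in head.split(b"\r\n")[1:] if b":" in line)
        length = int(headers.get(b"content-length", b"0").strip())
        bodies.append(stream[:length])
        stream = stream[length:]
    return bodies

def make_frame(seq, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02", sport=80, dport=40000):
    # Constructed test frame; checksums are left zero because nothing in this example verifies them.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

# Constructed capture: two responses cut into 20-byte segments, delivered out of order with one retransmit.
RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 12\r\n\r\nHello, NFAT!HTTP/1.1 200 OK\r\nContent-Length: 4\r\n\r\nbye!"
FRAMES = [make_frame(1000 + i, RESP[i:i + 20]) for i in (40, 0, 20, 60, 20, 80)]
SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Running `http_bodies(reassemble(SAMPLE_PCAP)[(b"\x0a\x00\x00\x01", 80, b"\x0a\x00\x00\x02", 40000)])` yields the two bodies in order despite the shuffled segments; a real capture would be read with `open(path, "rb").read()` in place of `SAMPLE_PCAP`.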

Reference:

(1) Russ McRee's article about Xplico for the ISSA Journal. The PDF file can be downloaded here.
