If you are looking for a connection scrambler for Linux that Xplico is not able to recognize, take a look at SniffJoke 0.3.


This release introduces the MMS dissector. With this dissector it is possible to reconstruct MMS messages transported over HTTP and extract the media they contain. With the new release of the Web interface it is possible to view the photos, texts and videos contained in MMS messages.

In this release of Xplico we have introduced the generation of geographical and temporal maps of the data rebuilt by Xplico. This feature, named GeoMap, can be used in both console mode and the Web interface. The files generated by GeoMap are KML files and can be used with Google Earth. To allow the visualization of connections whose source is a private IP address, we have decided that private IP addresses are located in Venice (this is a temporary solution).
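
One way to produce a GeoMap-style KML file, as an added example that is not Xplico's own code: each connection becomes a time-stamped placemark, and private sources fall back to Venice. Treating "private" as the RFC 1918 ranges is an assumption, and the GeoIP table, the sample connections and the function names are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Fallback position for private sources, as the post describes (Venice).
VENICE = (45.4408, 12.3155)  # (lat, lon), approximate city centre
# Assumption: "private" means RFC 1918. ipaddress.is_private is broader
# (it also covers loopback, link-local and documentation ranges).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed stand-in for a GeoIP database: network -> (lat, lon).
GEO_DB = {
    ipaddress.ip_network("198.51.100.0/24"): (48.8566, 2.3522),
    ipaddress.ip_network("203.0.113.0/24"): (35.6762, 139.6503),
}

def locate(ip):
    """Return (lat, lon) for an address, or None when it cannot be placed."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return VENICE
    for net, pos in GEO_DB.items():
        if addr in net:
            return pos
    return None

def build_kml(connections):
    """connections: iterable of (iso_time, src_ip, dst_ip, label) tuples."""
    kml = ET.Element("kml", xmlns="http://www.opengis.net/kml/2.2")
    doc = ET.SubElement(kml, "Document")
    for when, src, dst, label in connections:
        ends = (locate(src), locate(dst))
        if None in ends:
            continue  # an endpoint that cannot be placed is left off the map
        pm = ET.SubElement(doc, "Placemark")
        ET.SubElement(pm, "name").text = f"{label}: {src} -> {dst}"
        # TimeStamp is what drives the time slider in Google Earth.
        ET.SubElement(ET.SubElement(pm, "TimeStamp"), "when").text = when
        line = ET.SubElement(pm, "LineString")
        # KML coordinate order is lon,lat,alt (not lat,lon).
        ET.SubElement(line, "coordinates").text = " ".join(
            f"{lon},{lat},0" for lat, lon in ends)
    return ET.tostring(kml, encoding="unicode")

# Constructed sample connections (documentation address ranges).
SAMPLE = [
    ("2009-03-01T10:15:00Z", "192.168.1.20", "198.51.100.7", "http"),
    ("2009-03-01T10:16:30Z", "10.0.0.5", "203.0.113.9", "imap"),
    ("2009-03-01T10:17:00Z", "192.168.1.20", "192.0.2.1", "http"),  # unknown dst
]

if __name__ == "__main__":
    print(build_kml(SAMPLE))
```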

We have to thank:

You can find an example of MMS over HTTP here. This pcap was generated with Cap’r Mak’r and with the MMS of Flavio Poletti.

Any bug reports or suggestions are welcome.


If you sniff all Gmail traffic (before login) with tcpdump or other tools and give this capture to Xplico through the Web interface, you can view the Gmail emails, even if you have not read them (this is true only for the first emails in the list).
Obviously, before capturing the Gmail traffic, you must clear the Firefox cache to force the download of all contents, so that Xplico can rebuild all the data.
The Web interface (PHP code) is required, and it is also necessary:

  1. to use Firefox on the same machine where the Web interface (Apache) runs
  2. to enable the proxy in Firefox (HTTP proxy: localhost, Port: 80).

You can use DEFT (v3x, v4, …) to test this feature.


Even Google Calendar can be rebuilt with Xplico. In this screenshot you can view an example, obtained from the pcap file extracted from the gmail.com.pcap.e01 archive of the PyFlag project.

This feature is experimental and still in development. The engine is currently written in PHP, but we are developing an engine in C with many more features.


By March there will be a new release of Xplico. This new release will have the geographical map of the reconstructions, and (perhaps) the dissector for the Multimedia Messaging Service.
An example of a geographical map can be found here.


This is the first experiment using the Flare library.

Thanks to Raffael Marty for his help with Flare.

This representation lists all the dissectors with their dependency relationships.


This release introduces the IMAP dissector. With this dissector it is possible to reconstruct the emails transported by the IMAP protocol. The web interface is the same as in the last version.

Any bug reports or suggestions are welcome.

You can find the source code here.


An example of the effectiveness of SniffJoke is given by this pcap. It is easy to verify that Wireshark and other tools include the traffic generated by SniffJoke when they reconstruct the data, which makes the reconstruction wrong.
Try this pcap… with your best tool.


The source code of Xplico DEFT4 has been released (see download).


With DEFT4 you can capture and decode Ethernet traffic without running X (deft-gui), in this way:


DEFT4 has arrived! In this release, there are many new features.
The new features of Xplico in DEFT4 are:

  • console-mode Xplico execution
  • acquisition and processing in realtime (in console-mode)
  • access to every HTTP message. You can examine:
    • request header and body
    • response header and body
    • Therefore the request body of a POST can be viewed
  • Internet Printing Protocol (IPP) and Printer Job Language (PJL) dissectors. With these dissectors you can view, in PDF format, the pages printed with printers that use PCL5E, PCL5C, and PCL6 formats (for example HP LaserJet 2300dn, HP LaserJet 4). Other formats (e.g. Zenographics ZJ-stream) are in development
  • viewing any video carried over HTTP with content-type “video/flv” extracted from a pcap file (e.g. YouTube videos)
  • browsing all images transported in HTTP
  • improved display of Web pages extracted from a pcap file

Remember to run xplico-start from the Terminal and then launch Firefox with the URL: http://localhost

