Xplico

Currently there are at least 2 Forensic challenges in which Xplico can be used and can facilitate the analysis. These two challenges are:

• Forensic Challenge 2010 – pcap attack trace
• Ann’s AppleTV

We do not answer the questions, here we will give some indication of use of Xplico.

The “Ann’s AppleTV” pcap file has no particular problems of decoding, in fact if you process the pcap you obtain the data represented in the  two pictures below.

For the “Forensic Challenge 2010 – pcap attack trace” pcap  decoding requires more attention. In fact this pcap file has corrupted packet  (and not retransmitted), so you must disable the Xplico checksum verification (HowTo).

From cli the command is:

./xplico -c config/xplico_cli_nc.cfg -m pcap -f attack-trace.pcap

Since Xplico is able to recognize the protocols (not all) even if they use non-standard ports is easy to see what protocol was used and which data file was downloaded.
In the figure below there is the result of decoding with XI.

Enjoy .

This version of Xplico introduce new and important features:

• Facebook web chat dissector
• New XI based on CakePHP 1.2.5
• New representation of images
• For each image you can see (with the proxy enabled) the page where the image is contained
• WLAN and LLC basic dissectors
• HTTP dissector Improvements

You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

You can find this release in DEFT Vx5 Linux distribution.
You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

This version of Xplico introduce many new features:

• snoop Packet Capture File Format as input file
• DNS dissector with graphical representation in Xplico Interface (XI)
• NNTP dissector
• PPPOE dissector
• direct live acquisition from XI
• new dispatcher named CLI: this dispatcher organize the data extracted in a tree as this:
  
xdecode/<ip_src_1>/http
xdecode/<ip_src_1>/mail/
xdecode/<ip_src_1>/nntp
xdecode/<ip_src_1>/ftp
xdecode/<ip_src_1>/...
xdecode/<ip_src_2>/http
xdecode/<ip_src_2>/mail/
xdecode/<ip_src_2>/nntp
xdecode/<ip_src_2>/ftp
xdecode/<ip_src_2>/...


• default  CLI dispatcher in command line execution
• file extension for the HTTP contents

We have to thank:

• Carlos Gacimartín, for his help
• Doriano Azzena, for his support in debugging
• Matteo G.P. Flora for inspiration of DNS XI graphics
• Open Flash Chart team for their wonderful tool
• all forum users for their debug

Enjoy .

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.5.2 installed and running. It is a smart way for testing this software without altering your environment. It is just download and begin to test Xplico. You can use Xplico to decode traffic in console or via web, uploading your own traffic pcap files. Click here to download it.

Thanks to Carlos Gacimartín.

Forum: http://forum.xplico.org.
Wiki: http://wiki.xplico.org.

Enjoy.

For some time we have in mind to make available a Wiki that contains the documentation of Xplico. Soon the new Wiki will be available, even if initially it will not have much contents.

Merit and initiative of Carlos Gacimartín also a Forum will be opened. Thanks to Carlos, who has offered to maintain and administer the Forum, the Forum will allow participants to share: suggestions, use and problems concerning Xplico.

In the website of Carlos you can find also a useful help for the problem of installing the package .deb for Ubuntu 9.04.

Bricowifi has created two video tutorials. One of them explains how to perform a live capture (and decoding) of wep traffic.
The videos can be found here.
He also made a tutorial describing step by step installation of Xplico. The tutorial is in French but it is very clear.

Many thanks to Bricowifi.

It is available for download the binary package of Xplico 0.5.2 for Ubuntu 9.04.
After installation, you must follow these steps:

• edit /etc/php5/apache2/php.ini to increase the size of files to upload:
  • post_max_size = 100M
  • upload_max_filesize = 100M
• restart Apache2
• start Xplico decoding manager: sudo /opt/xplico/script/sqlite_demo.sh
• open url: http://localhost:9876 (Xplico Interface login)

For optimal viewing of web pages reconstructed by Xplico (using only the data in pcap files, and NOT go to the Internet) set the proxy in Firefox at localhost with port 9876.

Thanks to * for his help.

And now… enjoy.

This version of Xplico and especially of Xplico Interface (web user interface) introduce many new features.
Xplico :

• dissectors: Ethernet, pcap, ipv4, ipv6, ppp, sll, tcp (2 type), udp, dns, ftp, http,  icmp, imap, ipp, mms, pjl (Printer Job Language), pop, sdp, smtp, tftp, l2tp (instable), vlan (instable)
• reverse dns using only the DNS traffic in the PCAP file
• geographical and temporal map of the connections decoded (The local IP are mapped in Venezia)
• improvements of the regeneration of web pages.

Xplico Interface:

• new look (screenshot)
• summary of the data decoded
• source host selectablly
• visualization (with Wireshark) of all packets and flows that compose the content extracted/reconstructed
• usable from any PC on the network (see install)
• improvements email visualization, (downloadable attachments)
• feed list. Feed reader (RSS and Atom)
• MMS contents visualization
• improvement of research content
• improvements of the regeneration of web pages

If you search a connection scrambler for Linux that Xplico is not able to recognize, then take a look at SniffJoke 0.3.