Xplico

Xplico 1.0.1

Xplico 1.0.1 is now available!

ChangeLog:

nDPI integration
performace improved
FTP dissector improved
Added the prism dissector
CLI execution bug fixed
PCAP-over-IP SSL encryption
IRC dissector improved
File reconstruction from Fragmented Payloads improved
FaceBook Chat updated
FaceBook Message (partial)
HTTP without initial packets (packets lost)
RTP dissector improved
PCAP2WAV, RTP2WAV interface added

Enjoy.

net-sniff-ng the packet sniffing beast

In past we have written about net-sniff-ng and we have used it in tandem with Xplico.

In recent days Daniel Borkmann has released a new version of net-sniff-ng, in this new version there are many improvements and new feature. With the last version 0.5.6 net-sniff-ng can be used with Xplico without apply any patch.

So we recommend to all Xplico users to use the last version of net-sniff-ng.

To use net-sniff-ng as a network probe for Xplico on the ethernet interface eth0, with the pcap files in /opt/xplico/pol_1/sol_1 (ie first case and first session in the first case) and with an acquisition time interval of 300 seconds (5 minutes) the command to be use is:

sudo netsniff-ng -i eth0 –out /opt/xplico/pol_1/sol_1/new –silent –jumbo-support –interval 300

Enjoy with net-sniff-ng!

DEFTCON 2012

We will participate in the DEFTCON 2012 in Turin (Italy) on March 30.
The conference will be in Italian, more information and the event program can be found here.

To register, write to deftcon@deftlinux.net.

February 27, 2012
Comments Off
Binary, Dissectors, How To, Improvements, News, Release, Visualization
webmail

Xplico 1.0.0 Released

Xplico 1.0.0 is now available!

ChangeLog:

SQLite dispatcher performance improved
added the PPI dissector
added the syslog dissector
added “Bogus IP length” correction with checksum verification disabled
new Facebook Chat dissector for the new Facebook chat protocol
SIP dissector improved
IMAP dissector improved and bugs fixed
DNS dissector PIPI improved
Yahoo Webmail bugs fixed
Live/Hotmail WebMail Spanish version
GeoMap improved
PCap-over-IP

Xplico Repository (Ubuntu 11.04 or higher)

To install Xplico in your Ubuntu Server or in your Desktop now you can use the official Xplico repository. With four simple steps you can have Xplico running and updated.

sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list' sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE sudo apt-get update sudo apt-get install xplico

Thanks

Stack Overflow users.
Erika Noerenberg for her analysis in the post “Brief overview of 4 NFATs”
Victor Oppleman to suggest us to add PCap-over-IP

January 23, 2012
Comments Off
BackBox, News

BackBox and Xplico

We are started a collaboration with BackBox team. The first result of this collaboration is a new deb package which can be installed directly from Launchpad.

To install Xplico on Ubuntu the steps to follow are:

at the end of the file /etc/apt/sources.list add the lines:

deb http://ppa.launchpad.net/backbox/two/ubuntu natty main
deb-src http://ppa.launchpad.net/backbox/two/ubuntu natty main
in your terminal, enter:

sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 78A7ABE1
sudo apt-get update
install Xplico :

sudo apt-get install xplico

Enjoy!

Xplico 0.7.1: DEFT Linux 7

We are pleased to announce the DEFT Linux 7 and the new release of Xplico.

Xplico 0.7.1 fixes some bugs:

RTP bug fixed
dispatcher core functionality bug fixed
mfile manipulator bug fixed
XI bugs fixed
added DB migration tool

We are working to 1.0.0 version and you can try it here.

If you are a fun of Xplico, please vote for it 2011 Toolsmith Tool of the Year.

Enjoy!

CERT Linux Forensics Tools

Thanks to Larry Rogers the new release of Xplico can be downloaded from the CERT Linux Forensics Tools Repository. The RPM are available for Fedora 16, 15, 14 and 13.
The announcement says:

xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm – xplico is an Internet traffic decoder. See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of Python Version 3 support.

Enjoy!

November 7, 2011
Comments Off
Binary, Dissectors, Improvements, Release
aolmail, gmail, webmail, yahoo! mobile

Xplico 0.7.0: Gmail and language localization

This version introduces improvement on Webmail sniffing/decoding and the language localization.

Changelog:

upgraded the XI to Cakephp 1.3
added the ICMPv6 dissector
Ethernet dissector improved (for ICMPv6)
one of two Xplico’s deadlock is solved
fixed the communication bug between xplico and the manipulators
SDP dissector bug fixed
SIP and TCP dissectors improved
WebMail manipulator and all Python3 scripts improved (ready to new webmail entry… see pol )
added pcap file name on CLI report
capture modules log improved
new GeoIP version: 1.4.8
added IPv6 Hop-by-Hop options
Xplico and all Manipulators with dual stack (IPv4, IPv6)
XI language localization (each fix is well come): Arabic, Chinese, German, English, French, Hindi, Italian, Japanese, Portuguese, Russian, Spanish, Turkish
DNS bug fixed
added the MDNS dissector
added AOL WebMail
added Yahoo! WebMail
added Yahoo! Mail for Andorid Mobile
added Gmail

We thank:

briaeros007 (member of the forum) for his test about IPv6 functionality on Xplico’s applications
James Fisher, he has found and fixed a bug in the HTTP dissector

Enjoy Xplico!

Web Demo

We are completing the tests on 0.7.0 version. In this release the main features are:

Gmail Webmail (HTTP)
Yahoo! Mobile Mail (Andorid)
AOL WebMail (last version)
Language localization

The “WebMail sniffer” component (manipulator and python scripts) were improved.
All this features and others can be examined and tested with the Web Demo of Xplico.
Any help on Language translation and bug report or suggestions are greatly appreciated.
In the Web Demo all data can be remove by you, in anyway all data (but not the users accounts) are removed every day at 00:00 UTC. More info about Web Demo can be found here.