Xplico

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.5.2 installed and running. It is a smart way for testing this software without altering your environment. It is just download and begin to test Xplico. You can use Xplico to decode traffic in console or via web, uploading your own traffic pcap files. Click here to download it.

Thanks to Carlos Gacimartín.

Forum: http://forum.xplico.org.
Wiki: http://wiki.xplico.org.

Enjoy.

For some time we have in mind to make available a Wiki that contains the documentation of Xplico. Soon the new Wiki will be available, even if initially it will not have much contents.

Merit and initiative of Carlos Gacimartín also a Forum will be opened. Thanks to Carlos, who has offered to maintain and administer the Forum, the Forum will allow participants to share: suggestions, use and problems concerning Xplico.

In the website of Carlos you can find also a useful help for the problem of installing the package .deb for Ubuntu 9.04.

Bricowifi has created two video tutorials. One of them explains how to perform a live capture (and decoding) of wep traffic.
The videos can be found here.
He also made a tutorial describing step by step installation of Xplico. The tutorial is in French but it is very clear.

Many thanks to Bricowifi.

It is available for download the binary package of Xplico 0.5.2 for Ubuntu 9.04.
After installation, you must follow these steps:

• edit /etc/php5/apache2/php.ini to increase the size of files to upload:
  • post_max_size = 100M
  • upload_max_filesize = 100M
• restart Apache2
• start Xplico decoding manager: sudo /opt/xplico/script/sqlite_demo.sh
• open url: http://localhost:9876 (Xplico Interface login)

For optimal viewing of web pages reconstructed by Xplico (using only the data in pcap files, and NOT go to the Internet) set the proxy in Firefox at localhost with port 9876.

Thanks to * for his help.

And now… enjoy.

This version of Xplico and especially of Xplico Interface (web user interface) introduce many new features.
Xplico :

• dissectors: Ethernet, pcap, ipv4, ipv6, ppp, sll, tcp (2 type), udp, dns, ftp, http,  icmp, imap, ipp, mms, pjl (Printer Job Language), pop, sdp, smtp, tftp, l2tp (instable), vlan (instable)
• reverse dns using only the DNS traffic in the PCAP file
• geographical and temporal map of the connections decoded (The local IP are mapped in Venezia)
• improvements of the regeneration of web pages.

Xplico Interface:

• new look (screenshot)
• summary of the data decoded
• source host selectablly
• visualization (with Wireshark) of all packets and flows that compose the content extracted/reconstructed
• usable from any PC on the network (see install)
• improvements email visualization, (downloadable attachments)
• feed list. Feed reader (RSS and Atom)
• MMS contents visualization
• improvement of research content
• improvements of the regeneration of web pages

If you search a connection scrambler for Linux that Xplico is not able to recognize, then take a look at SniffJoke 0.3.

This release introduce the MMS dissector. With this dissector it is possible to reconstruct the MMS message transported by HTTP protocol and extracts the media contained. With the new release of  Web interface it is possible to view photos, texts and videos contained in MMS messages.

In this release of Xplico we have introduced the generations of geographical and temporal map of data rebuilding by Xplico. This feature named GeoMap can be used both with console mode and Web interface. The files generated by GeoMap are kml files an can be used with Google Earth. To allow the visualization of the connections whose source is a private IP address, we have decided that the private IP address are located  in Venice (this is a temporary solution).

We have to thank:

• Collin Richard Mulliner for your mms messages
• Kowsik Guruswamy for your Cap’r Makr’ tool, and for your very fast support
• SecViz for inspiration of GeoMap
• MaxMin for your open source GeoIP library
• Wireshark team for… ALL

An example of MMS over HTTP you can find here.This pcap was generated with Cap’r Makr’ and with the mms of Flavio Poletti.

Any bug reports or suggestions are welcome.

If you sniff, with tcpdump or other tools, all Gmail traffic (before login) and you give this capture to Xplico using Web interface, then you can view the emails of Gmail, even if you have not read the email (this is true only for the first emails on the list).
Obviously, before capture the Gmail traffic, you must clean the cache of Firefox to force the download of all contents, this to allow Xplico to rebuild all data.
The Web interface (PHP code) is necessary and it is also necessary:

1. to use Firefox in the same machine where is Web interface (Apache)
2. to enable proxy in Firefox  (HTTP porxy: localhost Port: 80).

You can use DEFT (v3x, v4, …) to test this feature.

Even Google Calendar can  be rebuilt with Xplico. In this screenshot you can view an example, obtained from the pcap file extracted from gmail.com.pcap.e01 archive of  PyFlag project.

This feature is experimental and it is in development. Now the engine is written in PHP but we are developing an engine in C with many more features.

By March there will be a new release of  Xplico. This new release will have the geographical map of the reconstructions, and (perhaps) the dissector for Multimedia Messaging Service.
An example of geographical map can be found here.