Open Source Network Forensic Analysis Tool (NFAT) 

Twitter E-mail RSS

Xplico 1.0.1

Vicenza
Xplico 1.0.1 is now available!

ChangeLog:

  • nDPI integration
  • performace improved
  • FTP dissector improved
  • Added the prism dissector
  • CLI execution bug fixed
  • PCAP-over-IP SSL encryption
  • IRC dissector improved
  • File reconstruction from Fragmented Payloads improved
  • FaceBook Chat updated
  • FaceBook Message (partial)
  • HTTP without initial packets (packets lost)
  • RTP dissector improved
  • PCAP2WAV, RTP2WAV interface added

Enjoy.

Ubuntu 12.04 and VirtualBox Image

The VirtualBox image of Xplico 1.0.0 can be downloaded here.

Xplico for Ubuntu 12.04 can be installed following the howto or it can be downloaded here.

We are developing the new version, some new features, like the use of nDPI library, may be tested with the Demo (Xplico in the cloud) . Any feedback is welcome.

Thanks to Carlos Gacimartín.

Enjoy.

net-sniff-ng the packet sniffing beast

In past we have written about net-sniff-ng and we have used it in tandem with  Xplico.

In recent days Daniel Borkmann  has released a new version of net-sniff-ng, in this new version there are many improvements and new feature. With the last version 0.5.6 net-sniff-ng can be used with Xplico without apply any patch.

So we recommend  to all Xplico users to use the last version of net-sniff-ng.

To use net-sniff-ng as a network probe for Xplico on the ethernet interface eth0, with the pcap files in /opt/xplico/pol_1/sol_1 (ie first case and first session in the first case)  and with an  acquisition time interval of 300 seconds (5 minutes) the command to be use is:

sudo netsniff-ng -i eth0 –out /opt/xplico/pol_1/sol_1/new –silent –jumbo-support –interval 300

Enjoy with net-sniff-ng!

Xplico 1.0.0 Released

Xplico 1.0.0 is now available!

ChangeLog:

  • SQLite dispatcher performance improved
  • added the PPI dissector
  • added the syslog dissector
  • added “Bogus IP length” correction with checksum verification disabled
  • new Facebook Chat dissector for the new Facebook chat protocol
  • SIP dissector improved
  • IMAP dissector improved and bugs fixed
  • DNS dissector PIPI improved
  • Yahoo Webmail bugs fixed
  • Live/Hotmail WebMail Spanish version
  • GeoMap improved
  • PCap-over-IP

Xplico Repository (Ubuntu 11.04 or higher)

To install Xplico in your Ubuntu Server or in your Desktop now you can use the official Xplico repository. With four simple steps you can have Xplico running and updated.

sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico


Thanks

 

BackBox and Xplico

We are started a collaboration with BackBox team. The first result of this collaboration is a new deb package which can be installed directly from Launchpad.

 

To install Xplico on Ubuntu the steps to follow are:

  1.  at the end of the file /etc/apt/sources.list  add the lines:

    deb http://ppa.launchpad.net/backbox/two/ubuntu natty main
    deb-src http://ppa.launchpad.net/backbox/two/ubuntu natty main

  2. in your terminal, enter:

    sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 78A7ABE1
    sudo apt-get update

  3. install Xplico :

    sudo apt-get install xplico

Enjoy!

Web Demo

We are completing the tests on 0.7.0 version. In this release the main features are:

  • Gmail Webmail (HTTP)
  • Yahoo! Mobile Mail (Andorid)
  • AOL WebMail (last version)
  • Language localization

WebDemo
The “WebMail sniffer” component (manipulator and python scripts) were improved.
All this features and others can be  examined and tested with the Web Demo of Xplico.
Any help on Language translation and bug report or suggestions are greatly appreciated.
In the Web Demo all data can be remove by you, in anyway all data (but not the users accounts) are removed every day at 00:00 UTC. More info about Web Demo can be found here.

ISSA Journal: toolsmith

Russ McRee wrote an article about Xplico for ISSA Journal.
The PDF file can be downloaded here.

The next week will be released the Xplico’s new version, with support for 64bit.

Xplico 0.6.2: l7-patterns

This version introduces l7-patterns classifier for all flows not decoded, also there is the improvement of the real time acquisition, new features for the XI (Xplico Interface) and many bugs fixes.

ChangeLog:

  • l7-patterns for all flows/protocols not decoded by xplico
  • Xplico Interface (XI) improved
  • python3 porting of many scripts
  • realtime capture module improved
  • facebook chat realtime view
  • UTC/localtime bug fixes
  • l2tp dissector bug fixes
  • cli and lite dispatchers bug fixes
  • telnet dissector bug fixes
  • trigcap bug fixes
  • new script named session_mng.pyc to facilitate the creation of new case and/or new session from command line

We thank naif for his support and his availability.


The decoding performance are:

  • from command line: 5.9 MB/s
  • from Xplico Interface (XI) with SQLite DB (=> lite dispatcher): 1.76 MB/s
  • from Xplico Interface with MySQL DB (=> ximysql dispatcher): 4.09 MB/s

measured on an Aspire 5633WLMi (Intel Core 2 Duo processor T5500 with 1GB RAM an HD IDE controller) with the pcap http://domex.nps.edu/corp/scenarios/2009-m57/net/day11-18.dmp.zip (851 MB).

As always: Enjoy !

Xplico 0.6.1: MSN and Paltalk

In this version new dissectors, new features and obviously many bugfix:

  • Paltalk chat dissector
  • MSN dissector (beta basic version)
  • XI Cookie hijacking
  • XI pagination for Images and Web
  • XI XSS fixed
  • XI bugfix

We thank:

You can found Xplico 0.6.1 in DEFT Linux 6 and you can download VirtualBox.org image, source code and Ubuntu 10.10 package here.

Enjoy ;)

Xplico 0.6.0 for Fedora 11-14 by CERT

Larry Rogers has built and tested Xplico version 0.6.0 for the CERT.
The rpm package is available for Fedora 11-14 from CERT Forensics Appliance repository.

More info and for all comments please see here.

Thank to Larry Rogers.