Open Source Network Forensic Analysis Tool (NFAT) 


Xplico 1.1.1

Xplico 1.1.1 is now available.


  • nDPI updated
  • MGCP dissector
  • IMAP bug fixed
  • WhatsApp dissector (it collects only one or two pieces of information)
  • other bugs fixed


Xplico 1.1.0

Xplico 1.1.0 is now available!


  • Performance improved
  • nDPI updated
  • IRC bug fixed
  • HTTP bug fixed
  • VoIP (SIP, RTP) bug fixed
  • FTP bug fixed
  • changed the FaceBook DB tables
  • Null/Loopback dissector
  • Cisco HDLC dissector
  • RossoAlice WebMail decoding
  • Yahoo messenger, Web and Mobile (Beta version)
  • Dig using file signatures (for unknown flows)

A special thanks to:

… thank you for not using encryption in the [users] communications.


Xplico 1.0.1

Xplico 1.0.1 is now available!


  • nDPI integration
  • performance improved
  • FTP dissector improved
  • Added the prism dissector
  • CLI execution bug fixed
  • PCAP-over-IP SSL encryption
  • IRC dissector improved
  • File reconstruction from Fragmented Payloads improved
  • FaceBook Chat updated
  • FaceBook Message (partial)
  • HTTP without initial packets (packets lost)
  • RTP dissector improved
  • PCAP2WAV, RTP2WAV interface added


Ubuntu 12.04 and VirtualBox Image

The VirtualBox image of Xplico 1.0.0 can be downloaded here.

Xplico for Ubuntu 12.04 can be installed following the howto or it can be downloaded here.

We are developing the new version; some of its new features, such as the use of the nDPI library, can be tested with the Demo (Xplico in the cloud). Any feedback is welcome.

Thanks to Carlos Gacimartín.


net-sniff-ng the packet sniffing beast

In the past we have written about netsniff-ng and used it in tandem with Xplico.

Recently Daniel Borkmann released a new version of netsniff-ng with many improvements and new features. Starting with version 0.5.6, netsniff-ng can be used with Xplico without applying any patch.

We therefore recommend that all Xplico users use the latest version of netsniff-ng.

To use netsniff-ng as a network probe for Xplico on the Ethernet interface eth0, writing the pcap files to /opt/xplico/pol_1/sol_1 (i.e. the first session of the first case) with an acquisition time interval of 300 seconds (5 minutes), the command to use is:

sudo netsniff-ng -i eth0 --out /opt/xplico/pol_1/sol_1/new --silent --jumbo-support --interval 300

Enjoy with net-sniff-ng!
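The probe command above is usually started once and then forgotten, so the thing a practitioner most wants is a way to confirm the capture is actually still being written. The following bash helpers are an added example, not part of the Xplico project or of this post: one builds the exact netsniff-ng command line (so it can be reviewed or logged before it runs under sudo), the other checks that a fresh capture file exists in the session's new/ directory, i.e. that the newest file is younger than the rotation interval plus a grace period. It assumes netsniff-ng names its rotated output files with a .pcap suffix; the interface, session directory and interval are parameters whose defaults mirror the post.

```bash
#!/usr/bin/env bash
# Added example (not Xplico project code): helpers around the netsniff-ng
# probe setup described in the post.
set -u

# Build the netsniff-ng probe command line.
#   $1 capture interface (e.g. eth0)
#   $2 Xplico session directory (e.g. /opt/xplico/pol_1/sol_1)
#   $3 rotation interval in seconds (must be a positive integer)
xplico_probe_cmd() {
    local iface="$1" session_dir="$2" interval="$3"
    case "$interval" in
        ''|*[!0-9]*|0)
            echo "interval must be a positive integer (seconds)" >&2
            return 1 ;;
    esac
    # Same options as the post: output into the session's new/ directory,
    # quiet, with jumbo frames, rotating the file every $interval seconds.
    printf 'netsniff-ng -i %s --out %s/new --silent --jumbo-support --interval %s\n' \
        "$iface" "$session_dir" "$interval"
}

# Check that the probe is still producing captures.
#   $1 Xplico session directory, $2 interval in seconds, $3 grace in seconds (default 60)
# Returns 0 if a .pcap file newer than interval+grace exists in <session>/new,
# 1 (with a message on stderr) if the directory or captures are missing or stale.
# Assumption: rotated files carry a .pcap suffix.
xplico_probe_check() {
    local session_dir="$1" interval="$2" grace="${3:-60}"
    local dir="$session_dir/new" now newest age limit
    [ -d "$dir" ] || { echo "missing capture dir: $dir" >&2; return 1; }
    now=$(date +%s)
    # Newest modification time (epoch seconds) among pcap files; empty if none.
    newest=$(find "$dir" -maxdepth 1 -type f -name '*.pcap' -printf '%T@\n' 2>/dev/null \
             | sort -n | tail -1)
    [ -n "$newest" ] || { echo "no captures in $dir" >&2; return 1; }
    age=$(( now - ${newest%.*} ))
    limit=$(( interval + grace ))
    if [ "$age" -gt "$limit" ]; then
        echo "probe stale: newest capture is ${age}s old (limit ${limit}s)" >&2
        return 1
    fi
    return 0
}

# Stand-alone usage: print the command for the setup in the post and check it.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    xplico_probe_cmd eth0 /opt/xplico/pol_1/sol_1 300
    xplico_probe_check /opt/xplico/pol_1/sol_1 300 && echo "probe OK"
fi
```

Run the check from cron at roughly the rotation interval; a non-zero exit is the signal that the probe died or the disk filled, which is worth alerting on since Xplico silently shows no new data for the session.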


We will participate in DEFTCON 2012 in Turin (Italy) on March 30.
The conference will be held in Italian; more information and the event program can be found here.

To register, write to

Xplico 1.0.0 Released

Xplico 1.0.0 is now available!


  • SQLite dispatcher performance improved
  • added the PPI dissector
  • added the syslog dissector
  • added “Bogus IP length” correction with checksum verification disabled
  • new Facebook Chat dissector for the new Facebook chat protocol
  • SIP dissector improved
  • IMAP dissector improved and bugs fixed
  • DNS dissector PIPI improved
  • Yahoo Webmail bugs fixed
  • Live/Hotmail WebMail Spanish version
  • GeoMap improved
  • PCap-over-IP

Xplico Repository (Ubuntu 11.04 or higher)

To install Xplico on your Ubuntu Server or Desktop you can now use the official Xplico repository. With four simple steps you can have Xplico installed and kept up to date.

sudo bash -c 'echo "deb $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico



BackBox and Xplico

We have started a collaboration with the BackBox team. The first result of this collaboration is a new deb package which can be installed directly from Launchpad.


To install Xplico on Ubuntu the steps to follow are:

  1.  at the end of the file /etc/apt/sources.list  add the lines:

    deb natty main
    deb-src natty main

  2. in your terminal, enter:

    sudo apt-key adv --keyserver --recv-keys 78A7ABE1
    sudo apt-get update

  3. install Xplico :

    sudo apt-get install xplico


Xplico 0.7.1: DEFT Linux 7

We are pleased to announce the DEFT Linux 7 and the new release of Xplico.

Xplico 0.7.1 fixes some bugs:

  • RTP bug fixed
  • dispatcher core functionality bug fixed
  • mfile manipulator bug fixed
  • XI bugs fixed
  • added DB migration tool

We are working on version 1.0.0, and you can try it here.

If you are a fan of Xplico, please vote for it as the 2011 Toolsmith Tool of the Year.


CERT Linux Forensics Tools

Thanks to Larry Rogers, the new release of Xplico can be downloaded from the CERT Linux Forensics Tools Repository. RPMs are available for Fedora 16, 15, 14 and 13.
The announcement says:

xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm – xplico is an Internet traffic decoder. See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of Python Version 3 support.