Open Source Network Forensic Analysis Tool (NFAT) 

Twitter E-mail RSS

Xplico 1.0.0 Released

Xplico 1.0.0 is now available!

ChangeLog:

  • SQLite dispatcher performance improved
  • added the PPI dissector
  • added the syslog dissector
  • added “Bogus IP length” correction with checksum verification disabled
  • new Facebook Chat dissector for the new Facebook chat protocol
  • SIP dissector improved
  • IMAP dissector improved and bugs fixed
  • DNS dissector PIPI improved
  • Yahoo Webmail bugs fixed
  • Live/Hotmail WebMail Spanish version
  • GeoMap improved
  • PCap-over-IP

Xplico Repository (Ubuntu 11.04 or higher)

To install Xplico in your Ubuntu Server or in your Desktop now you can use the official Xplico repository. With four simple steps you can have Xplico running and updated.

sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico


Thanks

 

BackBox and Xplico

We are started a collaboration with BackBox team. The first result of this collaboration is a new deb package which can be installed directly from Launchpad.

 

To install Xplico on Ubuntu the steps to follow are:

  1.  at the end of the file /etc/apt/sources.list  add the lines:

    deb http://ppa.launchpad.net/backbox/two/ubuntu natty main
    deb-src http://ppa.launchpad.net/backbox/two/ubuntu natty main

  2. in your terminal, enter:

    sudo apt-key adv –keyserver keyserver.ubuntu.com –recv-keys 78A7ABE1
    sudo apt-get update

  3. install Xplico :

    sudo apt-get install xplico

Enjoy!

Xplico 0.7.1: DEFT Linux 7

We are pleased to announce the DEFT Linux 7 and the new release of Xplico.

Xplico 0.7.1 fixes some bugs:DEFT Linux 7

  • RTP bug fixed
  • dispatcher core functionality bug fixed
  • mfile manipulator bug fixed
  • XI bugs fixed
  • added DB migration tool

We are working to 1.0.0 version and you can try it here.

If you are a fun of Xplico, please vote for it 2011 Toolsmith Tool of the Year.

Enjoy!

CERT Linux Forensics Tools

Thanks to Larry Rogers the new release of Xplico can be downloaded from the CERT Linux Forensics Tools Repository. The RPM are available for Fedora 16, 15, 14 and 13.
The announcement says:

xplico-0.7.1-1.{fc13,fc14,fc15,fc16}.{i386,x86_64}.rpm – xplico is an Internet traffic decoder. See the Xplico website for the list of changes in this version. Note that RHEL/CentOS is not supported due to a lack of Python Version 3 support.

Enjoy!

Xplico 0.7.0: Gmail and language localization

This version introduces improvement on Webmail sniffing/decoding and the language localization.

The Earth seen from Apollo 17 (NASA)Changelog:

  • upgraded the XI to Cakephp 1.3
  • added the ICMPv6 dissector
  • Ethernet dissector improved (for ICMPv6)
  • one of two Xplico’s deadlock is solved
  • fixed the communication bug between xplico and the manipulators
  • SDP dissector bug fixed
  • SIP and TCP dissectors improved
  • WebMail manipulator and all Python3 scripts improved (ready to new webmail entry… see pol 😉 )
  • added pcap file name on CLI report
  • capture modules log improved
  • new GeoIP version: 1.4.8
  • added IPv6 Hop-by-Hop options
  • Xplico and all Manipulators with dual stack (IPv4, IPv6)
  • XI language localization (each fix is ​​well come): Arabic, Chinese, German, English, French, Hindi, Italian, Japanese, Portuguese, Russian, Spanish, Turkish
  • DNS bug fixed
  • added the MDNS dissector
  • added AOL WebMail
  • added Yahoo! WebMail
  • added Yahoo! Mail for Andorid Mobile
  • added Gmail

We thank:

  • briaeros007 (member of the forum) for his test about IPv6 functionality on Xplico’s applications
  • James Fisher, he has found and fixed a bug in the HTTP dissector

Enjoy Xplico!

Web Demo

We are completing the tests on 0.7.0 version. In this release the main features are:

  • Gmail Webmail (HTTP)
  • Yahoo! Mobile Mail (Andorid)
  • AOL WebMail (last version)
  • Language localization

WebDemo
The “WebMail sniffer” component (manipulator and python scripts) were improved.
All this features and others can be  examined and tested with the Web Demo of Xplico.
Any help on Language translation and bug report or suggestions are greatly appreciated.
In the Web Demo all data can be remove by you, in anyway all data (but not the users accounts) are removed every day at 00:00 UTC. More info about Web Demo can be found here.

Network Probes and Xplico

As many Xplico users know, the Xplico “Live capture” is not the great solution to capture the network traffic. The “Live capture” was introduced only for the purpose of demonstration and it can not be considered a proper mode to capture network data.
From 0.6.2 version we have improved the “real time capture” (=> Live capture), but these improvements have not solved (and can not solve) some limits (deliberately) imposed on Xplico. Currently, the real time capture is performed by a plug-in (module) belonging to the Xplico capture modules and not from a separate application. This capture module uses the libpcap to capture data from the network adapter.
In this context Xplico can lose data (packets) for two reasons:

  • real-time capture module is not designed to hi speed network traffic
  • the Xplico I/O monitoring: the Xplico (decoder) controls the memory/threads/data used and, as feedback, it imposes a slowing of incoming data (with the capture module). If the input data is a pcap file there are no consequences, but if the input is the network card then we can lose the data.

How to solve this problem? Simple, using applications (or/and hardware) designed specifically for this purpose, that of Network Probes. We want to mention here two projects that have as their objective the capture of high network traffic data and use techniques that minimize the likelihood of data loss.

The first one is n2disk of our friend Luca Deri. n2disk is based on PF_RING. PR_RING is also used in nProbe and it is what provides the high performance at nProbe.

The second project is net-sniff-ng and it is developed by Daniel Borkmann and Emmanuel Roullit.The main features of net-sniff-ng:

  • it is completely open source (GPLv2)
  • its main goal is to be a high performance network sniffer
  • it uses ‘zero-copy’ mechanisms
  • Berkeley Packet Filter to the socket in order to pre-filter traffic within the kernel

If you are interested in trying netsniff-ng with Xplico what you have to do is:

  • download netsniff-ng from the git repository (remember that netsniff-ng is in continuous development)
  • copy netsniff-ng-xplico file in netsniff-ng/src/netsniff-ng.c

  • cd netsniff-ng/src/netsniff-ng
    make
    sudo make install
    /opt/xplico/script/session_mng.pyc -n netsniff test

    use the session_mng.pyc output:


    Put the pcap files here: /opt/xplico/pol_1/sol_1/new

    in the next command

    sudo netsniff-ng --in eth0 --out dump.pcap --silent --dump-path /opt/xplico/pol_1/sol_1/new --dump-frequency 10

Enjoy.

Fedora 11-15, CentOS/RHEL repositories and VirtualBox

Lawrence R. Rogers has built and released Xplico 0.6.3 for Fedora 11, 12, 13, 14, 15 and CentOS/RHEL . You can find it at the CERT Linux Forensics Tools Repository.
Carlos Gacimartín has built the VirtualBox image with Xplico 0.6.3. You can find it here.

Xplico 0.6.3: 64Bit

In this release:

  • 32 and 64 bit
  • new decoding manager (DeMa): version 0.3.1
  • mfile manipulator (HTTP file transfer) bug fixes
  • WebMail scripts improved
  • HTTP dissector improved
  • XI: upgraded the javascript libraries

Enjoy !

ISSA Journal: toolsmith

Russ McRee wrote an article about Xplico for ISSA Journal.
The PDF file can be downloaded here.

The next week will be released the Xplico’s new version, with support for 64bit.