Open Source Network Forensic Analysis Tool (NFAT) 

Twitter E-mail RSS

Ubuntu 12.04 and VirtualBox Image

The VirtualBox image of Xplico 1.0.0 can be downloaded here.

Xplico for Ubuntu 12.04 can be installed following the howto or it can be downloaded here.

We are developing the new version, some new features, like the use of nDPI library, may be tested with the Demo (Xplico in the cloud) . Any feedback is welcome.

Thanks to Carlos Gacimartín.


Xplico 1.0.0 Released

Xplico 1.0.0 is now available!


  • SQLite dispatcher performance improved
  • added the PPI dissector
  • added the syslog dissector
  • added “Bogus IP length” correction with checksum verification disabled
  • new Facebook Chat dissector for the new Facebook chat protocol
  • SIP dissector improved
  • IMAP dissector improved and bugs fixed
  • DNS dissector PIPI improved
  • Yahoo Webmail bugs fixed
  • Live/Hotmail WebMail Spanish version
  • GeoMap improved
  • PCap-over-IP

Xplico Repository (Ubuntu 11.04 or higher)

To install Xplico in your Ubuntu Server or in your Desktop now you can use the official Xplico repository. With four simple steps you can have Xplico running and updated.

sudo bash -c 'echo "deb $(lsb_release -s -c) main" >> /etc/apt/sources.list'
sudo apt-key adv --keyserver --recv-keys 791C25CE
sudo apt-get update
sudo apt-get install xplico



Network Probes and Xplico

As many Xplico users know, the Xplico “Live capture” is not the great solution to capture the network traffic. The “Live capture” was introduced only for the purpose of demonstration and it can not be considered a proper mode to capture network data.
From 0.6.2 version we have improved the “real time capture” (=> Live capture), but these improvements have not solved (and can not solve) some limits (deliberately) imposed on Xplico. Currently, the real time capture is performed by a plug-in (module) belonging to the Xplico capture modules and not from a separate application. This capture module uses the libpcap to capture data from the network adapter.
In this context Xplico can lose data (packets) for two reasons:

  • real-time capture module is not designed to hi speed network traffic
  • the Xplico I/O monitoring: the Xplico (decoder) controls the memory/threads/data used and, as feedback, it imposes a slowing of incoming data (with the capture module). If the input data is a pcap file there are no consequences, but if the input is the network card then we can lose the data.

How to solve this problem? Simple, using applications (or/and hardware) designed specifically for this purpose, that of Network Probes. We want to mention here two projects that have as their objective the capture of high network traffic data and use techniques that minimize the likelihood of data loss.

The first one is n2disk of our friend Luca Deri. n2disk is based on PF_RING. PR_RING is also used in nProbe and it is what provides the high performance at nProbe.

The second project is net-sniff-ng and it is developed by Daniel Borkmann and Emmanuel Roullit.The main features of net-sniff-ng:

  • it is completely open source (GPLv2)
  • its main goal is to be a high performance network sniffer
  • it uses ‘zero-copy’ mechanisms
  • Berkeley Packet Filter to the socket in order to pre-filter traffic within the kernel

If you are interested in trying netsniff-ng with Xplico what you have to do is:

  • download netsniff-ng from the git repository (remember that netsniff-ng is in continuous development)
  • copy netsniff-ng-xplico file in netsniff-ng/src/netsniff-ng.c

  • cd netsniff-ng/src/netsniff-ng
    sudo make install
    /opt/xplico/script/session_mng.pyc -n netsniff test

    use the session_mng.pyc output:

    Put the pcap files here: /opt/xplico/pol_1/sol_1/new

    in the next command

    sudo netsniff-ng --in eth0 --out dump.pcap --silent --dump-path /opt/xplico/pol_1/sol_1/new --dump-frequency 10


XI Cookie hijacking: Windows Live

Windwa Live

XI Cookie hijacking is a new feature introduced in 0.6.1 version.

This post shows how to use this new tool with Windows Live.