Open Source Network Forensic Analysis Tool (NFAT) 

Twitter E-mail RSS

Xplico 1.2.2

Photo taken by Julien Lagarde (Creative Commons (CC))

Xplico 1.2.2 is now available.


  • Migration from GeoIP to GeoIP2
  • nDPI updated
  • CakePHP 2.10.17
  • Bugfix


Xpico 1.2.1: Xplico vulnerability

Mehmet D. İNCE from discovered several vulnerability related to the Xplico software. He identified three different vulnerability, two classified as “Hight severity” and one as “Medium severity”. The number assigned for this vulnerability of Xplico is CVE-2017-16666. More details here.
Thanks to Mehmet’s detail report and the collaboration of  Mehmet and of Doug Burks of Security Onion Solutions, vulnerabilities have been resolved.
This release fix these issues. It is recommended and exhorts to upgrade your Xplico installations.

Thanks again to Mehmet D. İNCE and to Doug Burks.
Gianluca Costa

Xplico 1.2.0

Xplico 1.2.0 is now available.


  • Migration from PHP5 to PHP7
  • CakePHP 2.8
  • nDPI updated
  • IMAP bug fix
  • Bugfix: reported on Security Onion


Xplico 1.1.2: CapAnalysis

capanalysisAs some of you might know CapAnalysis is open source. To analyze the pcap files CapAnalysis uses Xplico with some specific dissectors.

With this release of Xplico we complete the open source migration of CapAnalysis.

Everyone can use CapAnalysis not only by installing it but also by freely using it from the demo site.  The demo gives the possibility to upload up to 20MB of PCAP files. No password is required and all data are deleted automatically at 00:00 UTC the day after the creation of dataset.

From the point of view of Xplico users this release doesn’t introduce new features.

The code can be found on GitHub.

Xplico 1.1.1

Xplico 1.1.0 is now available.


  • nDPI updated
  • MGCP dissector
  • IMAP bug fixed
  • WhatsApp dissector (it collects only one/two info)
  • bug fixed


Xplico 1.1.0

Xplico 1.1.0 is now available!


  • Performance improved
  • nDPI updated
  • IRC bug fixed
  • HTTP bug fixed
  • VoIP (SIP, RTP) bug fixed
  • FTP bug fixed
  • changed the FaceBook DB tables
  • Null/Loopback dissector
  • Cisco HDLC dissector
  • and RossoAlice WebMail decoding
  • Yahoo messenger, Web and Mobile (Beta version)
  • Dig using file signatures (for unknown flows)

A special thanks to:

… thank you for not using encryption in the [users] communications.


Xplico 1.0.1

Xplico 1.0.1 is now available!


  • nDPI integration
  • performace improved
  • FTP dissector improved
  • Added the prism dissector
  • CLI execution bug fixed
  • PCAP-over-IP SSL encryption
  • IRC dissector improved
  • File reconstruction from Fragmented Payloads improved
  • FaceBook Chat updated
  • FaceBook Message (partial)
  • HTTP without initial packets (packets lost)
  • RTP dissector improved
  • PCAP2WAV, RTP2WAV interface added


Ubuntu 12.04 and VirtualBox Image

The VirtualBox image of Xplico 1.0.0 can be downloaded here.

Xplico for Ubuntu 12.04 can be installed following the howto or it can be downloaded here.

We are developing the new version, some new features, like the use of nDPI library, may be tested with the Demo (Xplico in the cloud) . Any feedback is welcome.

Thanks to Carlos Gacimartín.


net-sniff-ng the packet sniffing beast

In past we have written about net-sniff-ng and we have used it in tandem with  Xplico.

In recent days Daniel Borkmann  has released a new version of net-sniff-ng, in this new version there are many improvements and new feature. With the last version 0.5.6 net-sniff-ng can be used with Xplico without apply any patch.

So we recommend  to all Xplico users to use the last version of net-sniff-ng.

To use net-sniff-ng as a network probe for Xplico on the ethernet interface eth0, with the pcap files in /opt/xplico/pol_1/sol_1 (ie first case and first session in the first case)  and with an  acquisition time interval of 300 seconds (5 minutes) the command to be use is:

sudo netsniff-ng -i eth0 –out /opt/xplico/pol_1/sol_1/new –silent –jumbo-support –interval 300

Enjoy with net-sniff-ng!


We will participate in the DEFTCON 2012 in Turin (Italy) on March 30.
The conference will be in Italian, more information and the event program can be found here.

To register, write to