Open Source Network Forensic Analysis Tool (NFAT) 


Xplico 0.5.7: VoIP tapping and phone numbers

This release introduces improvements in the SIP and RTP dissectors.
It also adds an RTCP dissector, with which Xplico is able to obtain the phone numbers of the caller and the called party (obviously only if they are present in the RTCP packets).

DEFT 5.1 Live distribution contains this version.

You can download the source code and the Ubuntu 10.04 package here.

Enjoy ;).

Xplico version 0.5.6: VoIP (SIP & RTP)

This version brings new and important features:

  • HTTP file reconstruction, i.e. files downloaded with tools like DownThemAll
  • undecoded UDP and TCP “streams” with textual content
  • RTP dissector
  • SIP dissector
  • SDP dissector
  • Improved XI
  • many bug fixes

This version of the SIP and RTP dissectors is not optimal. The (media) contents currently decoded have the following characteristics (limitations):

  • only audio
  • audio codec: G711ulaw, G711alaw, G722, G729, G723 and G726
  • only static RTP payload type

We have to thank:

You can download the VirtualBox.org image, the source code and the Ubuntu 9.10 package here.

Enjoy ;).

Xplico conferences and demo

Tomorrow, 10 March, Carlos Gacimartín of the Xplico team will hold a conference and a demo of Xplico in Madrid.
Anyone wishing to attend the conference is invited to:

Room 1.1.F01
University Carlos III
Avda. Universidad 30, Leganés
Madrid, Spain
At 16:00
Update: Slides.

BackTrack

With pleasure we announce that Xplico is officially included in the BackTrack repository.
Thanks to everyone, and in particular to the BackTrack team.

Xplico version 0.5.5: WebMail

In this version:

  • migration to SQLite3
  • telnet dissector
  • webmail dissector
  • webmail manipulator: Yahoo!, AOL, Hotmail (all without attachments)
  • Improved LLC dissector
  • Improved XI
  • script to check for new releases (only in the source code)

The Hotmail (Live) manipulator depends on the language of the interface; currently the supported languages are Italian and English.
Any feedback is welcome: forum.

You can download the VirtualBox image, the source code and the Ubuntu 9.10 package here.

Forensic challenges

Currently there are at least two forensic challenges in which Xplico can be used to facilitate the analysis. These two challenges are:

We do not answer the challenge questions here; we only give some indications on how Xplico can be used.

The “Ann’s AppleTV” pcap file poses no particular decoding problems: if you process the pcap you obtain the data shown in the two pictures below.

Decoding the “Forensic Challenge 2010 – pcap attack trace” pcap requires more attention. This pcap file contains corrupted packets (which are not retransmitted), so you must disable the Xplico checksum verification (HowTo).

From the CLI the command is:

./xplico -c config/xplico_cli_nc.cfg -m pcap -f attack-trace.pcap
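Before choosing the no-checksum configuration it helps to know whether a capture actually contains damaged packets. The following triage script is an added example, not Xplico code: it parses a classic libpcap file over Ethernet, recomputes the IPv4 header checksum of every packet and reports how many fail; the three-packet capture, MAC addresses and IP addresses it builds are constructed for the demonstration.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; yields 0 when the embedded checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_header(src: bytes, dst: bytes, payload_len: int, corrupt: bool = False) -> bytes:
    """Constructed 20-byte IPv4 header carrying TCP; corrupt=True damages the TTL after checksumming."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 1, 0x4000, 64, 6, 0, src, dst))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    if corrupt:
        hdr[8] ^= 0x01  # simulates on-the-wire damage that checksum verification rejects
    return bytes(hdr)

def build_pcap(frames) -> bytes:
    """Minimal little-endian libpcap file (linktype 1 = Ethernet), one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def count_bad_ip_checksums(pcap: bytes):
    """Return (ipv4_packets, packets_with_bad_ip_checksum) for an Ethernet pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off, total, bad = 24, 0, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4 over Ethernet
        total += 1
        if ipv4_checksum(frame[14:14 + (frame[14] & 0x0F) * 4]) != 0:  # IHL gives header length
            bad += 1
    return total, bad

ETH = bytes.fromhex("001122334455" "66778899aabb" "0800")  # constructed dst MAC, src MAC, EtherType

def sample_pcap() -> bytes:
    """Constructed capture: two intact packets plus one whose IP header was damaged in transit."""
    src, dst, payload = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), b"GET / HTTP/1.0\r\n\r\n"
    return build_pcap([
        ETH + build_ipv4_header(src, dst, len(payload)) + payload,
        ETH + build_ipv4_header(src, dst, len(payload), corrupt=True) + payload,
        ETH + build_ipv4_header(dst, src, len(payload)) + payload,
    ])
```

Run `count_bad_ip_checksums(open("attack-trace.pcap", "rb").read())` on a real capture; a non-zero second value means the default configuration would silently drop those packets and xplico_cli_nc.cfg is the right choice.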

Since Xplico is able to recognize protocols (not all of them) even when they run on non-standard ports, it is easy to see which protocol was used and which data file was downloaded.
The figure below shows the result of the decoding in XI.

Enjoy ;).

Xplico version 0.5.4: Facebook Chat

This version of Xplico introduces new and important features:

  • Facebook web chat dissector
  • New XI based on CakePHP 1.2.5
  • New representation of images
  • For each image you can see (with the proxy enabled) the page where the image is contained
  • WLAN and LLC basic dissectors
  • HTTP dissector improvements

You can download the source code, the Ubuntu 9.10 package and the VirtualBox.org image here.

Xplico version 0.5.3 and DEFT Vx5

You can find this release in the DEFT Vx5 Linux distribution.
You can download the source code, the Ubuntu 9.10 package and the VirtualBox.org image here.

This version of Xplico introduces many new features:

  • snoop Packet Capture File Format as input file
  • DNS dissector with graphical representation in Xplico Interface (XI)
  • NNTP dissector
  • PPPOE dissector
  • direct live acquisition from XI
  • new dispatcher named CLI: this dispatcher organizes the extracted data in a tree like this:

    xdecode/<ip_src_1>/http
    xdecode/<ip_src_1>/mail/
    xdecode/<ip_src_1>/nntp
    xdecode/<ip_src_1>/ftp
    xdecode/<ip_src_1>/...
    xdecode/<ip_src_2>/http
    xdecode/<ip_src_2>/mail/
    xdecode/<ip_src_2>/nntp
    xdecode/<ip_src_2>/ftp
    xdecode/<ip_src_2>/...
  • CLI is the default dispatcher in command-line execution
  • file extensions for the HTTP contents
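To get a per-host overview of what the CLI dispatcher extracted, the helper below walks a tree with the layout shown above and counts the files under each xdecode/<ip_src>/<protocol> directory. It is an added example, not part of Xplico; the tree it builds in a temporary directory (hosts, protocols and file names) is constructed so the script runs without a real decoding session.

```python
import ipaddress
import os
import tempfile

def inventory_xdecode(root: str) -> dict:
    """Map each <ip_src> directory under root to {protocol: number of extracted files}."""
    result = {}
    for entry in sorted(os.listdir(root)):
        host_dir = os.path.join(root, entry)
        try:
            ipaddress.ip_address(entry)  # anything that is not an <ip_src> directory is skipped
        except ValueError:
            continue
        if not os.path.isdir(host_dir):
            continue
        per_proto = {}
        for proto in sorted(os.listdir(host_dir)):
            proto_dir = os.path.join(host_dir, proto)
            if os.path.isdir(proto_dir):
                # os.walk also reaches files that a dissector placed in sub-directories (e.g. mail/)
                per_proto[proto] = sum(len(files) for _, _, files in os.walk(proto_dir))
        result[entry] = per_proto
    return result

def make_sample_tree() -> str:
    """Constructed xdecode tree in a temporary directory, mirroring the layout above."""
    root = tempfile.mkdtemp(prefix="xdecode_")
    layout = {
        "192.168.1.10": {"http": ["index.html", "logo.png"], "mail": ["msg1.eml"]},
        "192.168.1.20": {"ftp": ["tool.bin"], "nntp": []},
        "notes": {},  # stray non-IP directory that the inventory must ignore
    }
    for host, protos in layout.items():
        os.makedirs(os.path.join(root, host), exist_ok=True)
        for proto, files in protos.items():
            os.makedirs(os.path.join(root, host, proto), exist_ok=True)
            for name in files:
                open(os.path.join(root, host, proto, name), "wb").close()
    return root
```

Point `inventory_xdecode` at the real xdecode directory of a CLI run to see, per source host, which protocols produced output and how many artefacts each yielded.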

We have to thank:

Enjoy ;).

VirtualBox Image of Debian 5.0 with Xplico

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.5.2 installed and running. It is a convenient way to test this software without altering your environment: just download it and start testing Xplico. You can use Xplico to decode traffic from the console or via the web interface, uploading your own pcap files. Click here to download it.

Thanks to Carlos Gacimartín.

Forum and Wiki

Forum: http://forum.xplico.org.
Wiki: http://wiki.xplico.org.

Enjoy.