Open Source Network Forensic Analysis Tool (NFAT) 

Twitter E-mail RSS

SniffJoke 0.2

An example of the effectiveness of SniffJoke is given by this pcap. It is easy to verify that Wireshark and other tools reconstruct the data entering the traffic generated by SbiffJoke, making reconstruction wrong.
Try this pcap… with your best tool.

Source code

Released sources code of Xplico DEFT4 (see download).

DEFT 4 console-mode

With DEFT4, without run X (deft-gui), you can capture and decode ethernet traffic in this way:
Read more…


DEFT4 has arrived! In this release, there are many new features.
The novelty of Xplico in Def4 are:

  • console-mode Xplico execution
  • acquisition and processing in realtime (in console-mode)
  • access to every HTTP message. You can examine:
    • request header and body
    • response header and body
    • Therefore it will be viewed the request body of the POST
  • Internet Printing Protocol (IPP) and Printer Job Language (PJL) dissectors. With these dissecors you can view, in PDF format, the pages printed with printers that use PCL5E, PCL5C, and PCL6 formats (for example HP LaserJet 2300dn, HP LaserJet 4). Other formats (ex: Zenographics ZJ-stream) are in development
  • viewing any video transited in HTTP with content-type “video/flv” extracted from pcap file (ex: YouTube video)
  • browsing all images transported in HTTP
  • improvement of displaying Web pages extracted from pcap file

Remember to run xplicostart from the Terminal and then launch Firefox with URL: http://localhost

New Site

… just to start

Sniffer evasion tool

Xplico at present is unable to avoid sniffer evasion tool handling TTL (IP Time To Live). In version 0.6, Xplico will no longer be affected by this type of attack.
A good sniffer evasion tool is SniffJoke. SniffJoke prevent Xplico to reconstruct the traffic … and not only to Xplico 😉 .

Internet Printing Protocol

Completed IPP (Internet Printing Protocol) and PJL (Printer Job Language) dissectors. These dissectors convert the traffic network printers in pdf file format. Thanks to MT-Lab for the idea.
This pdf file is an example of reconstruciton (from Wireshark ipp.pcap).

Xplico Deft3x

Released sources code of Xplico Deft3 (see download).