Xplico: network traffic monitoring tools
Xplico
Xplico is a Network Forensic Analysis Tool (NFAT).
The goal of Xplico is extracted from internet traffic to capture the data of the application contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, RTP), IRC, MSN…
Xplico is able to classify more than 140 (application) protocols.
Xplico can be used as a sniffer-decoder if used in “live mode” or in conjunction with netsniff-ng.
Usage
Xplico in console-mode permits you to decode a single pcap file, directory of pcap files, or decode in real-time from an ethernet interface (eth0, eth1, …). To select the input type you have to use the -m option. The ‘-m’ option permit you to load a particular xplico capture interface (capture-module). The possible capture interfaces are ‘pcap’ and ‘rltm’. If you run “./xplico -h -m pcap” you have the help of the use of pcap interface, obviously “./xplico -h -m rltm’ give you help to use real-time interface. In console-mode all files extracted by xplico are placed in the ‘tmp/xplico/’ directory, every protocol has a particular directory, and inside this directory, you can find the decoding data. For example:
- if you have to decode test.pcap, you have to launch this command: ./xplico -m pcap -f test.pcap at the end of decoding your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, … and kml file (Google Earth) is in xdecode/ip/
- if you have to decode a directory “/tmp/test” where inside there are many pcap files you have to launch this command: ./xplico -m pcap -d /tmp/test at the end of decoding your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, … and kml file (Google Earth) is in xdecode/ip/
- if you have to decode eth0 in real-time the command is ./xplico -m rltm -i eth0 to break acquisition: ^C. At the end of decoding (decoding is in realtime) your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, … and kml file (Google Earth) is in xdecode/
Xplico has many decoding modules, these modules are in the ‘modules’ directory, to enable or disable a module you have to modify the xplico.cfg file (by default in ./config/ directory) The GeoMap file (kml) for Google Earth is updated every 30 sec.
./xplico -g give you a graph of relations between the dissectors.
Start xplico service
service xplico start
Go to http://localhost:9876
Use credential xplico:xplico
Create new Case
Click on the session, create a new session
Choose your session
Choose interface
Enjoy!
You can upload .pcap file for dissecting
Network Forensic Analysis ToolSource: https://github.com/xplico/