Xplico: network traffic monitoring tools

Network Forensic Analysis Tool

Xplico

Xplico is a Network Forensic Analysis Tool (NFAT).
The goal of Xplico is to extract the application data contained in an internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP, RTP), IRC, MSN, and so on.
Xplico is able to classify more than 140 (application) protocols.
Xplico can be used as a sniffer-decoder if used in “live mode” or in conjunction with netsniff-ng.

Install

Usage

Xplico in console mode lets you decode a single pcap file, a directory of pcap files, or decode in real time from an Ethernet interface (eth0, eth1, …). To select the input type you use the -m option, which loads a particular Xplico capture interface (capture module). The possible capture interfaces are ‘pcap’ and ‘rltm’. Running “./xplico -h -m pcap” gives you the help for the pcap interface; likewise “./xplico -h -m rltm” gives you the help for the real-time interface. In console mode all files extracted by Xplico are placed in the ‘tmp/xplico/’ directory; every protocol has its own directory, inside which you can find the decoded data. For example:

  • to decode test.pcap, launch: ./xplico -m pcap -f test.pcap. At the end of decoding your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, … and the kml file (Google Earth) is in xdecode/ip/
  • to decode a directory “/tmp/test” containing many pcap files, launch: ./xplico -m pcap -d /tmp/test. At the end of decoding your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, … and the kml file (Google Earth) is in xdecode/ip/
  • to decode eth0 in real time, the command is ./xplico -m rltm -i eth0; to stop acquisition press ^C. At the end of decoding (decoding happens in real time) your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, … and the kml file (Google Earth) is in xdecode/
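Console-mode runs leave the decoded artefacts under xdecode/ip/<protocol>/ as listed above. The POSIX shell helpers below are an added example, not part of Xplico: they inventory that tree per protocol and write a SHA-256 manifest so the extracted evidence can be verified later; the xdecode path is a parameter and the layout is the only assumption.

```shell
#!/bin/sh
# Added example, not part of Xplico. Assumes the console-mode output layout
# described above: decoded artefacts under XDECODE_DIR/ip/<protocol>/ .

# Pick a SHA-256 tool: GNU coreutils sha256sum, or perl shasum on BSD/macOS.
hash_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
    else echo "shasum -a 256"; fi
}

# inventory XDECODE_DIR -> one line per protocol directory: "<protocol> <files>"
# Counts regular files below XDECODE_DIR/ip/<protocol>/ (recursively), so an
# analyst sees at a glance which protocols produced artefacts.
inventory() {
    ip_dir="$1/ip"
    [ -d "$ip_dir" ] || { printf 'missing %s\n' "$ip_dir" >&2; return 1; }
    for proto_dir in "$ip_dir"/*/; do
        [ -d "$proto_dir" ] || continue
        proto=$(basename "$proto_dir")
        count=$(find "$proto_dir" -type f | wc -l | tr -d ' ')
        printf '%s %s\n' "$proto" "$count"
    done
}

# manifest XDECODE_DIR OUT -> SHA-256 of every decoded file, sorted by path,
# written to OUT (keep OUT outside XDECODE_DIR). Verify later with
# "sha256sum -c OUT" to show the evidence has not changed since decoding.
manifest() {
    find "$1" -type f -exec $(hash_tool) {} + | sort -k2 > "$2"
}
```

Run it from the Xplico working directory after a decode, for example `inventory xdecode && manifest xdecode ../evidence.sha256`.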

Xplico has many decoding modules; they live in the ‘modules’ directory. To enable or disable a module, modify the xplico.cfg file (by default in the ./config/ directory). The GeoMap file (kml) for Google Earth is updated every 30 sec.

./xplico -g gives you a graph of the relations between the dissectors.

Start xplico service

service xplico start

Go to http://localhost:9876

Use the credentials xplico:xplico

Create a new Case

Click on the session and create a new session

Choose your session

Choose interface

Enjoy!

You can upload a .pcap file for dissecting


Source: https://github.com/xplico/