The Config file

The Xplico configuration file defines:

  • the dissectors to load
  • the log level of each dissector
  • the directory for temporary files
  • the name of the log file
  • the dispatcher to use
  • the connections to manipulators

The default locations of the configuration file are:

  • ./config
  • /opt/xplico/cfg

In console mode (from the shell) the configuration file is chosen on the command line with the -c option:

 ./xplico -c <my_config_file> -m pcap -f example.pcap

The configuration file has four parts:

  • dissector definitions
  • dispatcher definition
  • manipulator connection definitions
  • common definitions

Dissectors definitions

In Xplico all dissectors (all modules) must be in the same directory, which is set by the MODULES_DIR parameter:

 MODULES_DIR=/opt/xplico/bin/modules

A dissector is declared with the MODULE parameter:

 MODULE=dis_ip.so

and its log level with the LOG parameter, which must be on the same line as the dissector definition:

 MODULE=dis_ip.so         LOG=FEWITDS

Each letter of the LOG value enables one log level; the letters are described under Log Levels below.

Dispatcher definition

The dispatcher is the component of Xplico that organizes the data, inserting it into a database and into the appropriate locations/paths.
With Xplico you can create various types of dispatcher to suit your needs.
The dispatchers available at the moment are:

  • none (disp_none.so): a very simple dispatcher (an example of a dispatcher); it does not organize the extracted data, which is left in the temporary directory
  • lite (disp_lite.so): uses SQLite as its DB; it is used for the Live CD, which has few resources
  • cli (disp_cli.so): organizes the reconstructed data in the directory xdecode, by IP and protocol type: xdecode/<ip>/http, xdecode/<ip>/mail, xdecode/<ip>/ftp, …
  • ximysql (disp_ximysql.so): uses MySQL as its DB; it is used for large amounts of data

A dispatcher is declared with the DISPATCH parameter:

 DISPATCH=disp_none.so

and its log level with the LOG parameter, which must be on the same line as the dispatcher definition:

 DISPATCH=disp_none.so LOG=FEWITDS

Each letter of the LOG value enables one log level.
Only one dispatcher can be defined in the configuration file.

Manipulator connections definitions

Manipulators (aggregators, transcoders, correlators) in the Xplico system are applications that organize and correlate the data extracted by the decoder.
More than one manipulator may be active at the same time.
Examples of manipulators are:

  • http
  • http fast download (e.g. to handle DownThemAll)
  • feed reader
  • WebDAV
  • SMB
  • P2P

Xplico (the decoder) connects to each manipulator over a socket.
A manipulator connection is defined by three parameters, AGGREG, AGHOST and AGPORT, on the same line:

 AGGREG=http    AGHOST=127.0.0.1  AGPORT=23456

AGGREG defines the manipulator protocol type, AGHOST the IP address on which the manipulator is running and AGPORT the port on which it listens. AGHOST takes an IP address; the example uses the loopback address 127.0.0.1, i.e. a manipulator running on the same host as the decoder.

Common definitions

DISPATCH_PARALLEL selects the dispatcher's processing mode: whether the work done by the dispatcher runs in parallel or not. The right choice depends on how the dispatcher is designed, because in parallel mode several dissector threads call it at the same time. With

 DISPATCH_PARALLEL=1

the dispatcher is called concurrently from the dissector threads; with

 DISPATCH_PARALLEL=0

it is called from a single thread, so its work is serialized.

CAPTURE_LOG defines the log level of the capture module:

 CAPTURE_LOG=FEWITDS

CORE_LOG defines the log level of the Xplico core (all code outside the modules):

 CORE_LOG=FEWITDS

LOG_DIR_PATH and LOG_BASE_NAME define the directory and the base name of the log files:

 LOG_DIR_PATH=tmp/
 LOG_BASE_NAME=xplico

Finally, TMP_DIR_PATH defines the directory in which temporary files are created:

 TMP_DIR_PATH=tmp/xplico

Log Levels

Xplico has seven log levels. Each level is represented by a letter; putting that letter in a LOG mask enables the level.

 Letter  Log level
 F       Fatal
 E       Error
 W       Warning
 I       Information
 T       Trace
 D       Debug
 S       Startup/Statistics

When a Fatal, Error or Warning condition occurs, Xplico writes a log line (if that level is enabled) and an XML file; the log line identifies the XML file. With this XML file and the xml2pcap.php script the event that generated the log entry can be isolated. The command is:

 /opt/xplico/script/xml2pcap.php xml_file.xml isolate.pcap

This produces a PCAP containing only the data (flows) that caused the problem, which is a clear help in debugging and developing dissectors.

Example file

An example configuration file:

#---------- Config file of xplico

#---------- Modules params
#------ Module directory path

MODULES_DIR=/opt/xplico/bin/modules

#------ Module name and log mask
#---- type of mask:
#---- F -> Fatal
#---- E -> Error
#---- W -> Warning
#---- I -> Information
#---- T -> Trace
#---- D -> Debug
#---- S -> Startup/Statistics
#-- example: MODULE=dis_gian LOG=FEWITS

MODULE=dis_pcapf.so      LOG=FEWITDS
MODULE=dis_pol.so        LOG=FEWITDS
MODULE=dis_lis.so        LOG=FEWITDS
MODULE=dis_eth.so        LOG=FEWITDS
MODULE=dis_ppp.so        LOG=FEWITDS
MODULE=dis_ip.so         LOG=FEWITDS
MODULE=dis_ipv6.so       LOG=FEWITDS
MODULE=dis_tcp.so        LOG=FEWITDS
#MODULE=dis_tcp_soft.so   LOG=FEWITDS
MODULE=dis_udp.so        LOG=FEWITDS
MODULE=dis_http.so       LOG=FEWITDS
MODULE=dis_pop.so        LOG=FEWITDS
MODULE=dis_imap.so       LOG=FEWITDS
MODULE=dis_smtp.so       LOG=FEWITDS
MODULE=dis_httpfd.so     LOG=FEWITDS
MODULE=dis_sip.so        LOG=FEWITDS
MODULE=dis_rtp.so        LOG=FEWITDS
MODULE=dis_sdp.so        LOG=FEWITDS
#MODULE=dis_l2tp.so       LOG=FEWITDS
#MODULE=dis_vlan.so       LOG=FEWITDS
MODULE=dis_ftp.so        LOG=FEWITDS
MODULE=dis_dns.so        LOG=FEWITDS
MODULE=dis_icmp.so       LOG=FEWITDS
MODULE=dis_nntp.so       LOG=FEWITDS
MODULE=dis_irc.so        LOG=FEWITDS
MODULE=dis_ipp.so        LOG=FEWITDS
MODULE=dis_pjl.so        LOG=FEWITDS
MODULE=dis_mms.so        LOG=FEWITDS
MODULE=dis_sll.so        LOG=FEWITDS
MODULE=dis_tcp_grb.so    LOG=FEWITDS
MODULE=dis_udp_grb.so    LOG=FEWITDS



#---------- Dispatch module
#------ Module name
#DISPATCH=disp_xsystem.so LOG=FEWITDS
#DISPATCH=disp_lite.so LOG=FEWITDS
DISPATCH=disp_none.so LOG=FEWITDS
#DISPATCH=disp_embedded.so LOG=FEWITDS

#---- Flag. If 0 the 'DISPATCH' module is called from only one thread,
#----       otherwise (1) every dissector thread calls the 'DISPATCH' module function concurrently
DISPATCH_PARALLEL=1

#------ Aggregator connection
#AGGREG=http    AGHOST=127.0.0.1  AGPORT=23456



#---------- Log
#---- capture mask
CAPTURE_LOG=FEWITDS

#---- core mask
CORE_LOG=FEWITDS

#---- log directory and name base
LOG_DIR_PATH=tmp/
LOG_BASE_NAME=xplico


#---------- TMP directory path
TMP_DIR_PATH=tmp/xplico
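The whole format described above (dissector, dispatcher, manipulator and common definitions, plus the LOG masks from the Log Levels section) can be checked before Xplico is started with a small parser. The following is an added example written for this page, not code from the Xplico project. It embeds two constructed configs (a trimmed copy of the example file and a deliberately broken one), treats LOG letters case-insensitively and rejects MODULE values that are not bare .so file names; both of those are policies of this example, not documented Xplico behaviour. The error strings, the XplicoConfig class and the function names are likewise this example's own.

```python
"""Parser and linter for the Xplico config format described on this page.
Added example, not Xplico's own code; the sample configs are constructed."""
import ipaddress
from dataclasses import dataclass, field

# Letter -> level name, from the Log Levels table on this page.
LOG_LEVELS = {"F": "Fatal", "E": "Error", "W": "Warning", "I": "Information",
              "T": "Trace", "D": "Debug", "S": "Startup/Statistics"}
MASK_KEYS = {"CAPTURE_LOG", "CORE_LOG"}
PATH_KEYS = {"MODULES_DIR", "LOG_DIR_PATH", "LOG_BASE_NAME", "TMP_DIR_PATH"}


@dataclass
class XplicoConfig:
    modules: list = field(default_factory=list)      # [(so_name, {enabled levels})]
    dispatch: tuple = None                           # (so_name, {enabled levels})
    aggregators: list = field(default_factory=list)  # [(protocol, ip, port)]
    common: dict = field(default_factory=dict)       # scalar key -> value
    errors: list = field(default_factory=list)       # lint findings


def parse_mask(mask, where, errors):
    """FEWITDS -> set of enabled level names. Unknown letters are reported rather
    than silently ignored; case-insensitive matching is this example's assumption."""
    levels = set()
    for ch in mask:
        if ch.upper() in LOG_LEVELS:
            levels.add(LOG_LEVELS[ch.upper()])
        else:
            errors.append(f"{where}: unknown log letter {ch!r} in LOG={mask}")
    return levels


def parse_config(text):
    """'#' starts a comment; a line holds one or more KEY=VALUE tokens."""
    cfg = XplicoConfig()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        where, kv = f"line {lineno}", {}
        for tok in line.split():
            key, _, value = tok.partition("=")
            kv[key] = value
        if "MODULE" in kv:
            name = kv["MODULE"]
            # Dissectors are loaded from MODULES_DIR, so this linter insists on a bare
            # .so file name (a policy of this example, not a rule Xplico documents).
            if "/" in name or not name.endswith(".so"):
                cfg.errors.append(f"{where}: MODULE must be a bare .so name, got {name!r}")
            cfg.modules.append((name, parse_mask(kv.get("LOG", ""), where, cfg.errors)))
        elif "DISPATCH" in kv:
            if cfg.dispatch is not None:
                cfg.errors.append(f"{where}: second DISPATCH; only one dispatcher is allowed")
            else:
                cfg.dispatch = (kv["DISPATCH"], parse_mask(kv.get("LOG", ""), where, cfg.errors))
        elif "AGGREG" in kv:
            try:  # AGHOST is an IP address and AGPORT a port number; both are required
                host = str(ipaddress.ip_address(kv["AGHOST"]))
                port = int(kv["AGPORT"])
                if not 1 <= port <= 65535:
                    raise ValueError(f"AGPORT {port} out of range")
                cfg.aggregators.append((kv["AGGREG"], host, port))
            except (KeyError, ValueError) as exc:
                cfg.errors.append(f"{where}: bad manipulator connection {kv}: {exc}")
        else:
            for key, value in kv.items():
                if key in MASK_KEYS:
                    parse_mask(value, where, cfg.errors)
                elif key == "DISPATCH_PARALLEL" and value not in ("0", "1"):
                    cfg.errors.append(f"{where}: DISPATCH_PARALLEL must be 0 or 1, got {value!r}")
                elif key not in PATH_KEYS | {"DISPATCH_PARALLEL"}:
                    cfg.errors.append(f"{where}: unknown key {key!r}")
                    continue
                cfg.common[key] = value
    if "MODULES_DIR" not in cfg.common:
        cfg.errors.append("missing MODULES_DIR: nowhere to load dissectors from")
    return cfg


SAMPLE_CFG = """\
MODULES_DIR=/opt/xplico/bin/modules
MODULE=dis_pcapf.so      LOG=FEWITDS
MODULE=dis_ip.so         LOG=FEWITDS
#MODULE=dis_tcp_soft.so   LOG=FEWITDS
MODULE=dis_http.so       LOG=FEW
DISPATCH=disp_none.so LOG=FEWITDS
DISPATCH_PARALLEL=1
AGGREG=http    AGHOST=127.0.0.1  AGPORT=23456
CORE_LOG=FEWITDS
TMP_DIR_PATH=tmp/xplico
"""

BAD_CFG = """\
MODULE=dis_ip.so LOG=FEWX
MODULE=/tmp/dis_x.so LOG=F
DISPATCH=disp_none.so LOG=FEWITDS
DISPATCH=disp_lite.so LOG=FEWITDS
AGGREG=http AGHOST=localhost AGPORT=23456
AGGREG=smb AGHOST=127.0.0.1 AGPORT=70000
DISPATCH_PARALLEL=2
"""
```

Feed parse_config the text of the file you intend to pass to xplico -c and inspect the returned errors list before starting Xplico: on SAMPLE_CFG it is empty, while BAD_CFG yields one finding per mistake (the unknown letter X, the non-bare module path, the second DISPATCH line, a host name where an IP address is expected, a port out of range, an invalid DISPATCH_PARALLEL value and the missing MODULES_DIR). Lines starting with # are skipped exactly as in the example file, so the commented-out dis_tcp_soft.so module is not counted.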
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 4.0 International