Console Mode

This page describes only console mode; if you use the Web interface, see the Web Interface page instead.

In console mode Xplico can decode a single pcap file, a directory of pcap files, or capture and decode in real time from an Ethernet interface (eth0, eth1, …).
The input type is selected with the '-m' option, which loads a particular Xplico capture interface (see Capture modules).

The available capture interfaces are 'pcap' and 'rltm'. Running “./xplico -h -m pcap” prints the help for the pcap interface, and “./xplico -h -m rltm” prints the help for the real-time interface. In console mode, all files extracted by Xplico are placed by default in the ‘xdecode’ directory. Each source IP and each protocol gets its own directory, and inside that directory you find the decoded data.
For example, if the PC with IP 192.168.1.123 sent an email and the PC with IP 192.168.1.159 visited the sites www.iserm.com and www.xplico.org, the xdecode directory tree looks like this:

xdecode/
        |-192.168.1.123/
        |               `-email/
        |                       |-in/
        |                       `-out/
        |
        `-192.168.1.159/
                        `-http/
                               |-www.iserm.com
                               `-www.xplico.org

Examples of use

  • To decode test.pcap, run:
    ./xplico -m pcap -f test.pcap

    When decoding ends, the extracted files are in xdecode/<ip>/http, xdecode/<ip>/mail, xdecode/<ip>/ftp, … and the KML file (Google Earth) is in xdecode/

  • To decode a directory “/tmp/test” containing many pcap files, run:
    ./xplico -m pcap -d /tmp/test

    When decoding ends, the extracted files are in xdecode/<ip>/http, xdecode/<ip>/mail, xdecode/<ip>/ftp, … and the KML file (Google Earth) is in xdecode/

  • To decode eth0 in real time, the command is:
    ./xplico -m rltm -i eth0

    To stop acquisition, press ^C. Since decoding happens in real time, the extracted files are already in xdecode/<ip>/http, xdecode/<ip>/mail, xdecode/<ip>/ftp, … and the KML file (Google Earth) is in xdecode/
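As an added example (not part of Xplico or of this wiki), the POSIX shell script below builds a constructed copy of the xdecode/ tree shown above and then inventories it per source IP and protocol, which is a quick way to see which hosts produced which kind of decoded artefacts after one of the commands above finishes. The file names inside the tree and the KML file name are assumptions made for the sample.

```shell
#!/bin/sh
# Added example: inventory an xdecode/ tree produced by Xplico console mode.
# Assumes the layout described on the page: xdecode/<source ip>/<protocol>/...
# The sample tree and its file names are constructed here; no Xplico run is needed.

# Build a constructed xdecode/ tree mirroring the page's example.
make_sample_xdecode() {
    root="$1"
    mkdir -p "$root/192.168.1.123/email/in" "$root/192.168.1.123/email/out"
    mkdir -p "$root/192.168.1.159/http/www.iserm.com" "$root/192.168.1.159/http/www.xplico.org"
    : > "$root/192.168.1.123/email/out/msg1.eml"           # assumed file name
    : > "$root/192.168.1.159/http/www.iserm.com/index.html" # assumed file name
    : > "$root/192.168.1.159/http/www.xplico.org/index.html"
    : > "$root/192.168.1.159/http/www.xplico.org/logo.png"
    : > "$root/geomap.kml"   # placeholder name for the Google Earth KML in xdecode/
}

# Print one line "<ip> <protocol> <file count>" per source IP / protocol directory.
inventory_xdecode() {
    root="$1"
    for ipdir in "$root"/*/; do
        [ -d "$ipdir" ] || continue          # skip the unmatched glob pattern
        ip=$(basename "$ipdir")
        for protodir in "$ipdir"*/; do
            [ -d "$protodir" ] || continue
            proto=$(basename "$protodir")
            n=$(find "$protodir" -type f | wc -l | tr -d ' ')
            printf '%s %s %s\n' "$ip" "$proto" "$n"
        done
    done
}

# Total files extracted for one protocol across all source IPs,
# e.g. to spot hosts that unexpectedly produced email or ftp artefacts.
count_for_protocol() {
    inventory_xdecode "$1" | awk -v p="$2" '$2 == p { s += $3 } END { print s + 0 }'
}

# Stand-alone usage: build the sample tree in a temporary directory and inventory it.
if [ "${XDECODE_DEMO:-}" = "1" ]; then
    tmp=$(mktemp -d)
    make_sample_xdecode "$tmp/xdecode"
    inventory_xdecode "$tmp/xdecode"
    rm -rf "$tmp"
fi
```

Run with XDECODE_DEMO=1 to print the inventory of the constructed tree; point inventory_xdecode at a real xdecode/ directory to inventory actual Xplico output.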

Xplico has many decoding modules, located in the modules directory; to enable or disable a module, edit the xplico.cfg file (by default in the ./config/ directory).
The GeoMap file (KML) for Google Earth is updated every 30 seconds.

Dissectors graph

The command:

./xplico -g

prints a graph of the relations between the dissectors, limited to the dissectors that are enabled.

Dissectors Information

The command:

./xplico -i <protocol>

prints all information about the dissector named <protocol>.

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution 4.0 International