1º) Xplico's sniffer is a new sniffer using pcap or are you using tshark or tcpdump?

Xplico is written from scratch, it does not use tshark or tcpdump. And not born as sniffer. It makes no sense to use it live mode.

2º) Is there anyway to save at the same time the decoded traffic and in PCAP format?

No directly. In Xplico the packets can not be copied and sent to two separate dissector (structural constraint). For decoding in real time the module is rltm (-m rltm), but it possible to lose packets because it may be that the Xplico average processing time for a single packet it is greater than the average number of packets per second. Anyway, an alternative solution is using another sniffer and use Xplico just for decoding:

mkfifo p.cpap
tcpdump -s0 -A -w b.cpap -i eth0 -p &
tail -f b.cpap > p.cpap
./xplico -m pcap -f p.cpap

3º) What about the traffic of not supported protocols (today) by xplico? i.e. telnet, is there any way to save this traffic too?

All flows (packets) come to two dissectors: tcp_grb.c and udp_grb.c. In these two dissectors the data (packets) is thrown away. But if you change the define: #define GRB_FILE 0 in #define GRB_FILE 1 the data will be saved to pcap file (one file for each flow).

4ª) Is there any how-to or example for creating a protocol decoder?

At this time: no. Depends on the protocol you want to do. In Xplico a dissector is classified with two different kinds. First type:

  1. packet dissector (example: IP, TCP, UDP, ETH, PPP, …)
  2. flow dissector (example: HTTP, POP, …)

Second type:

  1. node flow dissector (ie: the dissector “identifies flows”)
  2. or not

TCP is a packet dissector and node flow dissector. IP is a packet dissector but not node flow dissector. HTTP is a flow dissector but not node flow dissector.

Usually dissectors of application protocols are flow dissector but not node flow dissector. The best example is the source code of the TFTP. This is a protocol that requires multiple streams (the data come from different tuple). Many dissectors (leaf dissector) define the PEI (Information protocol elements). You can view the PEI off all dissector with this command: ./xplico -i http ./xplico -i pop … Each PEI is delivered to Dispatcher (module dispatcher). The dispatcher for cli does nothing. The dispatcher for XI populate the sqlite DB. In practice, Pei is the data (extracted) standardized. Everyone can easily develop their Dispatcher without know or modify protocol dissectors. Not all dissectors have the PEI, but all dissectors have protocol stack info (./xplico -i http), used to create dependencies (heuristics or not) between a dissector and another. ./xplico -g (to view dependecies)

5ª) I have problems dissecting a capture, how can i debug it?

Xplico generates the log files named war_*.xml or error_*.xml, this xml files are many useful for debug if you use the command (system/script):
./xml2pcap.php <xml_file> <output_file> (tshark is necessary)

you can get just the pcap file (<output_file>) with only the streams (data) that generate the log (<xml_file> ). Each XML file has an index (the first number of file name ie x in war_x or err_x_), each index corresponds to a line in the log file (xplico_y_m_d.log) in this line the index is in parentheses. Example:

xml file: warn_1_1253080327.xml → index 1
log file: warning line (xml is a warning): 07:52:07 [http]{20}-WARNING: (1) Packets lost in body response

This makes easy debugging (xml2pcap.php), if and only if there are logs in the module (dissector).

6ª) Why the upload of pcap file fails?

The size of files that you can upload depends on the settings of PHP-Apache. In file php.ini (Ubuntu: /etc/php5/apache2/php.ini) there are two values that determine the maximum size of file:

  1. post_max_size
  2. upload_max_filesize

To upload a file of 100M byte the settings must be:

  1. post_max_size = 100M
  2. upload_max_filesize = 100M

In some Linux distributions, as Backtract4, you must change permissions doing a “chmod -R 777 /tmp”.

7ª) When creating a new case i get a "Please correct errors below."

Check /opt/xplico permissions. A “chmod -R 777 /opt/xplico” never fails.

8ª) Xplico has done a connection to projects.xplico.org, what is that for??

Don't get panic. In old versions an image of the web interface to advise than there is a new release was requested to an external server (http://projects.xplico.org/version/xplico_0.5.png). Xplico doesn't send any information to any server. Xplico is GNU, you can check the code before compiling it. In newer versions this image has been removed.

9ª) Why Xplico has blank page at login?

For anyone experiencing this problem, make sure to install the php5-sqlite package.

10ª) Why Xplico so slow?

Xplico uses SQLite as DB and if there are many contents to insert in the DB then the speed drops. A solution is to disable ARP protocol, and other solution is to use MySQL as DB.

11ª) Why session_mng.pyc gives me an error ?

session_mng.pyc is a Python3 script and it uses httplib2 python library, if this library is not installed session_mng.py gives an error. To resolve the problem you must install httplib2. If your Linux distribution do not give you the python3-httplib2 package then you can flow this steps.

12ª) How do I access Xplico with a hostname instead of IP address ?

Xplico has embedded (in its PHP code) a Http-proxy, this proxy is used to show the web pages, emulating, for example, the original cache of the user. By default the XI url must be an IP address (wiki: http://wiki.xplico.org/doku.php?id=interface#browser ), the only exception to this rule is the url http://demo.xplico.org (for obvious reasons). If you use as url a name (not an ip) then XI give you a blank page, because XI searches your url in the decoded data.

To change this behavior you must modify the PHP code:

  • file /opt/xplico/xi/cake/dispatcher.php
  • replace demo.xplico.org with your host name (used in the url)
 
Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Noncommercial-Share Alike 3.0 Unported
Recent changes RSS feed Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki