Xplico is written from scratch; it does not use tshark or tcpdump, and it was not born as a sniffer. It makes no sense to use it in live mode.
Not directly. In Xplico the packets cannot be copied and sent to two separate dissectors (a structural constraint). For real-time decoding the module is rltm (-m rltm), but packets may be lost, because Xplico's average processing time for a single packet may be longer than the average interval between arriving packets. An alternative is to use another sniffer and use Xplico just for decoding:
mkfifo p.pcap                                   # named pipe that Xplico will read from
tcpdump -s0 -w b.pcap -i eth0 -p &              # capture to a growing pcap file (-A is ignored with -w)
tail -c +1 -f b.pcap > p.pcap &                 # feed the whole file, header included, into the pipe
./xplico -m pcap -f p.pcap                      # decode from the pipe as if it were a static pcap
All flows (packets) end up in two dissectors: tcp_grb.c and udp_grb.c. In these two dissectors the data (packets) are discarded. If you change the define #define GRB_FILE 0 to #define GRB_FILE 1, the data will instead be saved to pcap files (one file for each flow).
At this time: no. It depends on the protocol you want to implement. In Xplico a dissector is classified in two different ways. First type:
Second type:
TCP is a packet dissector and a node flow dissector. IP is a packet dissector but not a node flow dissector. HTTP is a flow dissector but not a node flow dissector.
Usually dissectors of application protocols are flow dissectors but not node flow dissectors. The best example is the source code of the TFTP dissector: this is a protocol that requires multiple streams (the data come from different tuples).
Many dissectors (leaf dissectors) define PEIs (Information protocol elements). You can view the PEIs of all dissectors with these commands: ./xplico -i http, ./xplico -i pop, … Each PEI is delivered to the Dispatcher (module dispatcher). The dispatcher for the CLI does nothing; the dispatcher for XI populates the SQLite DB. In practice, a PEI is the extracted data in a standardized form. Anyone can easily develop their own Dispatcher without knowing or modifying the protocol dissectors.
Not all dissectors have PEIs, but all dissectors have protocol stack info (./xplico -i http), which is used to create dependencies (heuristic or not) between one dissector and another. ./xplico -g shows the dependencies.
Xplico generates log files named war_*.xml or error_*.xml. These XML files are very useful for debugging if you use the command (system/script):
./xml2pcap.php <xml_file> <output_file> (tshark is necessary)
With it you get a pcap file (<output_file>) containing only the streams (data) that generated the log (<xml_file>). Each XML file has an index (the first number in the file name, i.e. x in war_x or err_x_), and each index corresponds to a line in the log file (xplico_y_m_d.log); in that line the index is in parentheses. Example:
xml file: warn_1_1253080327.xml → index 1
log file: warning line (xml is a warning): 07:52:07 [http]{20}-WARNING: (1) Packets lost in body response
This makes debugging easy (via xml2pcap.php), but only if the module (dissector) actually emits logs.
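As an added example (not part of Xplico), the lookup described above in Python: take the index x from war_x_/err_x_ file names and find the log lines whose parenthesized index matches. The log line format is assumed from the single example above, and the file names and log lines are constructed sample data.

```python
import re

# Constructed sample data, modelled on the names and the single log line shown
# above; not taken from a real Xplico run.
XML_FILES = [
    "warn_1_1253080327.xml",
    "err_2_1253080340.xml",
    "warn_3_1253080351.xml",   # constructed: has no matching log line
]
LOG_LINES = [
    "07:52:07 [http]{20}-WARNING: (1) Packets lost in body response",
    "07:52:20 [pop]{21}-ERROR: (2) Unexpected end of message",
    "07:52:40 [tcp]{23}-INFO: flow closed",   # constructed: no (index)
]

# File name: <warn|war|err|error>_<index>_<timestamp>.xml
XML_NAME_RE = re.compile(r"^(?:warn|war|err|error)_(\d+)_\d+\.xml$")
# Log line format assumed from the example: time [dissector]{flow}-LEVEL: (index) message
LOG_LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) \[(?P<dissector>\w+)\]\{(?P<flow>\d+)\}-"
    r"(?P<level>[A-Z]+): \((?P<index>\d+)\) (?P<message>.*)$"
)


def xml_index(filename):
    """Return the index x encoded in a war_x_/err_x_ style file name, or None."""
    m = XML_NAME_RE.match(filename.rsplit("/", 1)[-1])
    return int(m.group(1)) if m else None


def parse_log_line(line):
    """Parse one xplico_y_m_d.log line; None if it carries no (index)."""
    m = LOG_LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flow"] = int(rec["flow"])
    rec["index"] = int(rec["index"])
    return rec


def correlate(xml_files, log_lines):
    """Map each XML file name to the log records whose (index) matches it."""
    by_index = {}
    for line in log_lines:
        rec = parse_log_line(line)
        if rec is not None:
            by_index.setdefault(rec["index"], []).append(rec)
    return {name: by_index.get(xml_index(name), [])
            for name in xml_files if xml_index(name) is not None}
```

An empty list for a file means the XML exists but no log line with that index was found, which is the case where xml2pcap.php will not help.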
The size of the files that you can upload depends on the PHP/Apache settings. In the file php.ini (Ubuntu: /etc/php5/apache2/php.ini) there are two values that determine the maximum file size:
To upload a file of 100 MB the settings must be:
In some Linux distributions, such as BackTrack 4, you must change permissions with “chmod -R 777 /tmp”.
Check /opt/xplico permissions. A “chmod -R 777 /opt/xplico” never fails.
Don't panic. In old versions, an image used by the web interface to advise that a new release was available was requested from an external server (http://projects.xplico.org/version/xplico_0.5.png). Xplico doesn't send any information to any server. Xplico is GNU software; you can check the code before compiling it. In newer versions this image has been removed.
For anyone experiencing this problem, make sure to install the php5-sqlite package.
Xplico uses SQLite as its DB, and if there are many contents to insert into the DB the speed drops. One solution is to disable the ARP protocol; another is to use MySQL as the DB.
session_mng.pyc is a Python 3 script that uses the httplib2 Python library; if this library is not installed, session_mng.py gives an error. To resolve the problem you must install httplib2. If your Linux distribution does not provide the python3-httplib2 package, you can follow these steps:
Xplico has an HTTP proxy embedded in its PHP code; this proxy is used to show the web pages, emulating, for example, the original cache of the user. By default the XI URL must be an IP address (wiki: http://wiki.xplico.org/doku.php?id=interface#browser); the only exception to this rule is the URL http://demo.xplico.org (for obvious reasons). If you use a name (not an IP) as the URL, XI gives you a blank page, because XI searches for your URL in the decoded data.
To change this behavior you must modify the PHP code: