How to decode large amounts of data

If you have GBs or TBs of data to decode, the steps are these (after you have installed Xplico and XI):

sudo su
cd /opt/xplico
rm -rf pol_*
rm xplico.db
cd /opt/xplico/script/db/sqlite2
./create_xplico_db.sh

With XI create ONLY one case, and inside this case ONLY one session. Now run DEMA (the decoding manager):

/opt/xplico/script/sqlite_demo.sh

At this point copy all your pcap files (at any time, even on a daily basis) into this directory (file names must sort alphabetically in order of capture time):

/opt/xplico/pol_1/sol_1/new/

With the sqlite DB, decoding is very slow. In the CLI you get the highest speed, but the extracted data are more difficult to read and view.
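The step above requires that file names sort alphabetically in capture order. As an added example (not part of the original wiki page), this Python helper reads the first packet timestamp from each classic pcap file and copies it into the pol_1/sol_1/new/ directory under a time-prefixed name; it assumes classic pcap files (pcapng is rejected) and the single case/session layout created by the steps above.

```python
import os
import shutil
import struct
from datetime import datetime, timezone

# Destination from the wiki procedure: case 1, session 1 of the running DEMA.
XPLICO_NEW_DIR = "/opt/xplico/pol_1/sol_1/new/"

# Classic pcap magic numbers -> struct byte-order prefix (usec and nsec variants).
_PCAP_MAGIC = {
    b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian
    b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">",   # big-endian
}

def first_packet_time(head: bytes) -> datetime:
    """UTC time of the first packet record; head = 24-byte global header + 16-byte record header."""
    if len(head) < 40:
        raise ValueError("need at least 40 bytes: global header + first record header")
    order = _PCAP_MAGIC.get(head[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    ts_sec, = struct.unpack(order + "I", head[24:28])  # record header starts with ts_sec
    return datetime.fromtimestamp(ts_sec, tz=timezone.utc)

def sortable_name(original_name: str, head: bytes) -> str:
    """Prefix the file name with its capture time so lexical order equals capture order."""
    stamp = first_packet_time(head).strftime("%Y%m%dT%H%M%S")
    return f"{stamp}_{original_name}"

def stage_pcaps(paths, dest=XPLICO_NEW_DIR):
    """Copy each pcap into Xplico's new/ directory; returns the names in pickup order."""
    staged = []
    for path in paths:
        with open(path, "rb") as fh:
            head = fh.read(40)
        name = sortable_name(os.path.basename(path), head)
        shutil.copy2(path, os.path.join(dest, name))
        staged.append(name)
    return sorted(staged)

def make_sample_pcap(ts_sec: int, little_endian: bool = True) -> bytes:
    """Constructed minimal pcap (one empty packet record) used only for testing."""
    order = "<" if little_endian else ">"
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    global_hdr = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    record_hdr = struct.pack(order + "IIII", ts_sec, 0, 0, 0)
    return global_hdr + record_hdr
```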

XI and live capture

If you are using version 0.5.3 (or newer) of Xplico, you can select live capture when creating a 'Case' from XI.

For older versions of Xplico, to use XI with live capture follow these steps:

  • remove /opt/xplico/xplico.db
  • remove all /opt/xplico/pol
  • exec:
    cd /opt/xplico/script/db/sqlite2
    ./create_xplico_db.sh
    
  • with XI create only one case
  • inside this case create only one listening session (sol)

At this point, in /opt/xplico/script you can find the script rt_demo.sh. Edit this file to change the network interface in the tcpdump command, then run the script (as root). Remember: do NOT run sqlite_demo.sh.

Disable checksum verification

To disable all checksum verification, use the config file “xplico_cli_nc.cfg”, i.e.:

cp /opt/xplico/cfg/xplico_cli.cfg /opt/xplico/cfg/xplico_cli.CHECKSUM_ACTIVATED.cfg
cp /opt/xplico/cfg/xplico_install_lite.cfg /opt/xplico/cfg/xplico_install_lite.CHECKSUM_ACTIVATED.cfg
cp /opt/xplico/cfg/xplico_cli_nc.cfg /opt/xplico/cfg/xplico_cli.cfg
cp /opt/xplico/cfg/xplico_install_lite_nc.cfg /opt/xplico/cfg/xplico_install_lite.cfg

Decoding loopback interface

Just disable checksum verification.

Getting a list of files created from decoding traffic

For third-party applications it may be useful to know which files Xplico has created in the decoded folder. To activate this feature at compile time:

make CLI_LIST=1

The file /opt/xplico/lastdata.txt will be written every few seconds. Your application can move it to another folder and process the paths it contains, and Xplico will create the file again with the new paths from that moment on (Xplico appends paths to that file, so it is easy to build an automatic process, and the file won't grow dramatically). To get one “lastdata.txt” per solution (in its “pol_xy” folder), set

XS_ONE_FILE_PATHS=1

in “dispatch/lite/lite.h” before compiling.

In version 0.5.3 this only works in xplico_cli: # xplico -m [rltm/pcap] -[i eth0/f file.pcap]

Except where otherwise noted, content on this wiki is licensed under the following license:CC Attribution-Noncommercial-Share Alike 3.0 Unported