With this interface it is possible to create a new case, add a new capture file, and view all data extracted by the decoder.
First we have to log in: the default user is xplico and the password is xplico.
User administrator: admin → xplico
At this point we have to create a new case. In Xplico a case coincides with a listening point (a capture point in the network), because the Xplico system (decoding manager, decoder, manipulators, …) tries to correlate the extracted data, to:
For every case we have to define:
At this point we have a list of all cases created.
A case is composed of one or more sessions, so selecting a case takes us to the sessions page. In Xplico each session contains the data acquired in a specific time interval; the time intervals of the sessions must be disjoint, and the starting time of each session must be greater than or equal to the ending time of the previous session.
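The ordering rule above can be checked before capture files are loaded into successive sessions. The following is an added example, not part of Xplico; it assumes classic pcap files (not pcapng) with microsecond timestamps, and the function names, session names and sample captures are constructed for illustration.

```python
import struct

# Classic pcap magic numbers (microsecond timestamps) mapped to struct byte order.
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def pcap_time_span(data):
    """Return (first, last) packet time in seconds for classic pcap bytes."""
    order = MAGIC.get(data[:4])
    if order is None:
        raise ValueError("not a classic microsecond pcap file")
    offset, stamps = 24, []              # skip the 24-byte global header
    while offset + 16 <= len(data):      # each record has a 16-byte header
        sec, usec, incl_len, _ = struct.unpack_from(order + "IIII", data, offset)
        stamps.append(sec + usec / 1_000_000)
        offset += 16 + incl_len
    if not stamps:
        raise ValueError("capture contains no packets")
    return min(stamps), max(stamps)

def check_sessions(sessions):
    """sessions: ordered list of (name, [pcap bytes, ...]); returns rule violations."""
    problems, prev = [], None
    for name, captures in sessions:
        spans = [pcap_time_span(c) for c in captures]
        start, end = min(s[0] for s in spans), max(s[1] for s in spans)
        if prev and start < prev[1]:
            problems.append(f"{name} starts at {start} but {prev[0]} ends at {prev[1]}")
        prev = (name, end)
    return problems

def make_pcap(timestamps):
    """Constructed sample: little-endian pcap, one 4-byte dummy packet per timestamp."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts in timestamps:
        out += struct.pack("<IIII", ts, 0, 4, 4) + b"\x00" * 4
    return out

if __name__ == "__main__":
    first = make_pcap([1000, 1100, 1200])
    second = make_pcap([1150, 1400])     # overlaps the first session
    for line in check_sessions([("session1", [first]), ("session2", [second])]):
        print(line)
```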
To create a new session inside a case we have to click the “New sol” button. A session is defined only by a name: the session name.
As mentioned, every case can have more than one session.
Selecting the session takes us to the summary page of the data decoded for this session.
To each session we can add one or more capture files. This is done with the “Pcap set” form.
Clicking on “List” shows the list of data entered.
“Session Data” reports the name of the case and the session, and the start and end times of the data entered.
In “Session Data” you can also select the source host and see the data of this host.
If you have created a “Live Capture Case”, you can select the network interface and start/stop acquisition from the Session page of XI.
The email page presents a list of all emails sent and received.
The search form lets us find emails by subject, receivers and sender.
Selecting one of the emails displays it, even if it is in HTML and contains attached files.
For each email we can obtain a PCAP containing only the flow that carries it. To do that, hover the mouse over the info line and click the pcap link.
Entering the Web menu we can view all HTTP contents of the session. We can select or search for a content.
Clicking on a link opens a new (separate) page in which the Xplico System rebuilds the full URL of that page from the decoded pcap. The Xplico System simulates the original cache of the browser, provided of course that the pcap (across all sessions of the case) contains the data needed to simulate the cache.
This works if and only if the proxy is enabled in Firefox and points to the server that runs the Xplico System.
Besides, for each content we can examine the request header, response header and body by clicking the method link.
It is possible to obtain a pcap containing only the flow that transports the content.
If the content is a video (flv format) we can watch it directly by clicking the URL.
On this page we can view a list of all documents printed on a network printer that uses the “Printer Command Language”. Every document is converted to PDF format.
The pages of FTP and TFTP are similar.
On the main page we can see the list of all connections to the ftp/tftp server, with the corresponding number of files downloaded and uploaded.
For every server, clicking on the link shows the server information, user name, password, commands, files downloaded and files uploaded.
For each file you can get the corresponding pcap file that contains only the packets belonging to that file.
You can also examine all the commands exchanged with the server.
The DNS page displays all the DNS responses without error, listing the canonical name if it exists and the first IP of the response. Again you can search by host or IP.
From the Graphs link on the main DNS page it is possible to plot the statistics of DNS responses, or view the chart of the 50 most popular hosts.
Most popular host.
If MMS messages (Multimedia Messaging Service) are transported by the HTTP protocol, the Xplico decoder can decompose each MMS message into its contents, i.e. text, video and images.
The main page of MMS reports the list of decoded MMS messages;
clicking on a link shows the content of the message.
If you have the MMS message in binary (raw) form, you can decode it with the mmsdec tool.