Xplico Wiki

api

Mon, 23 Aug 2010 12:07:26 -0700

Xplico API This section contains docstrings that could be used in source code (Doxygen), so they should just rest here temporarily until they are included in the source code (so HTML API documentation could be generated automatically, instead of being on a page like this).

architecture

Mon, 23 Aug 2010 11:10:48 -0700

Xplico System is composed from four macro-components: * a Decoder Manager called Dema * an IP/network decoder called Xplico * a set of applications called Manipulators for the manipulation of decoded data * a visualization system to view data extracted

building

Sun, 08 Apr 2012 00:53:04 -0700

Xplico use source code, libraries, database and applications of other projects, some of those are inside Xplico code but other no, therefore to build Xplico (system) with all features it is necessary download (compile/install) these software: * Xplico source code: SorceForge or BerliOS * GeoIP C API version 1.4.8: GeoIP C API (Optional ) * GeoLite City database : MaxMind (Optional ) * GhostPCL last version: GhostPCL (Optional ) * Videosnarf last version: Videosnarf (Optional )

building_a_basic_dissector_module_over_tcp

Mon, 05 Mar 2012 15:17:46 -0700

This page will provide you with all of the basic information required to create an Xplico dissector for a protocol that uses TCP (e.g. HTTP, Telnet, FTP, etc). The page will walk you through a step-by-step tutorial of creating a basic dissector for a made up HELLOWORLD protocol. This tutorial was based off of Xplico 0.7.1.

configs

Tue, 10 Nov 2009 10:02:17 -0700

The configuration file of Xplico defines: * the dissectors to use * the log level for each dissector * the directory to put all temporary files * the name of log file * the dispatcher to use * the connections with manipulators The default path locations of configurations files are:

console_mode

Sat, 14 Nov 2009 01:53:48 -0700

We describe here only console-mode modality, if you use Web interface then you have to see Web Interface page. Xplico in console-mode permit you to decode a single pcap file, directory of pcap files or decode in real-time from an ethernet interface (eth0, eth1, …). To select the input type you have to use '-m' option. The '-m' option permit you to load a particular xplico capture interface (Capture modules).

decoder

Fri, 06 Aug 2010 16:36:27 -0700

Xplico as network decoder is designed to be used either stand-alone or within architecture. The main characteristics of the decoder are its high modularity, scalability and configurability. The decoder has been designed so that the decoding of the protocol had to be disconnected from the formatting of data (raw) input, and also the format used for data output (reconstruction).

dema

Sat, 17 Oct 2009 08:41:04 -0700

The Dema has the following duties: * organize the input data * set the configuration, history files for the decoder and the manipulators * launch decoder and manipulators * control the execution of decoder and manipulators

developer_tutorials

Fri, 02 Mar 2012 14:47:14 -0700

Tutorials will be added periodically. * Building A Basic Dissector Module (over tcp) (in progress) * Testing And Debugging A Dissector Module (coming soon)

doing_a_deb_package

Mon, 26 Oct 2009 04:55:11 -0700

For creating a .deb package for Xplico, follow these instructions: 1º) Download the source code #wget http://developer.berlios.de/project/showfiles.php?group_id=8919 (Choose i.e. xplico-0.5.4.tgz or later) 2º) Untar it # tar xvfz xplico-0.5.4.tgz # cd xplico

faq

Sun, 06 May 2012 23:28:52 -0700

1º) Xplico's sniffer is a new sniffer using pcap or are you using tshark or tcpdump? Xplico is written from scratch, it does not use tshark or tcpdump. And not born as sniffer. It makes no sense to use it live mode. 2º) Is there anyway to save at the same time the decoded traffic and in PCAP format? No directly. In Xplico the packets can not be copied and sent to two separate dissector (structural constraint). For decoding in real time the module is rltm (-m rltm), but it possible to lose pac…

helloworld_protocol

Fri, 02 Mar 2012 12:43:10 -0700

This page defines the HELLOWORLD protocol for which a basic dissector module will be created for. Protocol Definition helloworldstarts (16 byte protocol string) (8 byte message) helloworldending (16 byte protocol string) TCP socket connection:

interface

Tue, 11 Jan 2011 22:54:26 -0700

The Xplico Interface is developed in PHP and it is based to CakePHP framework. This interface can use or SQLite database or MySQL database, at the moment only SQLite dispatcher is completed and tested in Xplico decoder. MySQL database dispatcher and XI configuration file for MySQL can be obtained from iSerm.

modules

Wed, 18 Aug 2010 09:24:48 -0700

Xplico reads in traffic data (capture modules), dissects information from this data according to protocols (dissector modules), and then dispatches the information to a desired output destination (dispatcher modules). Every part of the decoder is a plugin and then a module. In Xplico (decoder), we distinguish between three types of modules:

pcap-over-ip

Tue, 14 Feb 2012 01:23:29 -0700

Starting from Xplico 1.0.0 we added the feature PCAP-over-IP. From the Xplico Interface you can view the port number where the PCAP-over-IP is enabled. If Xplico server has IP 192.168.0.195 then to transfer the file my_file.pcap the command is: cat my_file.pcap | nc 192.168.0.195 30001

scripts

Sat, 09 Apr 2011 02:28:18 -0700

session_mng.pyc From release 0.6.2 there is a new tool to facilitate the creation of new case and/or new session from command line. This tool is compatible with the SQLite and MySQL DB (lite and ximysql dispatchers and XI). The tool path is /opt/xplico/script/session_mng.pyc and its use is very simple.

testing_and_debugging_a_dissector_module

Fri, 02 Mar 2012 13:50:39 -0700

tips_tricks

Fri, 10 Feb 2012 06:17:27 -0700

From 0.6.2 version there is a new script named session_mng.pyc to facilitate management, for older versions read below. If you have GB or TB of data to be decoded then the steps are these (obviously after installing Xplico and XI): sudo su cd /opt/xplico rm -rf pol_* rm xplico.db cd /opt/xplico/script/db/sqlite2 ./create_xplico_db.sh

tutorial

Tue, 28 Feb 2012 23:56:43 -0700

Xplico 1.0.0 * How to update the DB (SQLite or/and MySQL) * Step by Step Xplico Installation (from source code) * Command line to create new session and case, useful with XI * Ubuntu 11.04 or higher installation Xplico 0.7.0 and 0.7.1 * Step by Step Xplico Installation * Command line to create new session and case, useful with XI

ubuntu

Wed, 02 May 2012 14:58:33 -0700

You have two possibility: Xplico Repository If you are using Ubuntu 11.04, 11.10 or 12.04 then you can use our repository: sudo bash -c 'echo "deb http://repo.xplico.org/ $(lsb_release -s -c) main" >> /etc/apt/sources.list' sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 791C25CE sudo apt-get update sudo apt-get install xplico

web_interface

Mon, 13 Dec 2010 22:42:51 -0700

With this interface it is possible to create new case, introduce new capture file, view all data extracted by the decoder. First we have to log in: [Login page] the default user is xplico and the password is xplico. User administrator: admin -> xplico

xplico

Wed, 15 Feb 2012 09:10:48 -0700

This is the wiki site of Xplico Network Forensic Analysis Tool (NFAT). This application is still under heavy development, so it is possible that you will encounter a bug while using it. Don't hesitate to report bugs to bug[@]xplico.org and/or use the forum. Every feature requests and comments are well come.