From 0.6.2 version there is a new script named session_mng.pyc to facilitate management, for older versions read below.
If you have GB or TB of data to be decoded then the steps are these (obviously after installing Xplico and XI):
sudo su cd /opt/xplico rm -rf pol_* rm xplico.db cd /opt/xplico/script/db/sqlite2 ./create_xplico_db.sh
with XI create ONLY one case and inside this case ONLY one session. Now run DEMA (decoding manager):
/opt/xplico/script/sqlite_demo.sh
At this point copy all your pcap files (at any time even on a daily basis) in this directory (file names must be in alphabetical order with the time of capture) :
/opt/xplico/pol_1/sol_1/new/
With the DB sqlite decoding is slow. In CLI you have the highest speed, but the data extracted are more difficult to read and view.
If you are using 0.5.3 (or newer) version of Xplico then you can select live capture when create a 'Case' from XI.
For old version of Xplico to use XI in live capture you follow these steps:
cd /opt/xplico/script/db/sqlite2 ./create_xplico_db.sh
At this point if you go in /opt/xplico/script you can find the script rt_demo.sh. Edit this file changing the network interface in tcpdump command and after run the script (as root) . Remember: do NOT run sqlite_demo.sh
From Xplico 0.6.0 you can disable the checksum verification and the single dissectorfrom XI by the administator pages.
For Xplico before 0.6.0 to disable all checksum verfication, it is necessary to use the config file “xplico_cli_nc.cfg”. Ie:
cp /opt/xplico/cfg/xplico_cli.cfg /opt/xplico/cfg/xplico_cli.CHECKSUM_ACTIVATED.cfg cp /opt/xplico/cfg/xplico_install_lite.cfg /opt/xplico/cfg/xplico_install_lite.CHECKSUM_ACTIVATED.cfg cp /opt/xplico/cfg/xplico_cli_nc.cfg /opt/xplico/cfg/xplico_cli.cfg cp /opt/xplico/cfg/xplico_install_lite_nc.cfg /opt/xplico/cfg/xplico_install_lite.cfg
Just disable checksum verification.
For third applications may be useful to know which files have Xplico created in the decoded folder.
The file /opt/xplico/lastdata.txt will be written each few seconds. Your application can move it to another folder and process the paths included in it, and Xplico will create again that file with the new paths from that moment (Xplico appends paths to that file, so it is easy to have an automatic process, and the file won't grow dramatically). To get one “lastdata.txt” per solution (Session in Case: at its “pol_xy” folder), change
XS_ONE_FILE_PATHS=1
at “dispatch/lite/lite.h” before compiling.
In this version for each dispatcher there is a module to enable this feature
From file /opt/xplico/cfg/xplico_cli.cfg (and /opt/xplico/cfg/xplico_cli_nc.cfg) change the line
DISPATCH=disp_cli.so LOG=FEWITDS
to
DISPATCH=disp_cli_list.so LOG=FEWITDS
By configuration pages from XI.
To activate this feature you have to compile the project with this command:
make CLI_LIST=1
In version 0.5.3 it only works in xplico_cli: # xplico -m [rltm/pcap] -[i eth0/f file.pcap]