Xplico Interface

With this interface it is possible to create a new case, add a new capture file, and view all the data extracted by the decoder.
First we have to log in. Login page: the default user is xplico and the password is xplico.
Administrator user: adminxplico

The Case

At this point we have to create a new case. In Xplico a case coincides with a listening point (a capture point in the network), because the Xplico system (decoding manager, decoder, manipulators, …) tries to correlate the extracted data in order to:

  • emulate the browser cache
  • reconstruct P2P files (downloaded over many days)
  • reconstruct files downloaded with tools similar to DownThemAll
  • … and so on

For every case we have to define:

  • a name (a unique one is better)
  • the source of the data, that is, whether it comes from files or from a network interface
  • optionally an external reference. This external reference can help you locate the repository of this new case.

New case page

At this point we have a list of all the cases created.

Cases list

The Session

A case is composed of one or more sessions, so selecting a case takes us to the sessions page. In Xplico each session contains the data acquired in a specific time interval; the time intervals of the sessions must be disjoint, and the starting time of each session must be greater than or equal to the ending time of the previous session.
To create a new session inside a case we have to click the “New sol” button. A session is defined only by its name: session name

New session

As mentioned, every case can have more than one session.

Session list

Capture Files

Selecting a session we enter the summary page of the data decoded for this session.

Session summary page

To each session we can add one or more capture files. This is done with the “Pcap set” form.

Clicking on “List” we get the list of the data entered.
In “Session Data” we report the name of the case and of the session, and the start and end time of the data entered.
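The session rule above (disjoint intervals, each start at or after the previous end) and the start/end times shown in “Session Data” both derive from the packet timestamps in the capture files. The following added example, which is not part of the original page or of Xplico itself, reads the time range of each classic pcap file and checks a planned set of sessions against that rule before the files are uploaded; the session names and the generated capture bytes are constructed sample data.

```python
import struct
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Classic pcap magic numbers: microsecond and nanosecond variants, both byte orders.
_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", 10**6), b"\xa1\xb2\xc3\xd4": (">", 10**6),
    b"\x4d\x3c\xb2\xa1": ("<", 10**9), b"\xa1\xb2\x3c\x4d": (">", 10**9),
}

def pcap_time_range(data: bytes) -> Tuple[float, float]:
    """Earliest and latest packet timestamp (epoch seconds) in a classic pcap."""
    if len(data) < 24 or data[:4] not in _MAGICS:
        raise ValueError("not a classic pcap file")
    endian, divisor = _MAGICS[data[:4]]
    off, stamps = 24, []
    while off + 16 <= len(data):
        sec, frac, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        stamps.append(sec + frac / divisor)
        off += 16 + incl_len            # skip the record header and the captured bytes
    if not stamps:
        raise ValueError("pcap contains no packets")
    return min(stamps), max(stamps)     # min/max: packets are not guaranteed to be in order

@dataclass
class Session:
    name: str
    start: float
    end: float

def session_from_pcaps(name: str, files: Iterable[bytes]) -> Session:
    """Interval a session would cover once these capture files are added to it."""
    ranges = [pcap_time_range(f) for f in files]
    return Session(name, min(r[0] for r in ranges), max(r[1] for r in ranges))

def check_sessions(sessions: List[Session]) -> List[str]:
    """Violations of the rule: intervals disjoint, each start >= previous end."""
    ordered = sorted(sessions, key=lambda s: s.start)
    return [f"{cur.name} starts at {cur.start:.0f}, before {prev.name} ends at {prev.end:.0f}"
            for prev, cur in zip(ordered, ordered[1:]) if cur.start < prev.end]

def build_pcap(timestamps: Iterable[float], payload: bytes = b"\x00" * 14) -> bytes:
    """Constructed sample input: minimal little-endian pcap with one dummy frame per timestamp."""
    out = bytearray(b"\xd4\xc3\xb2\xa1" + struct.pack("<HHiIII", 2, 4, 0, 0, 65535, 1))
    for ts in timestamps:
        sec = int(ts)
        usec = int(round((ts - sec) * 10**6))
        out += struct.pack("<IIII", sec, usec, len(payload), len(payload)) + payload
    return bytes(out)
```

Run `check_sessions` over the sessions you intend to create; any reported overlap means the offending capture file belongs in a different session or the session boundaries must move.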

In “Session Data” you can also select a source host and see the data of that host.

Live Capture

If you have created a “Live Capture Case” then you can select the network interface and start/stop the acquisition from the Session page of XI.

Email

The email page presents a list of all the emails sent and received.

Emails List, with:

  • the time of dispatch
  • the subject
  • the sender
  • the receivers, even if sent as Bcc
  • the size of the email (attachments included)

The search form lets us find emails by subject, receivers and sender.
Selecting one of the emails shows it, even if it is in HTML and contains attached files.

For each email we can obtain the PCAP with only the flow that contains it. To do that we have to hover the mouse over the info line and click the pcap link.

Web

Entering the Web menu we can view all the HTTP content of the session. We can select or search a content.

Clicking on a link opens a new (separate) page in which the Xplico System rebuilds the full URL of that page, as contained in the decoded pcap. The Xplico System simulates the original cache of the browser, provided of course that the pcaps (in all the sessions of the case) contain the data needed to simulate the cache.
Everything works if and only if the proxy is enabled in Firefox and it points to the server that runs the Xplico System.

Besides, for each content we can examine the request header, the response header and the body by clicking on the method link.
It is also possible to obtain the pcap containing only the flow that transported the content.

If the content is a video (flv format) we can view the video directly by clicking the URL.

Images

To get an overview of all the images transported over the HTTP protocol we can open the Images menu.

Printer

In this page we can view a list of all the documents printed with network printers that use the “Printer Command Language”. Every document is converted to PDF format.

FTP and TFTP

The FTP and TFTP pages are similar.
In the main page we can see the list of all connections to ftp/tftp servers, with the corresponding number of files downloaded and uploaded.

For every server, clicking on the link, we can see the server information, user name, password, commands, files downloaded and files uploaded.

For each file you can obtain the corresponding pcap file that contains only the packets belonging to that file.

You can also examine all the commands exchanged with the server.

DNS

The DNS page displays all the DNS responses without error, listing the canonical name, if it exists, and the first IP of the response. Again you can search by host or by IP.

DNS Temporal List

From the Graphs link in the main DNS page it is possible to represent the statistics of the DNS responses as a graph, or to view the chart of the 50 most popular hosts.

DNS Response Graph

Most popular hosts.

DNS Host Graph

MMS

If the MMS messages (Multimedia Messaging Service) are transported over the HTTP protocol, then the Xplico decoder can decompose the MMS message into its content, i.e. text, video and images.
The main page of MMS reports the list of decoded MMS messages; clicking on a link we can see the content of the message.

If you have the MMS message in binary (raw) form, you can decode it with the mmsdec tool.

NNTP

GeoMap

During session decoding Xplico produces a KML file; this file, used with Google Earth, gives you a temporal and geographical map of the connections decoded by Xplico.

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution 4.0 International