Developer(s): Gianluca Costa & Andrea de Franceschi
Stable release: 1.1.0 / December 27, 2013
Written in: C, PHP, Python
License: GNU General Public License
Unlike a protocol analyzer, whose main purpose is not the reconstruction of the data carried by the protocols, Xplico was created expressly to reconstruct the application data of the protocols, and it recognizes protocols with a technique named Port Independent Protocol Identification (PIPI), i.e. by inspecting the content of the stream rather than relying on the port number.
To clarify what Xplico does, imagine having the raw data (Ethernet or PPP) of a web browsing session (HTTP protocol): Xplico is able to extract and reconstruct all the web pages and their contents (images, files, cookies, and so on). Similarly, Xplico is able to reconstruct the e-mails exchanged over the IMAP, POP and SMTP protocols.
Xplico's software architecture provides:
- an input module to handle data input (from probes or a packet sniffer)
- an output module to organize the decoded data and present it to the end user
- a set of decoding modules, called protocol dissectors, for the decoding of the individual network protocols
Thanks to the output module, Xplico can have different user interfaces: it can be used from the command line and from a web user interface called "Xplico Interface". The protocol dissectors are the modules that decode the individual protocols; each protocol dissector can reconstruct and extract the data of its protocol.
All modules are plug-ins and, through the configuration file, each can be loaded or not during execution of the program. This allows the decoding to be focused: if you want to decode only VoIP calls but not the web traffic, you configure Xplico to load only the RTP and SIP modules and exclude the HTTP module.
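The following Python snippet is an added illustration of the idea behind Port Independent Protocol Identification described above; it is not Xplico's own code, and the signatures, the port table and the sample streams are constructed for the example. It classifies each stream once by port and once by its first bytes, so that streams carried on non-standard ports stand out.

```python
import re

# Constructed sample streams (not captured traffic): the first bytes a dissector
# would see on a TCP/UDP flow, paired with the server port the flow used.
SAMPLES = [
    (8080, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (2525, b"220 mail.example.test ESMTP Postfix\r\n"),
    (443, b"INVITE sip:bob@example.test SIP/2.0\r\nVia: SIP/2.0/UDP 10.0.0.1\r\n"),
    (80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    (110, b"+OK POP3 server ready\r\n"),
    (25, b"\x00\x00\x00\x00\x00\x00"),
]

# Classic port-based mapping: what a port-only analyzer would report.
PORT_TABLE = {80: "http", 25: "smtp", 110: "pop3", 143: "imap", 443: "tls", 5060: "sip"}

# Payload signatures checked against the start of the stream. These are
# illustrative patterns written for this example, not Xplico's dissector logic.
SIGNATURES = [
    ("http", re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("sip", re.compile(rb"^(?:INVITE|REGISTER|OPTIONS|BYE|ACK) sip:\S+ SIP/2\.0\r\n")),
    ("smtp", re.compile(rb"^220 [^\r\n]*E?SMTP[^\r\n]*\r\n", re.IGNORECASE)),
    ("pop3", re.compile(rb"^\+OK[^\r\n]*\r\n")),
    ("imap", re.compile(rb"^\* OK[^\r\n]*\r\n")),
    # TLS handshake record header (0x16, version 3.x, length) followed by ClientHello (0x01)
    ("tls", re.compile(rb"^\x16\x03[\x00-\x03]..\x01", re.DOTALL)),
]


def identify_by_payload(payload):
    """Port-independent identification: return a protocol label or None if unknown."""
    for name, sig in SIGNATURES:
        if sig.match(payload):
            return name
    return None


def identify_by_port(port):
    """Port-based identification for comparison: None when the port is not in the table."""
    return PORT_TABLE.get(port)


def reconcile(samples):
    """Return (port, port_guess, payload_guess) per stream so disagreements stand out."""
    return [(port, identify_by_port(port), identify_by_payload(data)) for port, data in samples]


if __name__ == "__main__":
    for port, by_port, by_payload in reconcile(SAMPLES):
        flag = "" if by_port == by_payload else "  <-- port and payload disagree"
        print(f"port {port:>5}: by port={by_port!s:<5} by payload={by_payload!s:<5}{flag}")
```

A stream whose payload matches no signature is reported as None rather than guessed from the port, which is the case a dissector must handle without misfiling the data.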
Large scale pcap data analysis
Another feature of Xplico is its ability to process (reconstruct) huge amounts of data: it can manage pcap files of many gigabytes and even terabytes, and from multiple capture probes simultaneously, thanks to the use of various types of "input modules". The pcap files can be uploaded in many ways: directly from the Xplico web user interface, via SFTP, or through a transmission channel called PCAP-over-IP.
Xplico, and also its specialised version called pcap2wav, is able to decode VoIP calls based on the RTP protocol (SIP, H323, MGCP, SKINNY) and supports the decoding of the audio codecs G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (Microsoft's Real-time Audio).
Basic commands from the command line
In these examples, it is assumed that eth0 is the network interface in use.
- real-time acquisition and decoding:
  xplico -m rltm -i eth0
- decoding of a single pcap file:
  xplico -m pcap -f example.pcap
- decoding of a directory containing many pcap files:
  xplico -m pcap -d /path/dir/
In all cases the decoded data are stored in a directory named xdecode. With the parameter -m we select the "input module" type: the input module named rltm acquires the data directly from the network interface, whereas the input module named pcap acquires data from pcap files or a directory.
Xplico is included in the following distributions:
- Kali Linux
- Security Onion
- CERT Linux Forensics Tools Repository