Xplico
   HOME

TheInfoList



Click Here for Items Related To - Xplico
OR:
Xplico on:   [Wikipedia]   [Google]   [Amazon]

Xplico is a
network forensics Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, ...
analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a
packet sniffer A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or ...
(e.g.
Wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 d ...
,
tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distribut ...
,
Netsniff-ng netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), so that the Linux kernel does not need ...
). Unlike the
protocol analyzer A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel varies from a local computer bus to a satellite link, that provides a means of communication usi ...
, whose main characteristic is not the reconstruction of the data carried by the protocols, Xplico was born expressly with the aim to reconstruct the protocol's application data and it is able to recognize the protocols with a technique named Port Independent Protocol Identification (PIPI). The name "xplico" refers to the
Latin Latin (, or , ) is a classical language belonging to the Italic branch of the Indo-European languages. Latin was originally a dialect spoken in the lower Tiber area (then known as Latium) around present-day Rome, but through the power of the ...
verb explico and its significance. Xplico is
free and open-source software Free and open-source software (FOSS) is a term used to refer to groups of software consisting of both free software and open-source software where anyone is freely licensed to use, copy, study, and change the software in any way, and the source ...
, subject to the requirements of the
GNU General Public License The GNU General Public License (GNU GPL or simply GPL) is a series of widely used free software licenses that guarantee end users the Four Freedoms (Free software), four freedoms to run, study, share, and modify the software. The license was th ...
(GPL), version 2.


Overview

To clarify what Xplico does we can imagine to have the raw data (
Ethernet Ethernet () is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in 198 ...
or PPP) of a web navigation (
HTTP The Hypertext Transfer Protocol (HTTP) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, ...
protocol), in this case Xplico is able to extract and reconstruct all the Web pages and contents (images, files, cookies, and so on). Similarly Xplico is able to reconstruct the e-mail exchanged with the
IMAP In computing, the Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. IMAP is defined by . IMAP was designed with the goal of per ...
, POP, and
SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typical ...
protocols. Among the protocols that Xplico identifies and reconstructs there are
VoIP Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet t ...
,
MSN MSN (meaning Microsoft Network) is a web portal and related collection of Internet services and apps for Windows and mobile devices, provided by Microsoft and launched on August 24, 1995, alongside the release of Windows 95. The Microsoft Net ...
,
IRC Internet Relay Chat (IRC) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called '' channels'', but also allows one-on-one communication via private messages as well as chat an ...
, HTTP, IMAP, POP, SMTP, and
FTP The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and data ...
.


Features


Software architecture

The Xplico's software architecture provides: * an ''input module'' to handle data input (from probes or packet sniffer) * an ''output module'' to organize the decoded data and presenting them to the end user; and * a set of ''decoding modules'', called ''protocol dissector'' for the decoding of the individual network protocol. With the ''output module'' Xplico can have different user interfaces, in fact it can be used from command line and from a web user interface called "Xplico Interface". The ''protocol dissector'' is the modules for the decoding of the individual protocol, each ''protocol dissector'' can reconstruct and extract the data of the protocol. All modules are plug-in and, through the configuration file, they can be loaded or not during execution of the program. This allows to focus the decoding, that is, if you want to decode only
VoIP Voice over Internet Protocol (VoIP), also called IP telephony, is a method and group of technologies for the delivery of voice communications and multimedia sessions over Internet Protocol (IP) networks, such as the Internet. The terms Internet t ...
calls but not the Web traffic then you configure Xplico to load only the RTP and SIP modules excluding the HTTP module.


Large scale pcap data analysis

Another feature of Xplico is its ability to process (reconstruct) huge amounts of data: it is able to manage pcap files of multiple gigabytes and even terabytes from multiple capture probes simultaneously. This is thanks to the use of various types of "input modules". The pcap files can be uploaded in many ways, directly from the Xplico Web user interface, with a SFTP or with a transmission channel called PCAP-over-IP. For these features Xplico is used in the contexts of
Lawful interception Lawful interception (LI) refers to the facilities in telecommunications and telephone networks that allow law enforcement agencies with court orders or other legal authorization to selectively wiretap individual subscribers. Most countries require ...
and in
Network Forensics Network forensics is a sub-branch of digital forensics relating to the monitoring and analysis of computer network traffic for the purposes of information gathering, legal evidence, or intrusion detection. Unlike other areas of digital forensics, ...
.


VoIP calls

Xplico and also its specific version calle
pcap2wav
is able to decode VoIP calls based on the RTP protocol ( SIP,
H323 H.323 is a recommendation from the ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network. The H.323 standard addresses call signaling and control, m ...
, MGCP, SKINNY) and supports the decodidica of audio codecs G711ulaw, G711alaw, G722, G729, G723, G726, and MSRTA (Microsoft's Real-time audio).


Basic commands working from command line

In these examples, it is assumed that ''eth0'' is the used network interface. * real-time acquisition and decoding: xplico -m rltm -i eth0 * decoding of a single pcap file: xplico -m pcap -f example.pcap * decoding a directory which contains many files pcap xplico -m pcap -d /path/dir/ in all cases the data decoded are stored in the a directory named ''xdecode''. With the parameter ''-m'' we can select the "''input module''" type. The input module named ''rltm'' acquires the data directly from the network interface, vice versa the input module named ''pcap'' acquires data form pcap files or directory.


Distributions

Xplico is installed by default in the major distributions of
digital forensics Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery, investigation, examination and analysis of material found in digital devices, often in relation to mobile devices and co ...
and
penetration testing A penetration test, colloquially known as a pen test or ethical hacking, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. T ...
: *
Kali Linux Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security. Kali Linux has around 600 penetration-testing programs (tools), including Armitage (a gr ...
, *
BackTrack BackTrack was a Linux distribution that focused on security, based on the Knoppix Linux distribution aimed at digital forensics and penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack around the Debian distr ...
, * DEFT, * Security Onion * Matriux *
BackBox BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing. ...
* CERT Linux Forensics Tools Repository.


See also

*
Comparison of packet analyzers The following tables compare general and technical information for several packet analyzer software utilities, also known as network analyzers or packet sniffers. Please see the individual products' articles for further information. General info ...
*
tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distribut ...
, a
packet analyzer A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or p ...
*
pcap In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of ''packet capture'', that is not the API's proper name. Unix-like systems ...
, an
application programming interface An application programming interface (API) is a way for two or more computer programs to communicate with each other. It is a type of software interface, offering a service to other pieces of software. A document or standard that describes how t ...
(API) for capturing network traffic * snoop, a
command line A command-line interpreter or command-line processor uses a command-line interface (CLI) to receive commands from a user in the form of lines of text. This provides a means of setting parameters for the environment, invoking executables and pro ...
packet analyzer A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or p ...
included with
Solaris Solaris may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Solaris'' (1972 film), directed by ...
*
wireshark Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, the project was renamed Wireshark in May 2006 d ...
, a network
packet analyzer A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or p ...
*
dsniff dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf ...
, a
packet sniffer A packet analyzer, also known as packet sniffer, protocol analyzer, or network analyzer, is a computer program or computer hardware such as a packet capture appliance, that can intercept and log traffic that passes over a computer network or ...
and set of traffic analysis tools *
netsniff-ng netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), so that the Linux kernel does not need ...
, a free Linux networking toolkit *
ngrep ngrep (network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library. ngrep supports Berkeley Packet Filter ( BPF) logic to select network sou ...
, a tool that can match regular expressions within the network packet payloads *
etherape EtherApe is a packet sniffer/network traffic monitoring tool, developed for Unix. EtherApe is free, open source software developed under the GNU General Public License. Functionality Network traffic is displayed using a graphical interface. ...
, a network mapping tool that relies on sniffing traffic *
tcptrace tcptrace is a free and open-source tool for analyzing TCP dump files. It accepts as input files produced by packet-capture programs, including tcpdump, Wireshark, and snoop. tcptrace can produce several different types of output containing i ...
, a tool for analyzing the logs produced by tcpdump


References


External links

* {{Official website, http://www.xplico.org/
Xplico Demo Cloud

PCAP2WAV and RTP2WAV Demo Cloud
Free software programmed in C Network analyzers Free network management software Unix network-related software Linux-only free software