HOME

TheInfoList



Click Here for Items Related To - Xplico
OR:
Xplico on:   [Wikipedia]   [Google]   [Amazon]

Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a
packet sniffer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can Traffic analysis, analyze and Logging (computing), log traffic that passes over a computer netwo ...
(e.g.
Wireshark Wireshark is a Free and open-source software, free and open-source packet analyzer. It is used for computer network, network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, ...
,
tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distr ...
,
Netsniff-ng netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), so that the Linux kernel does not need ...
). Unlike the
protocol analyzer A protocol analyzer is a tool (hardware or software) used to capture and analyze signals and data traffic over a communication channel. Such a channel varies from a local computer bus to a satellite link, that provides a means of communication u ...
, whose main characteristic is not the reconstruction of the data carried out by the protocols, Xplico was born expressly with the aim to reconstruct the protocol's application data and it is able to recognize the protocols with a technique named Port Independent Protocol Identification (PIPI). The name "xplico" refers to the
Latin Latin ( or ) is a classical language belonging to the Italic languages, Italic branch of the Indo-European languages. Latin was originally spoken by the Latins (Italic tribe), Latins in Latium (now known as Lazio), the lower Tiber area aroun ...
verb explico and its significance. Xplico is
free and open-source software Free and open-source software (FOSS) is software available under a license that grants users the right to use, modify, and distribute the software modified or not to everyone free of charge. FOSS is an inclusive umbrella term encompassing free ...
, subject to the requirements of the
GNU General Public License The GNU General Public Licenses (GNU GPL or simply GPL) are a series of widely used free software licenses, or ''copyleft'' licenses, that guarantee end users the freedom to run, study, share, or modify the software. The GPL was the first ...
(GPL), version 2.


Overview

Using raw data from
Ethernet Ethernet ( ) is a family of wired computer networking technologies commonly used in local area networks (LAN), metropolitan area networks (MAN) and wide area networks (WAN). It was commercially introduced in 1980 and first standardized in 198 ...
or PPP of a web navigation (
HTTP HTTP (Hypertext Transfer Protocol) is an application layer protocol in the Internet protocol suite model for distributed, collaborative, hypermedia information systems. HTTP is the foundation of data communication for the World Wide Web, wher ...
protocol), Xplico extracts application data and reconstructs the contents within a packet. In the case of HTTP protocol: images, files, or cookies would be extracted. Similarly Xplico is able to reconstruct the e-mail exchanged with the
IMAP In computing, the Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. IMAP is defined by . IMAP was designed with the goal of per ...
,
POP Pop or POP may refer to: Arts, entertainment, and media * Pop music, a musical genre Artists * POP, a Japanese idol group now known as Gang Parade * Pop! (British group), a UK pop group * Pop! featuring Angie Hart, an Australian band Album ...
, and
SMTP The Simple Mail Transfer Protocol (SMTP) is an Internet standard communication protocol for electronic mail transmission. Mail servers and other message transfer agents use SMTP to send and receive mail messages. User-level email clients typi ...
protocols. Among the protocols that Xplico identifies and reconstructs there are
VoIP Voice over Internet Protocol (VoIP), also known as IP telephony, is a set of technologies used primarily for voice communication sessions over Internet Protocol (IP) networks, such as the Internet. VoIP enables voice calls to be transmitted as ...
,
MSN MSN is a web portal and related collection of Internet services and apps provided by Microsoft. The main webpage provides news, weather, sports, finance and other content curated from hundreds of different sources that Microsoft has partnere ...
,
IRC IRC (Internet Relay Chat) is a text-based chat system for instant messaging. IRC is designed for group communication in discussion forums, called '' channels'', but also allows one-on-one communication via private messages as well as chat ...
, HTTP, IMAP, POP, SMTP, and
FTP The File Transfer Protocol (FTP) is a standard communication protocol used for the transfer of computer files from a server to a client on a computer network. FTP is built on a client–server model architecture using separate control and dat ...
.


Features


Software architecture

The Xplico's software architecture provides: * an ''input module'' to handle data input (from probes or packet sniffer) * an ''output module'' to organize the decoded data and presenting them to the end user; and * a set of ''decoding modules'', called ''protocol dissector'' for the decoding of the individual network protocol. With the ''output module'' Xplico can have different user interfaces, in fact it can be used from command line and from a web user interface called "Xplico Interface". The ''protocol dissector'' is the modules for the decoding of the individual protocol, each ''protocol dissector'' can reconstruct and extract the data of the protocol. All modules are plug-in and, through the configuration file, they can be loaded or not during execution of the program. This allows to focus the decoding, that is, if you want to decode only
VoIP Voice over Internet Protocol (VoIP), also known as IP telephony, is a set of technologies used primarily for voice communication sessions over Internet Protocol (IP) networks, such as the Internet. VoIP enables voice calls to be transmitted as ...
calls but not the Web traffic then you configure Xplico to load only the RTP and SIP modules excluding the HTTP module.


Large scale pcap data analysis

Another feature of Xplico is its ability to process (reconstruct) huge amounts of data: it is able to manage pcap files of multiple gigabytes and even terabytes from multiple capture probes simultaneously. This is thanks to the use of various types of "input modules". The pcap files can be uploaded in many ways, directly from the Xplico Web user interface, with a SFTP or with a transmission channel called PCAP-over-IP. For these features Xplico is used in the contexts of Lawful interception and in Network Forensics.


VoIP calls

Xplico and also its specific version calle
pcap2wav
is able to decode VoIP calls based on the RTP protocol ( SIP,
H323 H.323 is a recommendation from the ITU-T, ITU Telecommunication Standardization Sector (ITU-T) that defines the protocols to provide audio-visual communication sessions on any packet network. The H.323 standard addresses call signaling and contr ...
, MGCP, SKINNY) and supports the decodidica of audio codecs G711ulaw, G711alaw,
G722 The Group of Seven (G7) is an intergovernmental political and economic forum consisting of Canada, France, Germany, Italy, Japan, the United Kingdom and the United States; additionally, the European Union (EU) is a "non-enumerated member". I ...
,
G729 G.729 is a royalty-free narrow-band vocoder-based audio data compression algorithm using a frame length of 10 milliseconds. It is officially described as ''Coding of speech at 8 kbit/s using code-excited linear prediction'' speech coding (CS- ...
, G723,
G726 G.726 is an ITU-T ADPCM speech codec standard covering the transmission of voice at rates of 16, 24, 32, and 40 kilobit, kbit/s. It was introduced to supersede both G.721, which covered ADPCM at 32 kbit/s, and G.723, which described ADP ...
, and MSRTA (Microsoft's Real-time audio).


Basic commands working from command line

In these examples, it is assumed that ''eth0'' is the used network interface. * real-time acquisition and decoding: xplico -m rltm -i eth0 * decoding of a single pcap file: xplico -m pcap -f example.pcap * decoding a directory which contains many files pcap xplico -m pcap -d /path/dir/ in all cases the data decoded are stored in the a directory named ''xdecode''. With the parameter ''-m'' we can select the "''input module''" type. The input module named ''rltm'' acquires the data directly from the network interface, vice versa the input module named ''pcap'' acquires data form pcap files or directory.


Distributions

Xplico is installed by default in the major distributions of
digital forensics Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery, investigation, examination, and analysis of material found in digital devices, often in relation to mobile devices and com ...
and
penetration testing A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is performed ...
: *
Kali Linux Kali Linux is a Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security. The software is based on the Debian''Testing'' branch: most packages Kali uses are imported from the De ...
, *
BackTrack BackTrack was a Linux distribution that focused on security, based on the Knoppix Linux distribution aimed at digital forensics and penetration testing use. In March 2013, the Offensive Security team rebuilt BackTrack around the Debian distribut ...
, * DEFT, * Security Onion * Matriux * BackBox * CERT Linux Forensics Tools Repository.


See also

*
Comparison of packet analyzers Comparison or comparing is the act of evaluating two or more things by determining the relevant, comparable characteristics of each thing, and then determining which characteristics of each are similar to the other, which are different, and t ...
*
tcpdump tcpdump is a data-network packet analyzer computer program that runs under a command line interface. It allows the user to display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. Distr ...
, a
packet analyzer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capt ...
*
pcap In the field of computer network administration, pcap is an application programming interface (API) for capturing network traffic. While the name is an abbreviation of ''packet capture'', that is not the API's proper name. Unix-like systems ...
, an
application programming interface An application programming interface (API) is a connection between computers or between computer programs. It is a type of software Interface (computing), interface, offering a service to other pieces of software. A document or standard that des ...
(API) for capturing network traffic * snoop, a
command line A command-line interface (CLI) is a means of interacting with software via command (computing), commands each formatted as a line of text. Command-line interfaces emerged in the mid-1960s, on computer terminals, as an interactive and more user ...
packet analyzer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capt ...
included with
Solaris Solaris is the Latin word for sun. It may refer to: Arts and entertainment Literature, television and film * ''Solaris'' (novel), a 1961 science fiction novel by Stanisław Lem ** ''Solaris'' (1968 film), directed by Boris Nirenburg ** ''Sol ...
*
wireshark Wireshark is a Free and open-source software, free and open-source packet analyzer. It is used for computer network, network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, ...
, a network
packet analyzer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can analyze and log traffic that passes over a computer network or part of a network. Packet capt ...
*
dsniff dSniff is a set of password sniffing and network traffic analysis tools written by security researcher and startup founder Dug Song to parse different application protocols and extract relevant information. dsniff, filesnarf, mailsnarf, msgsnarf ...
, a
packet sniffer A packet analyzer (also packet sniffer or network analyzer) is a computer program or computer hardware such as a packet capture appliance that can Traffic analysis, analyze and Logging (computing), log traffic that passes over a computer netwo ...
and set of traffic analysis tools *
netsniff-ng netsniff-ng is a free Linux network analyzer and networking toolkit originally written by Daniel Borkmann. Its gain of performance is reached by zero-copy mechanisms for network packets (RX_RING, TX_RING), so that the Linux kernel does not need ...
, a free Linux networking toolkit *
ngrep ngrep (Computer network, network grep) is a network packet analyzer written by Jordan Ritter. It has a command-line interface, and relies upon the pcap library and the GNU regex library. ngrep supports Berkeley Packet Filter (Berkeley Packet Fil ...
, a tool that can match regular expressions within the network packet payloads * etherape, a network mapping tool that relies on sniffing traffic * tcptrace, a tool for analyzing the logs produced by tcpdump


References


External links

* {{Official website, http://www.xplico.org/
Xplico Demo Cloud
* PCAP2WAV and RTP2WAV Demo Cloud Free software programmed in C Network analyzers Free network management software Unix network-related software Linux-only free software