Xplico: Difference between revisions
Content deleted Content added
NFAT then Network forensics |
mNo edit summary Tags: Visual edit Mobile edit Mobile web edit |
||
| (46 intermediate revisions by 33 users not shown) | |||
| Line 1: | Line 1: | ||
{{Short description|Network forensics analysis tool}} |
|||
{{Infobox software |
{{Infobox software |
||
| |
| title = |
||
| name = Xplico |
|||
| logo = <!-- Image name is enough --> |
|||
| logo caption = |
|||
| screenshot = <!-- Image name is enough --> |
|||
| caption = |
|||
| collapsible = |
|||
| author = |
|||
| developer = Gianluca Costa & Andrea de Franceschi |
| developer = Gianluca Costa & Andrea de Franceschi |
||
| released = <!-- {{Start date and age|YYYY|MM|DD|df=yes/no}} --> |
|||
| ⚫ | |||
| discontinued = |
|||
| latest release date = {{release date|2012|2|27}} |
|||
| ⚫ | |||
| latest release date = {{release date and age|2019|05|02}}<ref>{{cite web | url=https://www.xplico.org/archives/1562 | title=Xplico – Xplico 1.2.2 }}</ref> |
|||
| latest preview version = |
|||
| latest preview date = <!-- {{Start date and age|YYYY|MM|DD|df=yes/no}} --> |
|||
| ⚫ | |||
| operating system = [[Linux]] |
| operating system = [[Linux]] |
||
| platform = |
|||
| ⚫ | |||
| size = |
|||
| language = |
|||
| language count = <!-- DO NOT include this parameter unless you know what it does --> |
|||
| language footnote = |
|||
| genre = [[Network Forensics]] |
| genre = [[Network Forensics]] |
||
| license = [[GNU General Public License]] |
| license = [[GNU General Public License]] |
||
| website = {{URL|http://www.xplico.org/}} |
| website = {{URL|http://www.xplico.org/}} |
||
| logo_size = |
|||
| logo_alt = |
|||
| screenshot_size = |
|||
| screenshot_alt = |
|||
}} |
}} |
||
| ⚫ | |||
| ⚫ | Unlike the [[Packet analyzer|protocol analyzer]], whose main characteristic is not the reconstruction of the data carried out by the protocols, Xplico was born expressly with the aim to reconstruct the protocol's application data and it is able to recognize the protocols with a technique named Port Independent Protocol Identification (PIPI).<ref>{{cite web |url=http://holisticinfosec.org/toolsmith/pdf/june2011.pdf |title=ISSA Journal |access-date=2012-06-01}}</ref> |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | Unlike the [[Packet analyzer|protocol analyzer]], whose main characteristic is not the reconstruction of the data carried by the protocols, Xplico born expressly with the aim to reconstruct the |
||
| ⚫ | |||
| ⚫ | |||
| ⚫ | |||
==Overview== |
==Overview== |
||
Using raw data from [[Ethernet]] or [[Point-to-Point Protocol|PPP]] of a web navigation ([[HTTP]] protocol), Xplico extracts application data and reconstructs the contents within a packet. In the case of HTTP protocol: images, files, or cookies would be extracted. Similarly Xplico is able to reconstruct the e-mail exchanged with the [[IMAP]], [[Post Office Protocol|POP]], and [[SMTP]] protocols. |
|||
Among the protocols that Xplico identifies and reconstructs there are [[VoIP]], [[MSN]], [[IRC]], HTTP, IMAP, POP, SMTP and [[FTP]]. |
Among the protocols that Xplico identifies and reconstructs there are [[VoIP]], [[MSN]], [[IRC]], HTTP, IMAP, POP, SMTP, and [[FTP]]. |
||
==Features== |
==Features== |
||
===Architecture=== |
|||
===Software architecture=== |
|||
The Xplico's software architecture provides: |
|||
*an ''input module'' to handle data input (from probes or packet sniffer) |
|||
*an '' |
* an ''input module'' to handle data input (from probes or packet sniffer) |
||
* an ''output module'' to organize the decoded data and presenting them to the end user; and |
|||
*a set of ''decoding modules'', called ''protocol dissector'' for the decoding of the individual network protocol |
* a set of ''decoding modules'', called ''protocol dissector'' for the decoding of the individual network protocol. |
||
With the ''output module'' Xplico can have different user interfaces, in fact it can be used from command line and from a web user interface called "Xplico Interface". The ''protocol dissector'' is the modules for the decoding of the individual protocol, each ''protocol dissector'' can reconstruct and extract the data of the protocol. |
With the ''output module'' Xplico can have different user interfaces, in fact it can be used from command line and from a web user interface called "Xplico Interface". The ''protocol dissector'' is the modules for the decoding of the individual protocol, each ''protocol dissector'' can reconstruct and extract the data of the protocol. |
||
All modules are plug-in and, through the configuration file, they can be loaded or not during execution of the program. This allows to focus the decoding, that is, if you want to decode only [[VoIP]] calls but not the Web traffic then you configure Xplico to load only the [[RTP]] and [[SIP]] modules excluding the HTTP module.<ref>{{Cite book |
All modules are plug-in and, through the configuration file, they can be loaded or not during execution of the program. This allows to focus the decoding, that is, if you want to decode only [[VoIP]] calls but not the Web traffic then you configure Xplico to load only the [[Real-time Transport Protocol|RTP]] and [[Session Initiation Protocol|SIP]] modules excluding the HTTP module.<ref>{{Cite book |
||
| publisher = Apogeo |
| publisher = Apogeo |
||
| isbn = 978-88-503-2816-1 |
| isbn = 978-88-503-2816-1 |
||
| pages = 5, 227,278, 369–370 |
| pages = 5, 227, 278, 369–370 |
||
| last = Gabriele Faggioli |
| last = Gabriele Faggioli |
||
| first = Andrea Ghirardini |
| first = Andrea Ghirardini |
||
| Line 44: | Line 66: | ||
===Large scale pcap data analysis=== |
===Large scale pcap data analysis=== |
||
Another feature of Xplico is its ability to process (reconstruct) huge amounts of data |
Another feature of Xplico is its ability to process (reconstruct) huge amounts of data: it is able to manage pcap files of multiple gigabytes and even terabytes from multiple capture probes simultaneously. This is thanks to the use of various types of "input modules". The pcap files can be uploaded in many ways, directly from the Xplico Web user interface, with a [[SSH File Transfer Protocol|SFTP]] or with a transmission channel called [[PCAP-over-IP]]. |
||
For |
For these features Xplico is used in the contexts of [[Lawful interception]]<ref>{{cite web |url=http://www.it.uc3m.es/~muruenya/papers/MCSS10XplicoAlerts.pdf |title=On detecting Internet-based criminal threats (European FP7-SEC Project INDECT) |access-date=2017-05-09}}</ref><ref>{{cite web |url=http://e-archivo.uc3m.es/handle/10016/10370 |title=Sistema de interceptación y análisis de comunicaciones) ||date=January 2009 |last1=Gacimartín García |first1=Carlos }}</ref> and in [[Network Forensics]].<ref>{{Cite book |
||
| isbn = 978-1597494724 |
| isbn = 978-1597494724 |
||
| last = Cameron H. Malin |
| last = Cameron H. Malin |
||
| Line 53: | Line 75: | ||
| year = 2012 |
| year = 2012 |
||
}}</ref> |
}}</ref> |
||
===VoIP calls=== |
|||
Xplico and also its specific version called [http://pcap2wav.xplico.org/ pcap2wav] is able to decode VoIP calls based on the [[Real-time Transport Protocol|RTP]] protocol ([[Session Initiation Protocol|SIP]], [[H323]], [[Media Gateway Control Protocol|MGCP]], [[Skinny Client Control Protocol|SKINNY]]) and supports the decodidica of audio codecs [[G711]]ulaw, [[G711]]alaw, [[G722]], [[G729]], [[G723]], [[G726]], and MSRTA (Microsoft's Real-time audio).<ref>pcap2wav Xplico interface http://www.xplico.org/archives/1287</ref> |
|||
==Basic commands working from command line== |
==Basic commands working from command line== |
||
In these examples, it is assumed that ''eth0'' is the used network interface. |
In these examples, it is assumed that ''eth0'' is the used network interface. |
||
* real-time acquisition and decoding: |
* real-time acquisition and decoding: |
||
xplico -m rltm -i eth0 |
|||
* decoding of a single pcap file: |
* decoding of a single pcap file: |
||
xplico -m pcap -f example.pcap |
|||
* decoding a directory which contains many files pcap |
* decoding a directory which contains many files pcap |
||
xplico -m pcap -d /path/dir/ |
|||
in all cases the data decoded are stored in the a directory named ''xdecode''. With the parameter ''-m'' we can select the "''input module''" type. The input module named ''rltm'' acquires the data directly from the network interface, vice versa the input module named ''pcap'' acquires data form pcap files or directory. |
in all cases the data decoded are stored in the a directory named ''xdecode''. With the parameter ''-m'' we can select the "''input module''" type. The input module named ''rltm'' acquires the data directly from the network interface, vice versa the input module named ''pcap'' acquires data form pcap files or directory. |
||
==Distributions== |
==Distributions== |
||
Xplico is installed by default in the major distributions of [[digital forensics]] and [[penetration testing]]: |
Xplico is installed by default in the major distributions of [[digital forensics]] and [[penetration testing]]: |
||
* [[Kali Linux]],<ref>[http://bugs.kali.org/view.php?id=61 Kali, Xplico as a package].</ref> |
|||
| ⚫ | |||
* [[BackTrack]],<ref>{{cite web |url=http://redmine.backtrack-linux.org:8080/issues/529 |title=Backtrack 5}}</ref> |
|||
* DEFT,<ref>{{cite web|url=http://www.deftlinux.net/projects/ |title=Projects DEFT Linux |url-status=dead |archive-url=https://web.archive.org/web/20120618120019/http://www.deftlinux.net/projects/ |archive-date=June 18, 2012 }}</ref> |
|||
* Security Onion |
|||
* Matriux |
|||
* [[BackBox]] |
|||
| ⚫ | |||
==See also== |
==See also== |
||
*[[Comparison of packet analyzers]] |
* [[Comparison of packet analyzers]] |
||
* [[tcpdump]], a [[packet analyzer]] |
|||
* [[pcap]], an [[application programming interface]] (API) for [[packet sniffer|capturing network traffic]] |
|||
* [[snoop (software)|snoop]], a [[command line]] [[packet analyzer]] included with [[Solaris (operating system)|Solaris]] |
|||
* [[wireshark]], a network [[packet analyzer]] |
|||
* [[dsniff]], a [[packet sniffer]] and set of traffic analysis tools |
|||
* [[netsniff-ng]], a free Linux networking toolkit |
|||
* [[ngrep]], a tool that can match regular expressions within the network packet payloads |
|||
* [[etherape]], a network mapping tool that relies on sniffing traffic |
|||
* [[tcptrace]], a tool for analyzing the logs produced by tcpdump |
|||
== |
==References== |
||
{{Reflist}} |
{{Reflist|30em}} |
||
==External links== |
==External links== |
||
*{{ |
* {{Official website|http://www.xplico.org/}} |
||
* [http://demo.xplico.org/ Xplico Demo Cloud] |
|||
* PCAP2WAV and RTP2WAV Demo Cloud |
|||
[[Category:Free software programmed in C]] |
[[Category:Free software programmed in C]] |
||
| Line 81: | Line 123: | ||
[[Category:Free network management software]] |
[[Category:Free network management software]] |
||
[[Category:Unix network-related software]] |
[[Category:Unix network-related software]] |
||
[[Category:Linux-only free software]] |
|||
[[it:Xplico]] |
|||
Latest revision as of 18:25, 7 February 2024
| Developer(s) | Gianluca Costa & Andrea de Franceschi |
|---|---|
| Stable release | 1.2.2
/ May 2, 2019[1] |
| Written in | C, PHP, Python |
| Operating system | Linux |
| Type | Network Forensics |
| License | GNU General Public License |
| Website | www |
Xplico is a network forensics analysis tool (NFAT), which is a software that reconstructs the contents of acquisitions performed with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng).
Unlike the protocol analyzer, whose main characteristic is not the reconstruction of the data carried out by the protocols, Xplico was born expressly with the aim to reconstruct the protocol's application data and it is able to recognize the protocols with a technique named Port Independent Protocol Identification (PIPI).[2]
The name "xplico" refers to the Latin verb explico and its significance.
Xplico is free and open-source software, subject to the requirements of the GNU General Public License (GPL), version 2.[3]
Overview
[edit]Using raw data from Ethernet or PPP of a web navigation (HTTP protocol), Xplico extracts application data and reconstructs the contents within a packet. In the case of HTTP protocol: images, files, or cookies would be extracted. Similarly Xplico is able to reconstruct the e-mail exchanged with the IMAP, POP, and SMTP protocols.
Among the protocols that Xplico identifies and reconstructs there are VoIP, MSN, IRC, HTTP, IMAP, POP, SMTP, and FTP.
Features
[edit]Software architecture
[edit]The Xplico's software architecture provides:
- an input module to handle data input (from probes or packet sniffer)
- an output module to organize the decoded data and presenting them to the end user; and
- a set of decoding modules, called protocol dissector for the decoding of the individual network protocol.
With the output module Xplico can have different user interfaces, in fact it can be used from command line and from a web user interface called "Xplico Interface". The protocol dissector is the modules for the decoding of the individual protocol, each protocol dissector can reconstruct and extract the data of the protocol.
All modules are plug-in and, through the configuration file, they can be loaded or not during execution of the program. This allows to focus the decoding, that is, if you want to decode only VoIP calls but not the Web traffic then you configure Xplico to load only the RTP and SIP modules excluding the HTTP module.[4]
Large scale pcap data analysis
[edit]Another feature of Xplico is its ability to process (reconstruct) huge amounts of data: it is able to manage pcap files of multiple gigabytes and even terabytes from multiple capture probes simultaneously. This is thanks to the use of various types of "input modules". The pcap files can be uploaded in many ways, directly from the Xplico Web user interface, with a SFTP or with a transmission channel called PCAP-over-IP.
For these features Xplico is used in the contexts of Lawful interception[5][6] and in Network Forensics.[7]
VoIP calls
[edit]Xplico and also its specific version called pcap2wav is able to decode VoIP calls based on the RTP protocol (SIP, H323, MGCP, SKINNY) and supports the decodidica of audio codecs G711ulaw, G711alaw, G722, G729, G723, G726, and MSRTA (Microsoft's Real-time audio).[8]
Basic commands working from command line
[edit]In these examples, it is assumed that eth0 is the used network interface.
- real-time acquisition and decoding:
xplico -m rltm -i eth0
- decoding of a single pcap file:
xplico -m pcap -f example.pcap
- decoding a directory which contains many files pcap
xplico -m pcap -d /path/dir/
in all cases the data decoded are stored in the a directory named xdecode. With the parameter -m we can select the "input module" type. The input module named rltm acquires the data directly from the network interface, vice versa the input module named pcap acquires data form pcap files or directory.
Distributions
[edit]Xplico is installed by default in the major distributions of digital forensics and penetration testing:
- Kali Linux,[9]
- BackTrack,[10]
- DEFT,[11]
- Security Onion
- Matriux
- BackBox
- CERT Linux Forensics Tools Repository.[12]
See also
[edit]- Comparison of packet analyzers
- tcpdump, a packet analyzer
- pcap, an application programming interface (API) for capturing network traffic
- snoop, a command line packet analyzer included with Solaris
- wireshark, a network packet analyzer
- dsniff, a packet sniffer and set of traffic analysis tools
- netsniff-ng, a free Linux networking toolkit
- ngrep, a tool that can match regular expressions within the network packet payloads
- etherape, a network mapping tool that relies on sniffing traffic
- tcptrace, a tool for analyzing the logs produced by tcpdump
References
[edit]- ^ "Xplico – Xplico 1.2.2".
- ^ "ISSA Journal" (PDF). Retrieved 2012-06-01.
- ^ "Xplico License".
- ^ Gabriele Faggioli, Andrea Ghirardini (2009). Computer Forensics. Italy: Apogeo. pp. 5, 227, 278, 369–370. ISBN 978-88-503-2816-1.
- ^ "On detecting Internet-based criminal threats (European FP7-SEC Project INDECT)" (PDF). Retrieved 2017-05-09.
- ^ Gacimartín García, Carlos (January 2009). "Sistema de interceptación y análisis de comunicaciones) |".
- ^ Cameron H. Malin, Eoghan Casey BS MA (2012). Malware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides. ISBN 978-1597494724.
- ^ pcap2wav Xplico interface http://www.xplico.org/archives/1287
- ^ Kali, Xplico as a package.
- ^ "Backtrack 5".
- ^ "Projects DEFT Linux". Archived from the original on June 18, 2012.
- ^ "Linux Forensics Tools Repository".
External links
[edit]- Official website
- Xplico Demo Cloud
- PCAP2WAV and RTP2WAV Demo Cloud