Xplico - Open Source Network Forensic Analysis Tool (NFAT)

General Information

Xplico is a Network Forensic Analysis Tool (NFAT) for Unix and Unix-like operating systems. It uses libpcap, a packet capture and filtering library.
The official home of Xplico is: http://www.xplico.org

Installation

Xplico is known to compile and run on the following systems:
  • Linux (2.4 and later kernels, various distributions)
  • CPU targets:
    • x86 multicore (Xplico uses all CPUs)
    • ARM
    • XScale
Full installation instructions can be found in the INSTALL file.

Usage

This section describes only console mode. To use the Web interface, see INSTALL and, with root permissions, run /opt/xplico/script/sqlite_demo.sh.
In console mode Xplico can decode a single pcap file, a directory of pcap files, or live traffic from an Ethernet interface (eth0, eth1, ...). The input type is selected with the -m option, which loads a particular Xplico capture interface (capture module). The available capture interfaces are 'pcap' and 'rltm'. Running "./xplico -h -m pcap" prints the help for the pcap interface; likewise "./xplico -h -m rltm" prints the help for the realtime interface. Live capture with 'rltm' needs permission to open the interface (root, or CAP_NET_RAW on Linux). In console mode all files extracted by Xplico are placed in the 'tmp/xplico/' directory; every protocol has its own subdirectory, and inside that subdirectory you find the decoded data. The examples below refer to the decode tree as xdecode/; if the output is not where you expect, check the help of the capture module you loaded. Keep in mind that the extracted files are reconstructed from captured traffic and should be handled as untrusted content. For example:
  • To decode test.pcap, launch: ./xplico -m pcap -f test.pcap. At the end of decoding your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, ... and the KML file (Google Earth) is in xdecode/ip/.
  • To decode a directory "/tmp/test" containing many pcap files, launch: ./xplico -m pcap -d /tmp/test. At the end of decoding your files are in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, ... and the KML file (Google Earth) is in xdecode/ip/.
  • To decode eth0 in realtime, the command is: ./xplico -m rltm -i eth0; stop the acquisition with ^C. Decoding happens in realtime, so your files appear in xdecode/ip/http, xdecode/ip/pop, xdecode/ip/smtp, ... while the capture runs, and the KML file (Google Earth) is in xdecode/.
Xplico has many decoding modules, located in the 'modules' directory. To enable or disable a module, edit the xplico.cfg file (by default in the ./config/ directory). The GeoMap file (KML) for Google Earth is updated every 30 seconds.
./xplico -g prints a graph of the relations between the dissectors.
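The three console-mode invocations above, wrapped in a small script that also records what went in and what came out. This is an added example, not code from the Xplico project. It assumes (not stated in the README) that the binary is ./xplico, that the decode tree is ./xdecode as in the examples, and that sha256sum from coreutils is available; override XPLICO and XDECODE in the environment if your setup differs.

```shell
#!/bin/sh
# Added example, not part of the Xplico project: drive Xplico in console mode
# and record the inputs and outputs of a decoding run.
# Assumptions (not from the README): the binary is ./xplico, it writes its
# decode tree under ./xdecode as in the README examples, and sha256sum from
# coreutils is available. Override XPLICO / XDECODE in the environment if not.

XPLICO="${XPLICO:-./xplico}"
XDECODE="${XDECODE:-xdecode}"

# Build the command line for one of the three input kinds the README lists:
# a single pcap (-m pcap -f), a directory of pcaps (-m pcap -d) or a live
# interface (-m rltm -i). Prints the command instead of running it, so the
# caller can log it before execution. Paths with spaces are not handled.
xplico_cmd() {
    kind="$1"; target="$2"
    case "$kind" in
        file) [ -f "$target" ] || { echo "not a file: $target" >&2; return 1; }
              printf '%s -m pcap -f %s\n' "$XPLICO" "$target" ;;
        dir)  [ -d "$target" ] || { echo "not a directory: $target" >&2; return 1; }
              printf '%s -m pcap -d %s\n' "$XPLICO" "$target" ;;
        live) [ -n "$target" ] || { echo "interface name required" >&2; return 1; }
              printf '%s -m rltm -i %s\n' "$XPLICO" "$target" ;;
        *)    echo "usage: xplico_cmd file|dir|live <target>" >&2; return 1 ;;
    esac
}

# Hash every capture under a path (a file or a directory) before it is decoded,
# so the evidence can later be shown to be unchanged.
# Output: "<sha256>  <path>" lines, sorted by path.
hash_inputs() {
    find "$1" -type f \( -name '*.pcap' -o -name '*.pcapng' -o -name '*.cap' \) \
        -exec sha256sum {} + | sort -k 2
}

# Count what Xplico reconstructed: one "<protocol> <files>" line per
# directory under xdecode/ip (http, pop, smtp, ...), in alphabetical order.
inventory_xdecode() {
    base="$1/ip"
    [ -d "$base" ] || { echo "no decode tree under $1" >&2; return 1; }
    for d in "$base"/*/; do
        [ -d "$d" ] || continue
        printf '%s %s\n' "$(basename "$d")" "$(find "$d" -type f | wc -l | tr -d ' ')"
    done
}

# Full offline run: hash the inputs, decode, then inventory and hash the
# outputs into a report. Not meant for live mode, where the decode tree
# keeps growing until the capture is stopped with ^C.
decode_and_report() {
    kind="$1"; target="$2"; report="${3:-xplico-report.txt}"
    cmd=$(xplico_cmd "$kind" "$target") || return 1
    {
        echo "== command =="; echo "$cmd"
        echo "== input hashes =="; hash_inputs "$target"
    } > "$report"
    $cmd || { echo "xplico failed" >&2; return 1; }
    {
        echo "== extracted files per protocol =="; inventory_xdecode "$XDECODE"
        echo "== output hashes =="
        find "$XDECODE" -type f -exec sha256sum {} + | sort -k 2
    } >> "$report"
}

# Typical use: . ./this_script.sh; decode_and_report dir /tmp/test case42.txt
```

Hashing the captures before decoding and the extracted files afterwards gives you a record that the evidence and the artifacts derived from it were not altered between the run and the report; the inventory per protocol directory is a quick sanity check that the dissectors you enabled in xplico.cfg actually produced output.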
