Open Source Network Forensic Analysis Tool (NFAT) 


Xplico version 0.5.6: VoIP (SIP & RTP)

In this version there are new and important features:

  • HTTP file reconstruction, e.g. files downloaded with tools like DownThemAll
  • undecoded UDP and TCP “streams” with textual content
  • RTP dissector
  • SIP dissector
  • SDP dissector
  • Improved XI
  • many bug fixes

This version of the SIP and RTP dissectors is not optimal. The (media) contents currently decoded have the following characteristics (limitations):

  • only audio
  • audio codecs: G.711 µ-law, G.711 A-law, G.722, G.729, G.723 and G.726
  • only static RTP payload type

We have to thank:

You can download VirtualBox.org image, source code and Ubuntu 9.10 package here.

Enjoy ;).

Xplico version 0.5.5: WebMail

In this version:

  • migration to SQLite3
  • telnet dissector
  • webmail dissector
  • webmail manipulator: Yahoo!, AOL, Hotmail (all without attachments)
  • Improved LLC dissector
  • Improved XI
  • script to check new release (only in source code)

Hotmail (Live) support depends on the language. Currently the supported languages are Italian and English.
Any feedback is welcome on the forum.

You can download VirtualBox image, source code and Ubuntu 9.10 package here.

Xplico version 0.5.4: Facebook Chat

This version of Xplico introduces new and important features:

  • Facebook web chat dissector
  • New XI based on CakePHP 1.2.5
  • New representation of images
  • For each image you can see (with the proxy enabled) the page where the image is contained
  • WLAN and LLC basic dissectors
  • HTTP dissector improvements

You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

Xplico version 0.5.3 and DEFT Vx5

You can find this release in DEFT Vx5 Linux distribution.
You can download source code, Ubuntu 9.10 package and VirtualBox.org image here.

This version of Xplico introduces many new features:


  • snoop Packet Capture File Format as input file
  • DNS dissector with graphical representation in Xplico Interface (XI)
  • NNTP dissector
  • PPPOE dissector
  • direct live acquisition from XI
  • new dispatcher named CLI: this dispatcher organizes the extracted data in a tree like this:

    xdecode/<ip_src_1>/http
    xdecode/<ip_src_1>/mail/
    xdecode/<ip_src_1>/nntp
    xdecode/<ip_src_1>/ftp
    xdecode/<ip_src_1>/...
    xdecode/<ip_src_2>/http
    xdecode/<ip_src_2>/mail/
    xdecode/<ip_src_2>/nntp
    xdecode/<ip_src_2>/ftp
    xdecode/<ip_src_2>/...
  • CLI is the default dispatcher in command-line execution
  • file extension for the HTTP contents
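An added example (not Xplico's own code) in Python that inventories a CLI dispatcher output tree with the layout above, counting extracted files per source host and protocol and flagging top-level directories that are not IP addresses; the tree it builds is constructed sample data, and the location of the xdecode root is assumed.

```python
import ipaddress
import os
import tempfile
from collections import defaultdict

# Constructed sample of a CLI dispatcher tree, xdecode/<ip_src>/<protocol>/<files>; "not-an-ip" is invented to exercise the validation.
SAMPLE_TREE = {
    "192.168.1.10/http": ["index.html", "logo.png"],
    "192.168.1.10/mail": ["msg_0001.eml"],
    "192.168.1.10/ftp": [],
    "10.0.0.5/nntp": ["article_12.txt"],
    "10.0.0.5/http": ["page.html"],
    "not-an-ip/http": ["odd.bin"],
}

def build_sample_tree(root):
    """Materialise SAMPLE_TREE under root/xdecode; return that xdecode path."""
    xdecode = os.path.join(root, "xdecode")
    for rel, files in SAMPLE_TREE.items():
        proto_dir = os.path.join(xdecode, rel)
        os.makedirs(proto_dir, exist_ok=True)
        for name in files:
            with open(os.path.join(proto_dir, name), "w") as fh:
                fh.write("constructed content\n")
    return xdecode

def inventory_xdecode(xdecode_dir):
    """Return ({source_ip: {protocol: file_count}}, [top-level names that are not IPs]).
    Non-IP directories are reported so a tree that is not dispatcher output stands out."""
    counts, unexpected = defaultdict(dict), []
    for entry in sorted(os.listdir(xdecode_dir)):
        host_dir = os.path.join(xdecode_dir, entry)
        if not os.path.isdir(host_dir):
            continue
        try:
            ipaddress.ip_address(entry)
        except ValueError:
            unexpected.append(entry)
            continue
        for proto in sorted(os.listdir(host_dir)):
            proto_dir = os.path.join(host_dir, proto)
            if os.path.isdir(proto_dir):  # count every file below it (mail/ may nest)
                counts[entry][proto] = sum(len(f) for _, _, f in os.walk(proto_dir))
    return dict(counts), unexpected

def demo_inventory():
    """Build the constructed tree in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        return inventory_xdecode(build_sample_tree(tmp))
```

Calling `demo_inventory()` returns the per-host summary and the list of unexpected entries; point `inventory_xdecode()` at a real xdecode directory to run it on actual dispatcher output.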

We have to thank:

Enjoy ;).

VirtualBox Image of Debian 5.0 with Xplico

At SourceForge there is a VirtualBox.org image of Debian 5.0 with Xplico 0.5.2 installed and running. It is a convenient way to test this software without altering your environment: just download it and begin testing Xplico. You can use Xplico to decode traffic in the console or via the web, uploading your own pcap files. Click here to download it.

Thanks to Carlos Gacimartín.

Xplico v0.5.2 Ubuntu package

The binary package of Xplico 0.5.2 for Ubuntu 9.04 is available for download.
After installation, you must follow these steps:

  • edit /etc/php5/apache2/php.ini to increase the size of files to upload:
    • post_max_size = 100M
    • upload_max_filesize = 100M
  • restart Apache2
  • start Xplico decoding manager: sudo /opt/xplico/script/sqlite_demo.sh
  • open the URL http://localhost:9876 (Xplico Interface login)
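An added Python example (not from the Xplico project) that applies the two php.ini settings from the steps above to a constructed excerpt of php.ini and checks that post_max_size is not smaller than upload_max_filesize, since PHP discards the whole POST body (the uploaded pcap included) when it exceeds post_max_size; the excerpt's contents are constructed.

```python
import re

# Constructed excerpt of /etc/php5/apache2/php.ini with PHP's stock values (not the real file).
SAMPLE_PHP_INI = """[PHP]
; Maximum size of POST data that PHP will accept.
post_max_size = 8M
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
;post_max_size = 999M   (commented-out directive, must be ignored)
"""

_SUFFIX = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}

def php_size_to_bytes(value):
    """Convert PHP shorthand ('100M', '8M', '512K', '1G', or plain bytes) to an int."""
    m = re.fullmatch(r"\s*(\d+)\s*([KkMmGg]?)\s*", value)
    if not m:
        raise ValueError(f"not a php.ini size: {value!r}")
    return int(m.group(1)) * _SUFFIX[m.group(2).upper()]

def _directive_re(key):
    # Matches only an active directive: a line starting with ';' (a comment) never matches.
    return re.compile(rf"^[ \t]*{re.escape(key)}[ \t]*=[ \t]*([^;\n]*?)[ \t]*(?:;.*)?$", re.M)

def get_ini_directive(ini_text, key):
    m = _directive_re(key).search(ini_text)
    return m.group(1) if m else None

def set_ini_directive(ini_text, key, value):
    """Rewrite the active directive in place, or append it if the file has none."""
    pattern, new_line = _directive_re(key), f"{key} = {value}"
    if pattern.search(ini_text):
        return pattern.sub(new_line, ini_text, count=1)
    return ini_text.rstrip("\n") + f"\n{new_line}\n"

def raise_upload_limits(ini_text, limit="100M"):
    """Apply both settings from the install steps."""
    text = set_ini_directive(ini_text, "post_max_size", limit)
    return set_ini_directive(text, "upload_max_filesize", limit)

def upload_limits_consistent(ini_text):
    """post_max_size must be at least upload_max_filesize, otherwise a large pcap upload
    is silently dropped; PHP's defaults (8M and 2M) apply when a directive is absent."""
    post = php_size_to_bytes(get_ini_directive(ini_text, "post_max_size") or "8M")
    upload = php_size_to_bytes(get_ini_directive(ini_text, "upload_max_filesize") or "2M")
    return post >= upload
```

Raising only upload_max_filesize leaves the file at the 8M post_max_size ceiling, which `upload_limits_consistent()` reports as False.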

For optimal viewing of the web pages reconstructed by Xplico (using only the data in the pcap files, and NOT going to the Internet), set the proxy in Firefox to localhost, port 9876.

Thanks to * for his help.

And now… enjoy.

Xplico version 0.5.2

This version of Xplico, and especially of the Xplico Interface (web user interface), introduces many new features.
Xplico:

  • dissectors: Ethernet, pcap, ipv4, ipv6, ppp, sll, tcp (2 types), udp, dns, ftp, http, icmp, imap, ipp, mms, pjl (Printer Job Language), pop, sdp, smtp, tftp, l2tp (unstable), vlan (unstable)
  • reverse DNS using only the DNS traffic in the PCAP file
  • geographical and temporal map of the decoded connections (local IP addresses are mapped to Venezia)
  • improvements of the regeneration of web pages.

Xplico Interface:

  • new look (screenshot)
  • summary of the data decoded
  • selectable source host
  • visualization (with Wireshark) of all packets and flows that compose the content extracted/reconstructed
  • usable from any PC on the network (see install)
  • improved email visualization (downloadable attachments)
  • feed list. Feed reader (RSS and Atom)
  • MMS contents visualization
  • improved content search
  • improvements of the regeneration of web pages

MMS and GeoMap version

This release introduces the MMS dissector. With this dissector it is possible to reconstruct the MMS messages transported over the HTTP protocol and extract the media they contain. With the new release of the Web interface it is possible to view the photos, texts and videos contained in MMS messages.

In this release of Xplico we have introduced the generation of geographical and temporal maps of the data reconstructed by Xplico. This feature, named GeoMap, can be used both in console mode and from the Web interface. The files generated by GeoMap are KML files and can be used with Google Earth. To allow the visualization of connections whose source is a private IP address, we have decided that private IP addresses are located in Venice (this is a temporary solution).

We have to thank:

You can find an example of MMS over HTTP here. This pcap was generated with Cap’r Makr’ and with the MMS of Flavio Poletti.

Any bug reports or suggestions are welcome.

IMAP version

This release introduces the IMAP dissector. With this dissector it is possible to reconstruct the e-mails transported by the IMAP protocol. The web interface is the same as in the last version.

Any bug reports or suggestions are welcome.

You can find source code here.

Source code

Released the source code of Xplico DEFT4 (see download).