Difference between revisions of "Xplico"
From Forensics Wiki
| (2 intermediate revisions by 2 users not shown) | |||
| Line 8: | Line 8: | ||
}} | }} | ||
| − | The '''Xplico''' is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is extract from a network capture (pcap file or real-time acquisition) | + | The '''Xplico''' is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (pcap file or real-time acquisition). For example, Xplico is able to extract all e-mails carried by the POP and SMTP protocols, and all content carried by HTTP protocol from a pcap file. |
<h2>Features</h2> | <h2>Features</h2> | ||
<ul> | <ul> | ||
| − | <li>Protocols supported: [http://www.xplico.org/status | + | <li>Protocols supported: [http://www.xplico.org/status HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...];</li> |
| + | <li> VoIP audio codecs supported: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (x-msrta:Real Time Audio) | ||
<li>Port Independent Protocol Identification (PIPI) for each application protocol;</li> | <li>Port Independent Protocol Identification (PIPI) for each application protocol;</li> | ||
<li>Multithreading;</li> | <li>Multithreading;</li> | ||
| − | <li>Output data and information in SQLite database or | + | <li>Output data and information in SQLite database or MySQL database and/or files;</li> |
| − | <li>At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;</li> | + | <li>At each data reassembled by Xplico is associated a [[XML]] file that uniquely identifies the flows and the pcap containing the data reassembled;</li> |
<li>Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer ---RAM, CPU, HD access time, ...--- );</li> | <li>Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer ---RAM, CPU, HD access time, ...--- );</li> | ||
<li>TCP reassembly with ACK verification for any packet or soft ACK verification;</li> | <li>TCP reassembly with ACK verification for any packet or soft ACK verification;</li> | ||
<li>Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;</li> | <li>Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;</li> | ||
| − | <li>No size limit on data entry or the number of files entrance (the only limit is HD size) | + | <li>No size limit on data entry or the number of files entrance (the only limit is HD size).</li> |
</ul> | </ul> | ||
| + | |||
| + | <h2>Demo and Cloud computing</h2> | ||
| + | <ul> | ||
| + | <li>Demo with full features: [http://demo.xplico.org Demo]</li> | ||
| + | <li>VoIP decoding, from pcap to wav file: [http://pcap2wav.xplico.org pcap2wav]</li> | ||
| + | </ul> | ||
Latest revision as of 02:42, 11 June 2012
| Xplico | |
|---|---|
| Maintainer: | Gianluca Costa & Andrea de Franceschi |
| OS: | Linux |
| Genre: | Analysis |
| License: | GPL |
| Website: | www.xplico.org |
The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (pcap file or real-time acquisition). For example, Xplico is able to extract all e-mails carried by the POP and SMTP protocols, and all content carried by HTTP protocol from a pcap file.
Features
- Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...;
- VoIP audio codecs supported: G711ulaw, G711alaw, G722, G729, G723, G726 and MSRTA (x-msrta:Real Time Audio)
- Port Independent Protocol Identification (PIPI) for each application protocol;
- Multithreading;
- Output data and information in SQLite database or MySQL database and/or files;
- At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
- Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer ---RAM, CPU, HD access time, ...--- );
- TCP reassembly with ACK verification for any packet or soft ACK verification;
- Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
- No size limit on data entry or the number of files entrance (the only limit is HD size).
