Difference between revisions of "Xplico"
From Forensics Wiki
m |
|||
| Line 11: | Line 11: | ||
<h2>Features</h2> | <h2>Features</h2> | ||
<ul> | <ul> | ||
| − | <li>Protocols supported: [http://www.xplico.org/status | + | <li>Protocols supported: [http://www.xplico.org/status HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...];</li> |
<li>Port Independent Protocol Identification (PIPI) for each application protocol;</li> | <li>Port Independent Protocol Identification (PIPI) for each application protocol;</li> | ||
<li>Multithreading;</li> | <li>Multithreading;</li> | ||
Revision as of 14:27, 24 November 2008
| Xplico | |
|---|---|
| Maintainer: | Gianluca Costa & Andrea de Franceschi |
| OS: | Linux |
| Genre: | Analysis |
| License: | GPL |
| Website: | www.xplico.org |
The Xplico is a Network Forensic Analysis Tool (NFAT). The main scope of Xplico is to extract all application data content from a network capture (pcap file or real-time acquisition). For example, Xplico is able to extract all e-mails carried by the POP and SMTP protocols, and all content carried by HTTP protocol from a pcap file.
Features
- Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...;
- Port Independent Protocol Identification (PIPI) for each application protocol;
- Multithreading;
- Output data and information in SQLite database or MySQL database and/or files;
- At each data reassembled by Xplico is associated a XML file that uniquely identifies the flows and the pcap containing the data reassembled;
- Realtime elaboration (depends on the number of flows, the types of protocols and by the performance of computer ---RAM, CPU, HD access time, ...--- );
- TCP reassembly with ACK verification for any packet or soft ACK verification;
- Reverse DNS lookup from DNS packages contained in the inputs files (pcap), not from external DNS server;
- No size limit on data entry or the number of files entrance (the only limit is HD size).
