Difference between revisions of "Xplico"

Revision as of 10:04, 24 May 2008

Xplico
Maintainer: Gianluca Costa & Andrea de Franceschi
OS: Linux
Genre: Analysis
License: GPL
Website: www.xplico.org

Xplico is a Network Forensic Analysis Tool (NFAT). Its main purpose is to extract all application-layer data content from a network capture (a pcap file or a real-time acquisition). For example, from a pcap file Xplico can extract all emails carried by the POP and SMTP protocols and all content carried by HTTP.

Features

  • Protocols supported: HTTP, SIP, FTP, IMAP, POP, SMTP, TCP, UDP, IPv4, IPv6, ...;
  • Port Independent Protocol Identification (PIPI) for each application protocol;
  • Multithreading;
  • Output of data and information to an SQLite or MySQL database and/or to files;
  • Each item of data reassembled by Xplico is associated with an XML file that uniquely identifies the flows and the pcap file containing the reassembled data;
  • Real-time processing (depending on the number of flows, the types of protocols and the performance of the computer: RAM, CPU, HD access time, ...);
  • TCP reassembly with ACK verification for every packet, or with soft ACK verification;
  • Reverse DNS lookup using the DNS packets contained in the input files (pcap), not an external DNS server;
  • No size limit on the input data or on the number of input files (the only limit is HD size);
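The reverse DNS feature above resolves addresses from DNS answers already present in the capture, so the names reflect what the client actually saw at capture time and no lookup leaves the analysis machine. The following Python is an added example of that technique, not Xplico's code; the DNS response bytes are constructed for the demonstration.

```python
import ipaddress
import struct

def read_name(msg, off):
    """Decode the DNS name at msg[off], following RFC 1035 compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:                      # guard against pointer loops
                raise ValueError("DNS name compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    # Return the name and the offset just past the name as written at off
    return ".".join(labels), (off if end is None else end)

def add_response(rmap, msg):
    """Record every A answer of one DNS message (UDP payload) as ip -> {owner names}."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                     # QR=0: a query, nothing to learn
        return rmap
    off = 12
    for _ in range(qd):                        # skip the question section
        _q, off = read_name(msg, off)
        off += 4                               # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:          # A record
            ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
            rmap.setdefault(ip, set()).add(name)
        off += rdlen                           # CNAME, AAAA, etc. are skipped here
    return rmap

# Constructed sample: one response for www.example.com with two A answers,
# both using a compression pointer (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x03www\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 35])
)
```

Feeding every UDP/53 payload from the capture through `add_response` yields a map that can name the IPs seen in the reassembled flows without any live query.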