I have been playing around with Xplico, which is a NFAT (Network Forensics Analysis Tool) included in Backtrack Linux. Pretty cool application, though there are some things I am still figuring out or that may be caused by the version in Backtrack being older. One of the main items where I could see new users of Xplico running into trouble is actually noted numerous times on Xplico's website, so I simply wanted to expand on what has already been noted there. If you are having issues uploading pcap files via the Xplico web interface, then it is likely related to the size of the pcap file and the maximum size that the Apache web server will accept. Use the information below to modify the web server configuration to allow larger files to be uploaded.
Dealing With Large PCAP Files In Xplico:
This example uses Backtrack Linux version 5 release 3 as the operating system, so depending on what OS you are running Xplico on, it may differ from the details below, but the concepts will be similar. To resolve the issue of uploading large pcap files via the Xplico Web GUI you need to modify the php.ini file that is processed by Apache. On Backtrack the php.ini that we need to modify is located in /etc/php5/apache2. Open the php.ini file in this directory with your favorite text editor and make the two changes noted below.
Modify php.ini File To Allow Larger Xplico PCAP File Uploads:
- ; Maximum size of POST data that PHP will accept.
- ; http://php.net/post-max-size
- post_max_size = 1024M
- ; Maximum allowed size for uploaded files.
- ; http://php.net/upload-max-filesize
- upload_max_filesize = 1024M
The above configuration variables are located on line 728 (post_max_size) and line 879 (upload_max_filesize) of /etc/php5/apache2/php.ini. Once you have made these changes you need to reload Apache on Backtrack to have Apache start using the new settings. The above settings would allow a 1GB pcap file to be uploaded via the Xplico web GUI.
Reload Apache On Backtrack Linux After php.ini Modifications:
- root@bt:~# /etc/init.d/apache2 reload
- * Reloading web server config apache2
- ...done.
- root@bt:~#
Two other settings not discussed on the Xplico web site that may need to be changed depending on the size of the PCAP file are max_execution_time and max_input_time, which by default will not allow a script to run for longer than 30 seconds or to spend longer than 60 seconds parsing request data. If you run into issues with large pcap files then you can extend these settings as well to something like 5 minutes as shown below.
Modify php.ini Time Limits To Allow Larger Xplico PCAP File Uploads:
- ; Maximum execution time of each script, in seconds
- ; http://php.net/max-execution-time
- ; Note: This directive is hardcoded to 0 for the CLI SAPI
- max_execution_time = 300
- ; Maximum amount of time each script may spend parsing request data. It's a good
- ; idea to limit this time on productions servers in order to eliminate unexpectedly
- ; long running scripts.
- ; Note: This directive is hardcoded to -1 for the CLI SAPI
- ; Default Value: -1 (Unlimited)
- ; Development Value: 60 (60 seconds)
- ; Production Value: 60 (60 seconds)
- ; http://php.net/max-input-time
- max_input_time = 360
Both of these settings are also located in /etc/php5/apache2/php.ini and you will need to reload Apache once you have changed them.
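As an added pre-flight check (example shell code written for this post, not part of Xplico or the original write-up), the script below reads post_max_size and upload_max_filesize from a php.ini, converts PHP's shorthand sizes (K/M/G) to bytes, and reports whether a capture of a given size would be accepted before you try the upload. The function names are mine, and the embedded php.ini is a constructed sample with stock PHP defaults; point the check at /etc/php5/apache2/php.ini to test a live Backtrack system.

```shell
#!/bin/bash
# Pre-flight check for Xplico uploads: will this php.ini accept a pcap of a given size?
# Point it at /etc/php5/apache2/php.ini on Backtrack; a constructed sample is used below.
# Convert a PHP shorthand size (8M, 1024M, 2G, 512K, or plain bytes) to bytes.
php_size_to_bytes() {
  local v="$1" n unit
  n="${v%[KkMmGg]}"; unit="${v#"$n"}"
  case "$unit" in
    [Kk]) echo $((n * 1024)) ;;
    [Mm]) echo $((n * 1024 * 1024)) ;;
    [Gg]) echo $((n * 1024 * 1024 * 1024)) ;;
    "")   echo "$n" ;;
    *)    echo "unknown size unit in '$v'" >&2; return 1 ;;
  esac
}

# Print a directive's effective value from php.ini $1: ';' comment lines never match
# and the last uncommented assignment wins, as in PHP.
php_ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:];]*\).*/\1/p" "$1" | tail -n 1
}

# 0 if a pcap of $2 bytes passes both limits in php.ini $1, 1 if not, 2 if a directive
# is missing. upload_max_filesize bounds the file; post_max_size bounds the whole POST
# body (slightly larger than the file), so both must be raised together.
pcap_upload_fits() {
  local post upload
  post=$(php_ini_get "$1" post_max_size); upload=$(php_ini_get "$1" upload_max_filesize)
  if [ -z "$post" ] || [ -z "$upload" ]; then
    echo "post_max_size or upload_max_filesize not set in $1" >&2; return 2
  fi
  post=$(php_size_to_bytes "$post") && upload=$(php_size_to_bytes "$upload") || return 2
  [ "$2" -le "$upload" ] && [ "$2" -le "$post" ]
}

# Constructed sample php.ini with stock PHP defaults, not the 1024M values set above.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; Maximum size of POST data that PHP will accept.
post_max_size = 8M
; Maximum allowed size for uploaded files.
upload_max_filesize = 2M
EOF

PCAP_BYTES=$((1024 * 1024 * 1024))   # a 1GB capture
if pcap_upload_fits "$SAMPLE_INI" "$PCAP_BYTES"; then
  echo "$PCAP_BYTES-byte pcap fits the limits in $SAMPLE_INI"
else
  echo "$PCAP_BYTES-byte pcap exceeds the limits in $SAMPLE_INI; raise both directives"
fi
```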