Xplico is a NFAT or Network Forensics Analysis Tool that is designed to either capture traffic in real time sessions or to provide an interface to upload PCAP (Packet Capture Data) files for analysis. The current version in Backtrack Linux 5 release 3 is 0.7 however the latest Xplico version is Xplico 1.0.1. I believe there are some dependencies required in the later versions of Xplico so I will write an updated article once Backtrack 6 comes up and the latest version of Xplico can easily be installed.
Xplico Notes:
- Listening On Every Interface: If you start Xplico from the Backtrack menu without modifying any of the configuration files then Xplico will listen on every interface thus making port 9876 available to anything on the local network or on the Internet if your Backtrack server has a public IP. Make sure you are aware of this and update firewall rules accordingly as well as modify the default password of xplico.
- Some Traffic Not Parsing Properly In 0.7: I only spent a small amount of time messing with Xplico but numerous protocols were not being parsed out properly in the interface so make sure you test each protocol type that you want details on before assuming the traffic does not exist in the PCAP files you are uploading. It is likely many of these issues are resolved in later versions of the software but again this article is based on what is available in the current version of Backtrack Linux which is BT5r3.
- Large PCAP File Uploads: Xplico does a good job of noting this on their website and within the software but it can’t be mentioned enough that you will need to modify the php.ini file on your Backtrack server as noted in this article if you want to be able to upload large PCAP files.
- Xplico Database Backend: If you want to analyze lots of network traffic and have the ability to search through this traffic quickly you should move the Xplico database backend from SQLite to MySQL before you begin. This is well documented and appears easy to accomplish.
Xplico 0.7 On Backtrack 5 Release 3:
Xplico is a great tool for analyzing network packet captures and as it matures I am sure it will only get better. I would be hesitant to say that this version is ready for production networks however if you test properly and understand its current capabilities there could definitely be value in production. The basis of Xplico is analyzing PCAP files by providing a quick breakdown of protocol traffic and even going as far as providing a quick method to search through the details of packets. The way Xplico organizes traffic is by case and by session with sessions being associated to cases. Think of a session as a single network packet capture that starts at X and ends at Y. You might have a single PCAP that spans say 24 hours and thus every session under a single case might be equal to a single day though it would seem likely to use Xplico when becoming familiar with a network during a pentest and you might create a packet capture for an hour and use Xplico to analyze that traffic and provide a summary of the type of traffic on a clients network.
Quick Xplico Walk Through On Backtrack Linux:
Below I describe starting Xplico from the Backtrack 5 menu, uploading a PCAP file, and viewing packet details via the Xplico interface. The first image below shows the terminal pop up once you select “xplico web gui” from the Backtrack menu located under Information Gathering > Network Analysis > Network Traffic Analysis.
Start Xplico From Backtrack Menu:
Again I wanted to note that when starting Xplico from the Backtrack menu the application will be listening on port 9876 on every interface so make sure to secure accordingly. The Xplico startup script will make sure the necessary Apache modules are installed and then restart the web server. Now open a local browser and visit http://localhost:9876 or from another computer visit http://<BT5 IP HERE:9876/. You can login to the web interface using the default user/pass of xplico/xplico.
Create Xplico Case & Session:
Click New Case from the left navigation menu once logged into Xplico and select either PCAP Upload or Live Capture. The Live Capture option provides the ability to select an Ethernet Interface on the Backtrack server to capture packets on once you have created a session. It is more likely that Xplico will be used to upload PCAP’s for analysis but wanted to note in case someone is going to create a monitor port on a switch in their network and have all network traffic dumped to Xplico running on Backtrack Linux in real time. Once you have created the Xplico Case you next need to add a Xplico Session to the Case so click on the Case you have just created and then click New Session in the left navigation menu to create a Session associated to the Case.
When adding a session use a descriptive name that relates to the packets located in the PCAP file(s) you will be uploading. Once a Session has been added to the Xplico interface you can begin uploading PCAP files for analysis. In this example we will upload a PCAP file example provided on the Xplico website.
Upload PCAP File To Xplico:
Notice that all of the packet details within the session are 0 but once the PCAP file has been processed a summary of protocol details will display within the session which will be displayed in a screenshot to follow. Depending on the size of the PCAP file that was uploaded it can take awhile to process so be patient. Also it should be noted that after the PCAP file is uploaded the session will show the START_DECODING state and then once the Xplico PCAP processing task picks up the PCAP file it will move into the DECODING state. Once the PCAP file has been processed it will display the DECODING_COMPLETE state at which time you will be able to view the PCAP file statistics/details as shown in the below screenshot.
Xplico PCAP File Protocol Summary View:
Notice the statistics that now exist in the session buckets including HTTP, FTP – TFTP – HTTP file, Webmail, Facebook Chat / Paltalk, Dns – Arp – Icmpv6, NNTP, SIP, and Undecoded. Now if you were looking for more details for a specific protocol/application you can now click that item in the left navigation menu to drill down further as shown in the below example image of SIP protocol details.
Xplico SIP VoIP Call Details View:
Notice that from this page, which is located underneath VoIP in the elft navigation menu, you can see actual call details including date, the from device, the to device, and call duration. You can also click on the info.xml link to bring up the packet details in XML format as shown in the below example image.
Xplico SIP Call Detail Via info.xml Pop-Up:
Notice in the SIP call packet details pop-up you can see source and destination IP, PCAP file location, and UDP port information as well. Within the Xplico web GUI you can typically click down to packet level details for every protocol and I would assume more and more details will be provided for each protocol as Xplico matures.
Those are the basics regarding the Xplico web GUI but you can also use Xplico from the command line if you wanted to see a quick analysis of protocols from a packet capture. First you should understand the Xplico Protocol Tree so you will understand what details will be spit out regarding the network packet capture or PCAP you file you are analyzing. You can print out the Xplico Protocol Tree by issuing the “xplico -g” command as shown in the below example. Click the title below to expand the Xplico Protocol Tree.
[expand title=”Xplico Protocol Tree Details”]
root@bt:/opt/xplico/bin# ./xplico -g
xplico v0.7.0
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2011 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Configuration file (/opt/xplico/cfg/xplico_cli.cfg) found!
GeoLiteCity.dat found!
——————————————
————- Protocol Graph ————-
——————————————
pcapf
|
|—>eth
| |
| |—>pppoe
| | |
| | `—>ppp
| | |
| | |—>ip
| | | |
| | | |—>ipv6
| | | | |
| | | | |—>tcp
| | | | | |
| | | | | |—>http
| | | | | | |
| | | | | | |—>httpfd
| | | | | | |—>ipp
| | | | | | |—>mms
| | | | | | |—>fbwchat
| | | | | | |—>webmail
| | | | | | `—>paltalk_exp
| | | | | |—>pop
| | | | | |—>imap
| | | | | |—>smtp
| | | | | |—>sip
| | | | | |—>ftp
| | | | | |—>nntp
| | | | | |—>irc
| | | | | |—>pjl
| | | | | |—>telnet
| | | | | |—>msn
| | | | | |—>paltalk
| | | | | `—>tcp-grb
| | | | |—>udp
| | | | | |
| | | | | |—>sip
| | | | | |—>rtp
| | | | | |—>l2tp
| | | | | | |
| | | | | | `—>ppp
| | | | | |—>dns
| | | | | |—>tftp
| | | | | `—>udp-grb
| | | | `—>icmpv6
| | | |—>tcp
| | | |—>udp
| | | `—>icmp
| | |—>ipv6
| | `—>llc
| | |
| | |—>eth
| | |—>ip
| | `—>ipv6
| |—>ip
| |—>ipv6
| |—>vlan
| | |
| | |—>ip
| | |—>ipv6
| | `—>arp
| `—>arp
|—>ppp
|—>ip
|—>ipv6
|—>sll
| |
| |—>ip
| `—>ipv6
|—>wlan
|—>llc
`—>radiotap
——————————————
pol
|
|—>eth
|—>ppp
|—>ip
|—>ipv6
|—>sll
|—>wlan
|—>llc
`—>radiotap
——————————————
rtcp
——————————————
sdp
——————————————
usage: xplico [-v] [-c <config_file>] [-h] [-g] [-l] [-i ] -m <capute_module>
-v version
-c config file
-h this help
-i info of protocol ‘prot’
-g display graph-tree of protocols
-l print all log in the screen
-m capture type module
NOTE: parameters MUST respect this order!
root@bt:/opt/xplico/bin#
[/expand]
The purpose of understanding the Xplico Protocol Tree is only so you know what protocol details will be provided and what protocol details will not be provided. Below is an example of processing a PCAP file containing packets related to a SIP VoIP call.
[expand title=”Processing PCAP File From Backtrack CLI With Xplico”]
root@bt:/opt/xplico/bin# ./xplico -m pcap -f /root/example2.pcap
xplico v0.7.0
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2011 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Configuration file (/opt/xplico/cfg/xplico_cli.cfg) found!
GeoLiteCity.dat found!
pcapf: running: 0/0, subflow:0/0, tot pkt:1
pol: running: 0/0, subflow:0/0, tot pkt:0
eth: running: 0/0, subflow:0/0, tot pkt:1
pppoe: running: 0/0, subflow:0/0, tot pkt:0
ppp: running: 0/0, subflow:0/0, tot pkt:0
ip: running: 0/0, subflow:0/0, tot pkt:1
ipv6: running: 0/0, subflow:0/0, tot pkt:0
tcp: running: 0/0, subflow:0/0, tot pkt:0
udp: running: 0/0, subflow:1/50, tot pkt:1
http: running: 0/0, subflow:0/0, tot pkt:0
pop: running: 0/0, subflow:0/0, tot pkt:0
imap: running: 0/0, subflow:0/0, tot pkt:0
smtp: running: 0/0, subflow:0/0, tot pkt:0
httpfd: running: 0/0, subflow:0/0, tot pkt:0
sip: running: 1/1, subflow:0/0, tot pkt:0
rtp: running: 0/0, subflow:0/0, tot pkt:0
rtcp: running: 0/0, subflow:0/0, tot pkt:0
sdp: running: 0/0, subflow:0/0, tot pkt:1
l2tp: running: 0/0, subflow:0/0, tot pkt:0
vlan: running: 0/0, subflow:0/0, tot pkt:0
ftp: running: 0/0, subflow:0/0, tot pkt:0
dns: running: 0/0, subflow:0/0, tot pkt:0
icmp: running: 0/0, subflow:0/0, tot pkt:0
nntp: running: 0/0, subflow:0/0, tot pkt:0
irc: running: 0/0, subflow:0/0, tot pkt:0
ipp: running: 0/0, subflow:0/0, tot pkt:0
pjl: running: 0/0, subflow:0/0, tot pkt:0
mms: running: 0/0, subflow:0/0, tot pkt:0
sll: running: 0/0, subflow:0/0, tot pkt:0
tftp: running: 0/0, subflow:0/0, tot pkt:0
wlan: running: 0/0, subflow:0/0, tot pkt:0
llc: running: 0/0, subflow:0/0, tot pkt:0
fbwchat: running: 0/0, subflow:0/0, tot pkt:0
telnet: running: 0/0, subflow:0/0, tot pkt:0
webmail: running: 0/0, subflow:0/0, tot pkt:0
msn: running: 0/0, subflow:0/0, tot pkt:0
paltalk: running: 0/0, subflow:0/0, tot pkt:0
arp: running: 0/0, subflow:0/0, tot pkt:0
paltalk_exp: running: 0/0, subflow:0/0, tot pkt:0
radiotap: running: 0/0, subflow:0/0, tot pkt:0
icmpv6: running: 0/0, subflow:0/0, tot pkt:0
tcp-grb: running: 0/0, subflow:0/0, tot pkt:0
udp-grb: running: 0/0, subflow:0/0, tot pkt:0
Pei inserted: 0
Pei to be insert: 0
Fthread: 1/100
Flows: 1
Groups: 1/100
Dns DB: ip number: 0, name number: 0, total size: 200000
Data source: /root/example2.pcap
Cap. time: Wed Oct 31 08:14:23 2007
pcapf: running: 0/0, subflow:0/0, tot pkt:1910
pol: running: 0/0, subflow:0/0, tot pkt:0
eth: running: 0/0, subflow:0/0, tot pkt:1910
pppoe: running: 0/0, subflow:0/0, tot pkt:0
ppp: running: 0/0, subflow:0/0, tot pkt:0
ip: running: 0/0, subflow:0/0, tot pkt:1910
ipv6: running: 0/0, subflow:0/0, tot pkt:0
tcp: running: 0/0, subflow:0/0, tot pkt:0
udp: running: 0/0, subflow:0/50, tot pkt:1906
http: running: 0/0, subflow:0/0, tot pkt:0
pop: running: 0/0, subflow:0/0, tot pkt:0
imap: running: 0/0, subflow:0/0, tot pkt:0
smtp: running: 0/0, subflow:0/0, tot pkt:0
httpfd: running: 0/0, subflow:0/0, tot pkt:0
sip: running: 3/3, subflow:0/0, tot pkt:0
rtp: running: 0/0, subflow:0/0, tot pkt:0
rtcp: running: 0/0, subflow:0/0, tot pkt:0
sdp: running: 0/0, subflow:0/0, tot pkt:2
l2tp: running: 0/0, subflow:0/0, tot pkt:0
vlan: running: 0/0, subflow:0/0, tot pkt:0
ftp: running: 0/0, subflow:0/0, tot pkt:0
dns: running: 0/0, subflow:0/0, tot pkt:0
icmp: running: 0/0, subflow:0/0, tot pkt:4
nntp: running: 0/0, subflow:0/0, tot pkt:0
irc: running: 0/0, subflow:0/0, tot pkt:0
ipp: running: 0/0, subflow:0/0, tot pkt:0
pjl: running: 0/0, subflow:0/0, tot pkt:0
mms: running: 0/0, subflow:0/0, tot pkt:0
sll: running: 0/0, subflow:0/0, tot pkt:0
tftp: running: 0/0, subflow:0/0, tot pkt:0
wlan: running: 0/0, subflow:0/0, tot pkt:0
llc: running: 0/0, subflow:0/0, tot pkt:0
fbwchat: running: 0/0, subflow:0/0, tot pkt:0
telnet: running: 0/0, subflow:0/0, tot pkt:0
webmail: running: 0/0, subflow:0/0, tot pkt:0
msn: running: 0/0, subflow:0/0, tot pkt:0
paltalk: running: 0/0, subflow:0/0, tot pkt:0
arp: running: 0/0, subflow:0/0, tot pkt:0
paltalk_exp: running: 0/0, subflow:0/0, tot pkt:0
radiotap: running: 0/0, subflow:0/0, tot pkt:0
icmpv6: running: 0/0, subflow:0/0, tot pkt:0
tcp-grb: running: 0/0, subflow:0/0, tot pkt:0
udp-grb: running: 1/1, subflow:0/0, tot pkt:0
Pei inserted: 2
Pei to be insert: 0
Fthread: 3/100
Flows: 4
Groups: 2/100
Dns DB: ip number: 0, name number: 0, total size: 200000
Data source: /root/example2.pcap
Cap. time: Wed Oct 31 08:14:44 2007
pcapf: running: 0/0, subflow:0/0, tot pkt:1910
pol: running: 0/0, subflow:0/0, tot pkt:0
eth: running: 0/0, subflow:0/0, tot pkt:1910
pppoe: running: 0/0, subflow:0/0, tot pkt:0
ppp: running: 0/0, subflow:0/0, tot pkt:0
ip: running: 0/0, subflow:0/0, tot pkt:1910
ipv6: running: 0/0, subflow:0/0, tot pkt:0
tcp: running: 0/0, subflow:0/0, tot pkt:0
udp: running: 0/0, subflow:0/50, tot pkt:1906
http: running: 0/0, subflow:0/0, tot pkt:0
pop: running: 0/0, subflow:0/0, tot pkt:0
imap: running: 0/0, subflow:0/0, tot pkt:0
smtp: running: 0/0, subflow:0/0, tot pkt:0
httpfd: running: 0/0, subflow:0/0, tot pkt:0
sip: running: 0/3, subflow:0/0, tot pkt:1902
rtp: running: 0/0, subflow:0/0, tot pkt:0
rtcp: running: 0/0, subflow:0/0, tot pkt:0
sdp: running: 0/0, subflow:0/0, tot pkt:2
l2tp: running: 0/0, subflow:0/0, tot pkt:0
vlan: running: 0/0, subflow:0/0, tot pkt:0
ftp: running: 0/0, subflow:0/0, tot pkt:0
dns: running: 0/0, subflow:0/0, tot pkt:0
icmp: running: 0/0, subflow:0/0, tot pkt:4
nntp: running: 0/0, subflow:0/0, tot pkt:0
irc: running: 0/0, subflow:0/0, tot pkt:0
ipp: running: 0/0, subflow:0/0, tot pkt:0
pjl: running: 0/0, subflow:0/0, tot pkt:0
mms: running: 0/0, subflow:0/0, tot pkt:0
sll: running: 0/0, subflow:0/0, tot pkt:0
tftp: running: 0/0, subflow:0/0, tot pkt:0
wlan: running: 0/0, subflow:0/0, tot pkt:0
llc: running: 0/0, subflow:0/0, tot pkt:0
fbwchat: running: 0/0, subflow:0/0, tot pkt:0
telnet: running: 0/0, subflow:0/0, tot pkt:0
webmail: running: 0/0, subflow:0/0, tot pkt:0
msn: running: 0/0, subflow:0/0, tot pkt:0
paltalk: running: 0/0, subflow:0/0, tot pkt:0
arp: running: 0/0, subflow:0/0, tot pkt:0
paltalk_exp: running: 0/0, subflow:0/0, tot pkt:0
radiotap: running: 0/0, subflow:0/0, tot pkt:0
icmpv6: running: 0/0, subflow:0/0, tot pkt:0
tcp-grb: running: 0/0, subflow:0/0, tot pkt:0
udp-grb: running: 0/1, subflow:0/0, tot pkt:4
Pei inserted: 4
Pei to be insert: 0
Fthread: 0/100
Flows: 0
Groups: 0/100
Dns DB: ip number: 0, name number: 0, total size: 200000
Data source: /root/example2.pcap
Cap. time: Wed Oct 31 08:14:44 2007
Total elaboration time: 3s
root@bt:/opt/xplico/bin#
[/expand]
Notice there are primarily SIP packets however there are also a couple SDP packets and a couple ICMP packets. The primary benefits of Xplico appear to be related to the Xplico web GUI however if you needed to know how many UDP/TCP packets or some specific protocol in the Xplico Protocol Tree were in a PCAP file quickly you could do so with Xplico from the CLI.
If anyone has any use case scenarios with Xplico that they are willing to share we would love to hear them below!
