Xplico: An intro

Prerequisites:

1. Backtrack 4 - (Just for the sake of the tutorial)
2. Network Traffic or capture files
3. Apache
4. Configured Network interface(s)
5. Web Browser - For the sake of the tutorial we'll just deal with the WEBGUI, but there IS a console mode.

Link to the Wiki: http://wiki.xplico.org/doku.php
The dependency list below is taken directly from the wiki:

Xplico's code depends on these libraries:

* Pcap Library: libpcap
* SQLite Library: libsqlite3
* MySQL C API Library: libmysqlclient_r
* Zlib: zlib1g-dev

Xplico also depends on these applications:

* SoX - Sound eXchange
* Lame MP3 Encoder

On Backtrack 4, apt-get will take care of all of these for you.

Installation:
=======

1. Installing Xplico:
apt-get install xplico

2. Edit the PHP configuration used by Apache (php.ini). Change the two lines below to 100M as shown; these limits cap the size of pcap files you can upload through the web GUI.

vi /etc/php5/apache2/php.ini

; Maximum size of POST data that PHP will accept.
post_max_size = 100M

; Maximum allowed size for uploaded files.
upload_max_filesize = 100M

3. Start Apache:
/etc/init.d/apache2 start
You can also start this service from the GUI:
Kmenu > Services > HTTPD > Start HTTPD
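The php.ini edit from step 2 and a check that it took effect, scripted as an added example (not part of the original tutorial). The php.ini path is passed as an argument (the tutorial's is /etc/php5/apache2/php.ini); the function names set_php_limits, php_ini_get and check_php_limits are my own.

```shell
#!/bin/sh
# Added example, not from the original tutorial: apply the two php.ini
# limits from step 2 with a script and verify them before starting Apache.
# The php.ini path is passed in; the function names below are my own.

# Read the effective value of a key: the last uncommented "key = value"
# line wins, as PHP parses it. Prints nothing when the key is not set.
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tail -n 1
}

# Rewrite the active post_max_size / upload_max_filesize lines to $size
# (default 100M). Commented-out lines such as ";post_max_size = 8M" are left
# alone; if a key is missing entirely it is appended. Uses a temp file and
# mv instead of "sed -i" so it behaves the same on GNU and BSD sed.
set_php_limits() {
    ini="$1"; size="${2:-100M}"
    for key in post_max_size upload_max_filesize; do
        if grep -q "^[[:space:]]*${key}[[:space:]]*=" "$ini"; then
            sed "s/^[[:space:]]*${key}[[:space:]]*=.*/${key} = ${size}/" \
                "$ini" > "$ini.tmp" && mv "$ini.tmp" "$ini"
        else
            printf '%s = %s\n' "$key" "$size" >> "$ini"
        fi
    done
}

# Return 0 only if both limits equal $size; otherwise report which one is
# off, which is the first thing to look at when a pcap upload in the web
# GUI silently fails.
check_php_limits() {
    ini="$1"; size="${2:-100M}"; status=0
    for key in post_max_size upload_max_filesize; do
        val=$(php_ini_get "$ini" "$key")
        if [ "$val" = "$size" ]; then
            echo "ok    $key = $val"
        else
            echo "FAIL  $key = '${val:-<unset>}' (want $size)"; status=1
        fi
    done
    return $status
}

# Usage: sh xplico_php_limits.sh /etc/php5/apache2/php.ini [100M]
if [ "$#" -ge 1 ]; then
    set_php_limits "$1" "${2:-100M}" && check_php_limits "$1" "${2:-100M}"
fi
```

Restart Apache afterwards (step 3) so the new limits are loaded.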

Connecting and Using Xplico:
==================

4. For the sake of the tutorial we'll just deal with the WEBGUI.
Open your browser to 127.0.0.1:9876

SoldierX

5. Login
u: xplico
p: xplico

(Screenshot: Main Page)

6. Create a new Case. For "case name" call it "IluvEverestX" (OK, j/k, name it whatever).
-- Please note: at this point you need to decide if you are going to feed Xplico pcaps or gather live production data.
-- Select whichever one you want.


7. Create a new Session and call it "Demo".

LIVE or From PCAP:
============

8a. If you selected "Live acquisition"

Once you open the new Session it will look like this. Select your adapter in the top right corner (in my case eth0), select Start and watch the magic happen. Stop the capture whenever you like.

8b. If you selected "From Pcap"
Xplico has a very nice set of test pcap files, found at the link below:
http://wiki.xplico.org/doku.php?id=pcap:pcap

Below, for example, I'm using the "SAMPLE OF ALL PROTOCOLS SUPPORTED IN XPLICO 0.5.5" file. This is a great way to familiarize yourself with the functions of Xplico.

Upload the file and watch it start decoding; when it's done you will see the various protocols populated.

A brief look at examples:
================

Http: (screenshot)

Http files: (screenshot)

Contents of Emails: (screenshot)

Telnet Sessions: (screenshot)

END:
===

There are many more options in Xplico that I have not covered (such as viewing Facebook chats and VoIP), some devious configurations, and some advanced tactics you can use for stripping SSL as well as forcing the traffic to your Xplico host. See some of my other tutorials for ideas.
