HTTP and web analysis using Xplico

In this exercise, we upload the HTTP (web) sample packet capture file (xplico.org_sample_capture_web_must_use_xplico_nc.cfg.pcap).

For this HTTP analysis, we use Xplico to search for artifacts associated with the HTTP protocol such as URLs, images from websites, and possible browser-related activities.

Once Xplico has been started, log in using the following credentials:

  • Username: xplico
  • Password: xplico

We then choose New Case from the menu on the left and select the Uploading PCAP capture file/s button as we will be uploading files and not performing live captures or acquisition. For each case we must also specify a Case name:

In the following screenshot, I have entered HTTP-WEB for the Case name. Click Create to continue. The case HTTPWEB has now been created. Click HTTPWEB to continue to the Session screen:

Now we create a new session for this instance of our case by clicking the New Session option in the menu to the left:

We give our session a name and click Create to continue:

Our new session has been created with the name HTTPWEB:

Once our case and session details have been entered, we are presented with the main Xplico interface window. After our .pcap file has been uploaded and decoded, this window displays the various categories of possible artifacts found, including the HTTP, DNS, Web Mail and Facebook categories:

To upload our .pcap file, click the Browse... button in the Pcap set area at the top right, choose the downloaded .pcap file (xplico.org_sample_capture_web_must_use_xplico_nc.cfg.pcap) and then click the Upload button to begin the decoding process in Xplico:

The decoding process can take a while depending on the size of the .pcap file as this process decodes the .pcap file into easily searchable categories within Xplico. Once finished, the Status field in the Session Data area reads DECODING COMPLETED and also displays the details of the Case and Session name and Capture (Cap) start and end times:

After the decoding is completed, the results are then displayed in the various category areas. In the following screenshot we can see that there is an entry in the Undecoded category under Text flows:

To analyze the decoded results, we use the menu to the extreme left of the Xplico interface. Seeing that we have results listed in the Undecoded category, click Undecoded in the menu, which expands into the TCP-UDP and Dig sub-menus. Click the TCP-UDP sub-menu to explore further:

The TCP-UDP option reveals destination IP, port, date and time, duration of connection, and an info file with more details. The destination IP entries marked in red can be clicked and also explored further:

If we click the first destination IP entry, 74.125.77.100, we are prompted to save information details of this entry in a text file:

To view the contents of the file we can either open it directly from the saved location or use the cat command to display the contents within a Terminal by typing cat /root/Downloads/undecoded_15.txt:

The results displayed in the previous Terminal window show that a .gif image was viewed or downloaded on Wed 09 December, 2009.

We can also click the info.xml link under the Info column to obtain more information:

The info.xml shows the source and destination IP addresses and port numbers. We can now explore all destination IP addresses and their respective info.xml files to gather more information for our case:

Let's go back to the Undecoded menu on the left and click the Dig sub-menu to explore our capture file further:

In the previous screenshot, the Dig sub-menu reveals several image artifacts in .gif, .tif, and .jpg format, along with the dates on which they were viewed over an HTTP connection.

The images should be viewed and documented as part of our case findings:
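Xplico's decoder does this sorting for us. As an added illustration of what "decoding" a capture into HTTP artifacts involves (example code written for this exercise, not part of Xplico or of this book), the following stand-alone Python script walks a pcap record by record, strips the Ethernet, IPv4 and TCP headers, and reports each HTTP request URL and response content type together with its source, destination and date. The capture it reads is constructed in memory; the hostname www.example.com and the client address 192.168.1.5 are made-up values, while 74.125.77.100 is the destination seen above.

```python
import struct
from datetime import datetime, timezone

def tcp_frame(src, dst, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame carrying payload (checksums left zero; fine for parsing)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MAC addresses, EtherType 0x0800 (IPv4)

def build_pcap(frames, start_ts=1260316800):  # 2009-12-09 00:00:00 UTC, constructed timestamp
    """Wrap frames in a classic little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", start_ts + i, 0, len(f), len(f)) + f
    return out

def http_artifacts(pcap):
    """Walk each record down to the TCP payload and report HTTP requests and responses."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, found = 24, []
    while pos + 16 <= len(pcap):
        ts, _, caplen, _ = struct.unpack(endian + "IIII", pcap[pos:pos + 16])
        data = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if data[12:14] != b"\x08\x00" or data[23] != 6:   # IPv4 over Ethernet, TCP only
            continue
        ip = data[14:]
        tcp = ip[(ip[0] & 0x0F) * 4:]                     # skip IP header (IHL in 32-bit words)
        payload = tcp[(tcp[12] >> 4) * 4:]                # skip TCP header (data offset)
        lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
        hdrs = {k.strip().lower(): v.strip() for k, _, v in (l.partition(":") for l in lines[1:])}
        rec = {"date": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d"),
               "src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20]))}
        if lines[0].startswith("HTTP/"):                  # response: what came back (e.g. image/gif)
            rec.update(kind="response", status=lines[0].split(" ", 1)[1], type=hdrs.get("content-type", "?"))
        elif lines[0].count(" ") == 2 and lines[0].endswith(("HTTP/1.0", "HTTP/1.1")):
            method, path, _ = lines[0].split(" ")         # request: rebuild the URL from Host + path
            rec.update(kind="request", method=method, url=f"http://{hdrs.get('host', rec['dst'])}{path}")
        else:
            continue                                      # not HTTP: Xplico would list it as undecoded
        found.append(rec)
    return found

# Constructed sample: a browser fetching a .gif and the server answering with image/gif.
SAMPLE = build_pcap([
    tcp_frame("192.168.1.5", "74.125.77.100", 50123, 80, b"GET /images/logo.gif HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    tcp_frame("74.125.77.100", "192.168.1.5", 80, 50123, b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 6\r\n\r\nGIF89a"),
])
```

Running `http_artifacts(SAMPLE)` yields one request record (the reconstructed URL of the .gif) and one response record (status and content type), each dated 2009-12-09; pass the bytes of a real capture to see the same fields for every HTTP flow in it.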
