Xplico
Xplico is a Network Forensic Analysis Tool (NFAT) that extracts application data from internet traffic captures. It reconstructs emails, HTTP contents, VoIP calls, FTP transfers, and other protocol data from pcap files.
Description
Xplico serves as a specialized tool for network forensics, focusing on extracting meaningful application-layer data from captured network traffic rather than protocol analysis. Its primary goal is to reconstruct user activities and communications, such as POP/IMAP/SMTP emails, HTTP web contents, SIP/MGCP/H323 VoIP calls, FTP/TFTP transfers, and more, from pcap files or live captures.
Use cases include digital investigations where investigators need to recover application data from network dumps without manually parsing packets. It supports real-time traffic analysis via capture modules and integrates with web interfaces for visualization. Xplico differs from traditional protocol analyzers by emphasizing data extraction over low-level protocol dissection.
The tool comes with supporting binaries like manipulators (mfbc, mfile, etc.) for processing specific protocols and web UI components for service management.
How It Works
Xplico processes pcap files or live interfaces using capture modules (e.g., rltm) to identify and extract application data from protocols such as POP, IMAP, SMTP, HTTP, SIP, MGCP, H323, FTP and TFTP. It uses a dissector for each protocol to reconstruct sessions and contents, and reports the decoding status of each component (pcapf, pol, eth, pppoe, ppp, ip). Configuration is loaded from /opt/xplico/cfg/xplico_cli.cfg, and GeoLite data is used for geolocation. Supporting manipulators handle specific data types, while the web UI is served by Apache on port 9876.
Installation
sudo apt install xplico
Flags
Examples
xplico -m rltm -i eth0    (live capture on eth0 using the rltm capture module)
xplico -h                 (show help)
xplico -v                 (show version)
xplico -i <prot>
xplico -m <capture_module>    (select a capture module)
xplico-webui              (start the web UI)
xplico-webui-stop         (stop the web UI)
mfbc -h                   (help for the mfbc manipulator)