Network Analysis Using Wireshark and Xplico

In this tutorial we will capture traffic on a local network with Wireshark and then carry out forensic analysis of that capture with Xplico through its web interface. Both tools are already included in Backtrack 5.


Xplico is a Network Forensic Analysis Tool (NFAT): software that reconstructs the contents of captures made with a packet sniffer (e.g. Wireshark, tcpdump, Netsniff-ng). Unlike a protocol analyzer, whose main purpose is not the reconstruction of the data carried by the protocols, Xplico was written expressly to reconstruct the protocols' application data, and it recognises protocols with a technique named Port Independent Protocol Identification (PIPI): a protocol is identified by the content of the stream rather than by the port it runs on, so for example an FTP session on a non-standard port is still decoded as FTP.

The name “xplico” refers to the Latin verb explico and its meaning.

Distributed under the GNU General Public License, Xplico is free software.


Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Originally named Ethereal, in May 2006 the project was renamed Wireshark due to trademark issues.

Wireshark is cross-platform, using the GTK+ widget toolkit to implement its user interface, and using pcap to capture packets; it runs on various Unix-like operating systems including Linux, Mac OS X, BSD, and Solaris, and on Microsoft Windows. There is also a terminal-based (non-GUI) version called TShark. Wireshark, and the other programs distributed with it such as TShark, are free software, released under the terms of the GNU General Public License.

First, we run Wireshark to capture the network traffic and save it as a .pcap file, so that we can later interpret it with Xplico, the network forensic analysis software.

To capture traffic there has to be some, so we will browse the web to generate it while Wireshark runs in the background. The same principle works in reverse: if someone had broken into our wireless network, we would see the traffic the attacker is generating and could detect them this way.

After capturing the traffic from our network, save it as a .pcap file somewhere easy to find so that we can analyse it with Xplico afterwards; in my case I keep it on the desktop.

Run Xplico from the Backtrack menu.

Copy the localhost address shown into the browser to open Xplico's web interface (it listens on port 9876 by default, i.e. http://localhost:9876).

The default user is xplico and the password is xplico (there is also an admin account, admin/xplico, for managing users). These defaults are public, so change both passwords if the interface will be reachable by anyone other than you.

The first thing to do is create a new case.

Once the case is created, it will ask us to create a new session for the analysis.

Open the newly created session and upload the archivo.pcap file captured with Wireshark.

Click Upload and Xplico will decode the archivo.pcap capture from Wireshark.

Once decoding finishes we can see the previously captured traffic, including the image at the start of this tutorial, which was downloaded while browsing ordinary pages. Wireshark captures every protocol on the wire, not just HTTP: if someone had logged in to an FTP server from the network we were sniffing, the username and password would appear in the capture in clear text, because FTP does not encrypt them, and the same goes for any other unencrypted protocol. That is exactly why an attacker on your LAN or wireless network runs a sniffer, and why credentials should only travel over TLS or SSH (FTPS/SFTP instead of FTP, HTTPS instead of HTTP).
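As an added example (not part of the original tutorial and not Xplico's or Wireshark's own code), the following Python script does in miniature what Xplico does with the uploaded .pcap: it reads the libpcap file format that Wireshark writes, reassembles each TCP flow, and recognises FTP and HTTP by the content of the stream rather than by port number, the idea behind PIPI described above. It builds its own small capture inline so it runs offline; the hosts (192.168.1.10/20/30), the FTP port 2121, the user alice, the password and the file name sample.pcap are all constructed for the example. The script also writes that capture to sample.pcap so you can open it in Wireshark or upload it to Xplico and compare.

```python
import re
import struct
from collections import defaultdict


def build_frame(src_ip, dst_ip, sport, dport, seq, payload):
    """Build a minimal Ethernet/IPv4/TCP frame carrying `payload`.
    Constructed test data: MAC addresses are zero and checksums are left at 0,
    which is fine for file parsing (Wireshark will merely flag the checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0,
                      5 << 4, 0x18, 65535, 0, 0) + payload  # 20-byte header, flags PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in the classic libpcap format (magic 0xa1b2c3d4, link type 1 = Ethernet),
    the same .pcap format Wireshark saves and Xplico reads."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(data):
    """Yield (src, sport, dst, dport, payload) for every TCP segment in a classic
    (microsecond) pcap. pcapng and non-Ethernet link types are not handled."""
    magic, = struct.unpack("<I", data[:4])
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                               # skip the global header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":                    # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 6:                                     # not TCP
            continue
        total_len = struct.unpack("!H", ip[2:4])[0]
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        data_off = (tcp[12] >> 4) * 4
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, sport, dst, dport, tcp[data_off:]


def reassemble(data):
    """Concatenate payloads per one-directional flow, keyed by the 4-tuple.
    Real captures also need sequence-number ordering and retransmission handling;
    the constructed capture below is already in order."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, payload in tcp_segments(data):
        flows[(src, sport, dst, dport)] += payload
    return flows


FTP_CMD = re.compile(rb"^(USER|PASS) ([^\r\n]+)", re.M)
HTTP_REQ = re.compile(rb"^(GET|POST|PUT|DELETE) (\S+) HTTP/1\.[01]", re.M)


def extract_artifacts(data):
    """Recognise FTP and HTTP by what the stream contains rather than by port
    (the idea behind Xplico's PIPI) and pull out logins and requests."""
    creds, requests = [], []
    for (src, sport, dst, dport), stream in reassemble(data).items():
        ftp = {cmd.decode(): arg.decode() for cmd, arg in FTP_CMD.findall(stream)}
        if "USER" in ftp:
            creds.append({"client": src, "server": f"{dst}:{dport}",
                          "user": ftp["USER"], "password": ftp.get("PASS")})
        for method, path in HTTP_REQ.findall(stream):
            requests.append({"client": src, "server": f"{dst}:{dport}",
                             "request": f"{method.decode()} {path.decode()}"})
    return creds, requests


def sample_capture():
    """Constructed capture: an FTP login on the non-standard port 2121 and one HTTP GET.
    Hosts, names and the password are made up for the example."""
    client, ftp_srv, web_srv = "192.168.1.10", "192.168.1.20", "192.168.1.30"
    return build_pcap([
        build_frame(ftp_srv, client, 2121, 40001, 1, b"220 ftpd ready\r\n"),
        build_frame(client, ftp_srv, 40001, 2121, 1, b"USER alice\r\n"),
        build_frame(ftp_srv, client, 2121, 40001, 17, b"331 Password required\r\n"),
        build_frame(client, ftp_srv, 40001, 2121, 13, b"PASS s3cret!\r\n"),
        build_frame(client, web_srv, 40002, 80, 1,
                    b"GET /images/logo.png HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ])


if __name__ == "__main__":
    pcap = sample_capture()
    with open("sample.pcap", "wb") as fh:   # open this in Wireshark or upload it to Xplico
        fh.write(pcap)
    creds, requests = extract_artifacts(pcap)
    print("FTP logins:", creds)
    print("HTTP requests:", requests)
```

Because the FTP session runs on port 2121, a port-based decoder would miss it; the credentials are found only because the classifier looks at the USER/PASS commands in the payload. That is the same reason a sniffer on your network sees your FTP password no matter which port the server uses.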

I hope you liked it and find it useful ……. Morphiss-binbash

