
Overview and Architecture of the Xplico Network Forensics Tool

Xplico is an open‑source network forensics platform that reconstructs application‑level data from captured traffic. It supports numerous protocols, offers modular decoding and multithreaded processing, and can write its output to databases or files, which makes it useful for security analysis and incident response.

Architecture Digest

Xplico aims to reconstruct application data from captured network traffic, allowing extraction of emails (POP, IMAP, SMTP), HTTP content, and more; it is a network forensics tool rather than a simple protocol analyzer.

Features

Supports decoding of HTTP, SIP, IMAP, POP, SMTP, TCP, UDP and other protocols.

Protocol‑agnostic decoding detection.

Multithreaded processing.

Outputs data to SQLite or MySQL databases and also provides raw file output.

Provides XML descriptions of decoded streams.

Real‑time capture capability (hardware‑dependent).

TCP ACK verification.

DNS resolution.

No restrictions on input packet size.

Supports both IPv4 and IPv6.

Modular design where each function (input, decoder, output) is a separate module that can be freely combined.

Customizable decoder modules.

Composition

A decoding manager called DeMa.

An IP decoder called Xplico.

A set of primary application decoders (e.g., HTTP decoder, SMTP decoder).

A result‑output interface.

The system is implemented in C, Python, PHP, and JavaScript.

Architecture

The overall architecture mirrors the composition above; data flows from a capture dissector to protocol analysis modules and finally to a dispatcher that exports the reconstructed information. Diagrams (images) illustrate the data‑flow and module relationships.

Decoding Manager (DeMa) Module

Normalizes input data.

Initializes decoder settings, history files, decoders, and allocators.

Starts decoders and allocators.

Operates decoders and allocators during processing.

Decoding Modules Overview

Decoders are modular, extensible, and configurable, designed to be independent of both input data formats and output data formats.

Three types of modules compose Xplico:

Capture modules (e.g., pcap for file capture, rltm for live capture).

Parsing modules that extract protocol‑specific information, organized per protocol (e.g., FTP, TCP).

Dispatch modules that export data to targets such as SQLite, PostgreSQL, directories, files, or network sockets.

Examples of parsing modules include an FTP parser that can store clear‑text session files and a TCP parser (named tcp_soft) that handles stream synchronization issues.

Dispatch Module

To create a custom dispatcher, implement the interface defined in xplico-src/dispatch/dispatch.h, specifically the functions DispInit(), DispEnd(), and DispInsPei(). These functions handle initialization, cleanup, and insertion of PEI (Protocol Element Information) objects respectively.

PEI (Protocol Element Information)

PEI structures are defined in xplico-src/dispatch/include/pei.h and contain metadata and component lists. Each supported protocol has a parser that encodes decoded information into a PEI format, which can be a string or a file. Not all parsers generate PEI (e.g., TCP, IP, UDP, Ethernet parsers).

Manipulators

Manipulators can modify PEI objects before they are passed to the dispatcher, allowing custom processing or transformation of the extracted data.
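The following C program is an added example, not Xplico's own code, that ties together the pipeline described above (parser output, then a manipulator, then a dispatcher) and the three-function dispatch interface. The pei and pei_component structs are a simplified stand-in for the real definitions in xplico-src/dispatch/include/pei.h, the parameter lists of DispInit(), DispEnd() and DispInsPei() are assumptions rather than copies of dispatch.h, and the FTP session data is constructed. The dispatcher writes to an in-memory record store in place of a database, and the manipulator masks credential components before they reach it, which is the kind of transformation a forensic operator would want when clear-text sessions are persisted.

```c
/* Added example (not Xplico's own code): a miniature dispatch module in the
 * shape the page describes, plus one manipulator that runs before dispatch.
 * pei / pei_component are a simplified stand-in for pei.h; the signatures of
 * DispInit/DispEnd/DispInsPei are assumed, not copied from dispatch.h. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 32
#define VAL_LEN  256
#define OUT_LEN  4096

/* One decoded element of a session: a string value or an extracted file. */
typedef struct pei_component {
    char name[NAME_LEN];
    char strbuf[VAL_LEN];      /* string payload, if any */
    char file_path[VAL_LEN];   /* path of an extracted file, "" if none */
    struct pei_component *next;
} pei_component;

/* Protocol Element Information: session metadata plus a component list. */
typedef struct pei {
    unsigned long id;
    char prot[NAME_LEN];       /* producing parser, e.g. "ftp" */
    char src_ip[64];
    char dst_ip[64];
    pei_component *components;
} pei;

/* Dispatcher state: an in-memory record store standing in for SQLite/MySQL. */
static char disp_out[OUT_LEN];
static size_t disp_len;
static unsigned long disp_count;

/* Append formatted text to the store; -1 if it would not fit. */
static int DispAppend(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(disp_out + disp_len, OUT_LEN - disp_len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= OUT_LEN - disp_len) return -1;
    disp_len += (size_t)n;
    return 0;
}

/* DispInit: prepare the output target (cfg would name a config file). */
int DispInit(const char *cfg)
{
    (void)cfg;
    disp_out[0] = '\0';
    disp_len = 0;
    disp_count = 0;
    return 0;
}

/* Manipulator: mask credential components so clear-text passwords are not
 * written to the output target. Returns the number of components masked. */
int ManipMaskSecrets(pei *ppei)
{
    int masked = 0;
    for (pei_component *c = ppei->components; c; c = c->next)
        if (strcmp(c->name, "pass") == 0 || strcmp(c->name, "password") == 0) {
            snprintf(c->strbuf, VAL_LEN, "%s", "<redacted>");
            masked++;
        }
    return masked;
}

/* DispInsPei: serialise one PEI as a line of key=value pairs. */
int DispInsPei(pei *ppei)
{
    if (!ppei) return -1;
    if (DispAppend("id=%lu prot=%s src=%s dst=%s", ppei->id, ppei->prot,
                   ppei->src_ip, ppei->dst_ip)) return -1;
    for (pei_component *c = ppei->components; c; c = c->next) {
        int rc = c->file_path[0] ? DispAppend(" %s@file=%s", c->name, c->file_path)
                                 : DispAppend(" %s=%s", c->name, c->strbuf);
        if (rc) return -1;
    }
    if (DispAppend("\n")) return -1;
    disp_count++;
    return 0;
}

/* DispEnd: close the target; returns how many PEIs were dispatched. */
unsigned long DispEnd(void) { return disp_count; }

const char *DispOutput(void) { return disp_out; }

/* Append a component (string value or file reference) to a PEI. */
static void PeiAddComponent(pei *p, const char *name, const char *val, const char *file)
{
    pei_component *c = calloc(1, sizeof *c);
    if (!c) return;
    snprintf(c->name, NAME_LEN, "%s", name);
    snprintf(c->strbuf, VAL_LEN, "%s", val ? val : "");
    snprintf(c->file_path, VAL_LEN, "%s", file ? file : "");
    pei_component **tail = &p->components;
    while (*tail) tail = &(*tail)->next;
    *tail = c;
}

static void PeiFree(pei *p)
{
    while (p->components) {
        pei_component *n = p->components->next;
        free(p->components);
        p->components = n;
    }
}

/* Constructed FTP session: parser output -> manipulator -> dispatcher.
 * Returns the dispatched count; *masked_out receives the masked count. */
unsigned long RunPipeline(int *masked_out)
{
    pei p;
    memset(&p, 0, sizeof p);
    p.id = 1;
    snprintf(p.prot, NAME_LEN, "%s", "ftp");
    snprintf(p.src_ip, sizeof p.src_ip, "%s", "10.0.0.5");    /* constructed */
    snprintf(p.dst_ip, sizeof p.dst_ip, "%s", "10.0.0.21");   /* constructed */
    PeiAddComponent(&p, "user", "alice", NULL);
    PeiAddComponent(&p, "pass", "hunter2", NULL);
    PeiAddComponent(&p, "cmd", "RETR report.pdf", NULL);
    PeiAddComponent(&p, "file", NULL, "/tmp/xplico_ftp_1/report.pdf");

    DispInit("example.cfg");
    int masked = ManipMaskSecrets(&p);   /* manipulators run before dispatch */
    DispInsPei(&p);
    unsigned long n = DispEnd();
    PeiFree(&p);
    if (masked_out) *masked_out = masked;
    return n;
}

int main(void)
{
    int masked = 0;
    unsigned long n = RunPipeline(&masked);
    printf("%sdispatched=%lu masked=%d\n", DispOutput(), n, masked);
    return 0;
}
```

Running the program prints the single serialised record for the constructed session with the password component replaced by a placeholder and the extracted file referenced by path. A real dispatcher would replace the in-memory store with an SQLite or MySQL insert in DispInsPei() and open or close the connection in DispInit() and DispEnd(); the separation shown here is what lets a manipulator change a PEI without the dispatcher needing to know which parser produced it.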

Source: FreeBuf.COM

Written by

Architecture Digest

Focusing on Java backend development, covering application architecture from top-tier internet companies (high availability, high performance, high stability), big data, machine learning, Java architecture, and other popular fields.
