 Dissectors development 
Hello everyone, first of all, congratulations on the great job and on releasing this piece of software.

Yesterday I had the opportunity to meet Mr. Fratepietro, with whom I had the chance to ask some questions about both DEFT and Xplico.

I think Xplico is a really interesting project, and since it may fit my needs for some forensics activities I thought it would be a good thing if I could contribute somehow.

Honestly I have very little free time, but it would be cool if I could learn how to develop dissectors to expand this tool with support for new protocols/applications.

So I decided to visit the wiki looking for some documentation on how the software is structured, but I couldn't find out much, so here come my questions:

Is Xplico plugin oriented? I mean, is there a plugin interface on which I can develop dissectors?
Which language is used by the applications on the dissector layer? Python?
And also, is there some sort of documentation and examples? Or do I have to check the sources?

Sorry if my questions were tedious, and for my bad English :)


Fri Mar 12, 2010 2:17 pm
Re: Dissectors development
Hi Rampage,
Quote:
Honestly I have very little free time, but it would be cool if I could learn how to develop dissectors to expand this tool with support for new protocols/applications.

We too have little time, and the protocols (application protocols and others) in development are many.
Which protocols did you have in mind?
Quote:
So I decided to visit the wiki looking for some documentation on how the software is structured, but I couldn't find out much, ...

... because of our short time.
Quote:
Is Xplico plugin oriented?

If you mean the decoder, the answer is yes. Every part of the decoder is a plugin and therefore a module. In Xplico (decoder) we distinguish 3 types of modules:
* Capture modules
* Dissector modules
* Dispatcher modules
Capture modules: allow interfacing (in theory) to any type of data acquisition system.

Dissector modules: are protocol decoders. These modules are in turn divided into various categories (it is complicated to explain how right now).

Dispatcher modules: allow interfacing (in theory) to any type of data storage system (files, SQLite DB, Oracle, MySQL, PostgreSQL, storage systems with socket connection, ... space for the imagination), and all this easily and without modifying the protocol dissector (Dissector modules).

Quote:
I mean, is there a plugin interface on which I can develop dissectors?

Yes.
Quote:
Which language is used by the applications on the dissector layer? Python?

Only C for the decoder. Conversely, Manipulators (developed in C) can use any type of script, and therefore any language.
Quote:
And also, is there some sort of documentation and examples? Or do I have to check the sources?

No. The simplest dissector is the Telnet one because:
  • it consists of a single TCP stream
  • it has no PIPI technique implemented (we have not had time to finish it)
  • it has a simple PEI (Protocol Elementary Information: it is the output of some Dissector modules and it is the input of any Dispatcher module). To see the PEI elements of a protocol: ./xplico -i <protocol>
  • it consists of little code
  • it is among the most recent and it correctly uses the API of the Xplico core

Ciao.
Gianluca


Sat Mar 13, 2010 6:34 am
Re: Dissectors development
Ciao Gianluca,

The protocols I am looking forward to seeing supported in Xplico are Samba, and for applications I was looking forward to Gmail/GTalk.

Fratepietro told me that something was in the roadmap for Gmail/GTalk, so maybe interfering with this may only cause problems in coordinating the work.

Samba/NFS are very interesting even if they are complex to deal with, especially Samba, but they are useful because when you are conducting corporate forensics over the network, file servers are generally involved 90% of the time, and reconstructing file server activity is really useful.

But I'm also aware that Samba is complex to dissect due to the Kerberos/encryption involvement when you are dealing with an Active Directory domain.

I think I'll need to study the software structure a lot before being able to start coding even the simplest component for the easiest protocol available.

I'll look forward to documentation, code comments and suggestions on this forum, and maybe I'll be able to cooperate.

Also, for the non-coding part, if there are other ways I can contribute I'll be really happy to put some effort into it :)


Sat Mar 13, 2010 3:01 pm
Re: Dissectors development
Ciao Rampage,

Quote:
The protocols I am looking forward to seeing supported in Xplico are Samba, and for applications I was looking forward to Gmail/GTalk.

Yes, it is in development... very, very slowly ;).

Quote:
Samba/NFS are very interesting even if they are complex to deal with, especially Samba, but they are useful because when you are conducting corporate forensics over the network, file servers are generally involved 90% of the time, and reconstructing file server activity is really useful.

Well. These protocols are not in development.
Long ago I found this project that I never tried: http://mybox.trenger.ro/

Ciao.
Gianluca


Tue Mar 16, 2010 7:43 pm
Re: Dissectors development
Rampage wrote:
Also, for the non-coding part, if there are other ways I can contribute I'll be really happy to put some effort into it :)


Hello Rampage,
have you checked the to-do list?
http://sourceforge.net/tracker/?group_id=239471&atid=1110205

Your help would be very useful, and I would work on the proposed features together with you. For example, there are small fixes to do in the web interface.

Carlos.


Sat Mar 27, 2010 8:02 pm
Re: Dissectors development (SMB files sniffing)
SMB files sniffing.
Useful link (and patch): http://www.taddong.com/en/lab.html
We are thinking of using this software for a new dissector ...

Ciao.
Gianluca


Mon May 31, 2010 6:10 am