 Question regarding pcap size, xplico and splitting 

Joined: Tue Aug 17, 2010 9:37 am
Posts: 4
Post Question regarding pcap size, xplico and splitting
Hello,

I have some questions about these topics as I'm going to use xplico:

  • What is the maximum size of a pcap file to be uploaded (independent from php.ini settings)?
  • I tried to split a pcap file but it failed; what do you use on Debian for this purpose and how do you use it? Could you give me an example?
  • Is there any issue with launching/using xplico via sqlite_demo.sh on a regular basis?

Many thanks,
Regards,
RedVivi


Mon Aug 23, 2010 9:48 am

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post Re: Question regarding pcap size, xplico and splitting
redvivi wrote:
Hello,

I have some questions about these topics as I'm going to use xplico:

  • I tried to split a pcap file but it failed; what do you use on Debian for this purpose and how do you use it? Could you give me an example?


In Wireshark, you can store traffic in separate files by specifying the maximum size of each pcap file.

About xplico, I am not sure, but I think pcap files are generated based on flow_id(src_ip, src_port, dest_ip, dest_port) for each content item; for example, a Flash movie on a web page has a flow_id, and using it the pcap is generated.


Mon Aug 23, 2010 11:42 am

Joined: Tue Aug 17, 2010 9:37 am
Posts: 4
Post Re: Question regarding pcap size, xplico and splitting
rp_exploit wrote:
In Wireshark, you can store traffic in separate files by specifying the maximum size of each pcap file.


I ran into a problem while trying to install the package because aptitude wants to install an ubuntu1.0.1 package or something similar. That's why I use tcpdump.

rp_exploit wrote:
About xplico, I am not sure, but I think pcap files are generated based on flow_id(src_ip, src_port, dest_ip, dest_port) for each content item; for example, a Flash movie on a web page has a flow_id, and using it the pcap is generated.


Do you mean it has something to do with memory usage, limiting the maximum size of a processed pcap file?


Mon Aug 23, 2010 11:50 am

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: Question regarding pcap size, xplico and splitting
redvivi wrote:
What is the maximum size of a pcap file to be uploaded (independent from php.ini settings)?

As far as I know, there are no limits. And you can process the PCAP files from the command-line interface, so never mind about the web server and php.ini.

redvivi wrote:
I tried to split a pcap file but it failed; what do you use on Debian for this purpose and how do you use it? Could you give me an example?

You can use "editcap", included in Wireshark, but take care when using it; it may create new problems: imagine you split a JPG across two PCAPs, you'll never get the real image.

redvivi wrote:
Is there any issue with launching/using xplico via sqlite_demo.sh on a regular basis?

I don't understand you; do you mean starting Xplico from the CLI? You have more documentation and examples at http://wiki.xplico.org/doku.php ("Use Xplico" section).

Carlos.


Mon Aug 23, 2010 1:01 pm

Joined: Tue Aug 17, 2010 9:37 am
Posts: 4
Post Re: Question regarding pcap size, xplico and splitting
carlos.gacimartin wrote:
As far as I know, there are no limits. And you can process the PCAP files from the command-line interface, so never mind about the web server and php.ini.


I can process from the CLI, but can I get the pcap analysis via the web UI if I use the CLI?

carlos.gacimartin wrote:
Is there any issue with launching/using xplico via sqlite_demo.sh on a regular basis?

I don't understand you; do you mean starting Xplico from the CLI? You have more documentation and examples at http://wiki.xplico.org/doku.php ("Use Xplico" section).


I mean, I start Xplico with sh /opt/.../sqlite_demo.sh. I don't know if it's the "official" and proper manner to start it.

Thanks a lot,
RedVivi


Mon Aug 23, 2010 2:04 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Question regarding pcap size, xplico and splitting
Quote:
* What is the maximum size of a pcap file to be uploaded (independent from php.ini settings)?

There are no limits. The only limit is the HD size.
The only thing to remember is that the current capture module has no history (only the manipulators have history, such as the eMule manipulator), so if you divide a pcap you have to process all the pcaps at once; otherwise streams that are broken across two pcaps will not be rebuilt.
Obviously you can make a capture module that solves this problem, or alternatively change the management policies for launching Xplico (such as the decoders) by Dema.


Tue Aug 24, 2010 8:58 am
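Carlos's warning about editcap and the admin's note that the capture module keeps no history come down to the same thing: a flow whose packets land in two files only rebuilds if both files are processed together. The Python below is an added example, not code from this thread or from Xplico: it splits a classic pcap into pieces of N records (what editcap -c does) and then reports which flows straddle the pieces, so you can check a split before feeding it to Xplico. The capture it runs on is constructed inline, and the reader assumes Ethernet/IPv4 frames.

```python
import struct
from collections import defaultdict
def pcap_records(data):
    """Yield (record_bytes, packet_bytes) from a classic pcap; assumes Ethernet link type."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off:off + 16 + incl_len], data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def flow_id(pkt):
    """Direction-independent (proto, endpoint, endpoint) key for IPv4 TCP/UDP, else None."""
    if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] not in (6, 17):
        return None
    ihl = (pkt[14] & 0x0F) * 4
    sport, dport = struct.unpack("!HH", pkt[14 + ihl:18 + ihl])
    return (pkt[23],) + tuple(sorted([(pkt[26:30], sport), (pkt[30:34], dport)]))

def split_pcap(data, per_file):
    """Split into pieces of per_file records (what editcap -c does); each keeps the global header."""
    chunks, cur, n = [], data[:24], 0
    for rec, _ in pcap_records(data):
        if n == per_file:
            chunks.append(cur)
            cur, n = data[:24], 0
        cur += rec
        n += 1
    chunks.append(cur)
    return chunks

def straddling_flows(chunks):
    """Flows with packets in more than one piece: these only rebuild if all pieces are processed together."""
    seen = defaultdict(set)
    for i, chunk in enumerate(chunks):
        for _, pkt in pcap_records(chunk):
            if flow_id(pkt) is not None:
                seen[flow_id(pkt)].add(i)
    return {f for f, idx in seen.items() if len(idx) > 1}
# Constructed sample capture (not real traffic): two TCP flows, headers only, 54-byte frames.
def _tcp_pkt(src, sport, dst, dport):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp
def sample_pcap():
    a, b, c = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x03"
    pkts = [_tcp_pkt(a, 40000, b, 80), _tcp_pkt(b, 80, a, 40000), _tcp_pkt(a, 40000, b, 80),
            _tcp_pkt(a, 40001, c, 80), _tcp_pkt(c, 80, a, 40001), _tcp_pkt(b, 80, a, 40000)]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(p), len(p)) + p for i, p in enumerate(pkts))
```

Splitting the sample into two pieces of three records puts the 10.0.0.1:40000 to 10.0.0.2:80 flow in both pieces; an empty result from straddling_flows means the split is safe to process piece by piece.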

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post Re: Question regarding pcap size, xplico and splitting
Quote:
limiting the maximum size of a processed pcap file?

No, it gets traffic for each flow_id separately; consequently the generated pcap files are separate.

Quote:
I can process from the CLI, but can I get the pcap analysis via the web UI if I use the CLI?

Xplico has two modes: CLI & XI. They work separately, so if you run the CLI, you can't use XI to see decoded traffic.


Tue Aug 24, 2010 9:15 am