 windows and linux pcap 

Joined: Sun Mar 21, 2010 10:15 am
Posts: 6
Post windows and linux pcap
Hi...

Xplico fails to decode pcaps generated in Linux... let's say Ubuntu 9.10 (my machine). Only pcaps generated in Windows work.


Sun Mar 21, 2010 10:18 am

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: windows and linux pcap
Hello,
You are not giving much information to study your problem. Xplico works fine with the PCAPs done in GNU/Linux, as all users in this forum have checked. By the way, how are you creating your captures in Linux?

Carlos


Sun Mar 21, 2010 8:44 pm

Joined: Sun Mar 21, 2010 10:15 am
Posts: 6
Post Re: windows and linux pcap
Hi,

I am sorry if I missed out any step, but I used the deb package to install Xplico, and also installed it from source. After that I changed the settings as per your configuration docs.

To capture the data, I used Wireshark in both Linux and Windows. While all the pcaps from the Windows machine were decoded, none from Linux are decoded properly. In Linux, only the DNS part is working fine for me, using both the CLI and the web interface. I used tcpdump, after which I obtained all the data (of course not as refined as yours) from the same pcap.


Mon Mar 22, 2010 5:15 am

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: windows and linux pcap
Hello,
- Which command are you using with tcpdump to capture data?
- Could you post a pcap example which is not being decoded?


Carlos.


Mon Mar 22, 2010 7:37 am

Joined: Tue Mar 23, 2010 1:13 am
Posts: 2
Post Re: windows and linux pcap
I'm experiencing the same problem.

I've captured logs from a BSD based firewall using:
tcpdump -npi <interface> -Xs 1600 -w <outputfile>

This creates a pcap that opens successfully in Wireshark on both Linux and Windows.

Xplico scans the pcap but decodes only the DNS requests, ignoring all the other data.

This is being used via DEFT v5x.


Tue Mar 23, 2010 6:36 am

Joined: Sun Mar 21, 2010 10:15 am
Posts: 6
Post Re: windows and linux pcap
Well, I used 'ngrep', 'tcpdump', 'wireshark', etc... All of them are working fine, but not Xplico... Yeah, and I am unable to attach the file because it's a bit... but wait, I will create another.


Tue Mar 23, 2010 6:39 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: windows and linux pcap
Hi wraith and fox,
If you post a pcap with a single TCP stream (HTTP) that is not decoded by Xplico, it will be easier to understand and then find the problem.

Ciao.
Gianluca


Tue Mar 23, 2010 7:29 am

Joined: Sun Mar 21, 2010 10:15 am
Posts: 6
Post Re: windows and linux pcap
Hi, check this out.

It contains YouTube, Google Images, feeds.

Hey, I also found out that some of the pcap files generated in Windows are not decoded. Anyway, check out the file that is attached.


Attachments:
home.pcap.zip [1.28 MiB]
Downloaded 277 times
Tue Mar 23, 2010 8:03 am

Joined: Sun Mar 21, 2010 10:15 am
Posts: 6
Post Re: windows and linux pcap
Hi,

Pretty sure that there are some files from Windows that can't be decoded. Again, I am not sure if it's due to compilation or not...

I checked and found some differences in the packets of Windows and Linux using ngrep.


Tue Mar 23, 2010 9:40 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: windows and linux pcap
Your pcap has two "problems":
  • some lost packets
  • TCP checksum errors
The first is an acquisition problem. The second problem is solved as follows: http://wiki.xplico.org/doku.php?id=tips ... rification

Ciao.
Gianluca


Tue Mar 23, 2010 11:49 am
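The two problems Gianluca names, lost packets and TCP checksum errors, are both visible in the capture itself before it ever reaches Xplico, so a quick pre-check saves a lot of guessing. The script below is an added example, written for this thread; it is not code from Xplico or from anyone in the discussion. It builds a small Ethernet/IPv4/TCP capture in memory (all addresses, ports and the HTTP payload are constructed sample values), writes it in classic libpcap format, then walks the records and counts segments whose TCP checksum does not verify and per-direction sequence gaps, which is what a dropped packet looks like in a stream. The bad checksum is produced by deliberately writing a wrong value, standing in for the placeholder a checksum-offloading NIC leaves in packets captured on the sending host. Only the classic pcap container with Ethernet link type is parsed; pcapng is out of scope here.

```python
import struct

# Added example, not part of Xplico or of the forum posts above.
TCP_PROTO = 6
ETH_IPV4 = 0x0800


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the whole TCP segment.
    For a segment whose checksum field is already correct the result is 0."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return ones_complement_checksum(pseudo + segment)


def build_frame(src_ip, dst_ip, sport, dport, seq, ack, flags, payload, corrupt=False):
    """Ethernet/IPv4/TCP frame with constructed MACs. corrupt=True writes a wrong
    TCP checksum, emulating what checksum offload leaves in a local capture."""
    src = bytes(map(int, src_ip.split(".")))
    dst = bytes(map(int, dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    csum = tcp_checksum(src, dst, tcp)
    if corrupt:
        csum = (csum + 1) & 0xFFFF  # off by one: never verifies
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, TCP_PROTO, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_checksum(ip)) + ip[12:]
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETH_IPV4)
    return eth + ip + tcp


def build_pcap(frames):
    """Classic libpcap file: 24-byte global header (little-endian, LINKTYPE_ETHERNET = 1)
    followed by a 16-byte record header per packet. Timestamps are constructed."""
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    records = b"".join(
        struct.pack("<IIII", 1269331200 + i, 0, len(f), len(f)) + f for i, f in enumerate(frames)
    )
    return header + records


def iter_packets(pcap: bytes):
    """Yield the raw bytes of each record in a classic pcap file."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("this example only parses Ethernet (LINKTYPE 1) captures")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def analyse_pcap(pcap: bytes) -> dict:
    """Count TCP segments that fail checksum verification and, per direction of
    each connection, sequence-number gaps (bytes that were never captured)."""
    tcp_segments = bad_checksums = sequence_gaps = 0
    next_seq = {}  # (src, sport, dst, dport) -> next expected sequence number
    for frame in iter_packets(pcap):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[9] != TCP_PROTO or len(ip) < total_len:
            continue  # not TCP, or cut short by the capture snaplen
        src, dst = ip[12:16], ip[16:20]
        tcp = ip[ihl:total_len]
        tcp_segments += 1
        if tcp_checksum(src, dst, tcp) != 0:
            bad_checksums += 1
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        data_off = (tcp[12] >> 4) * 4
        flags = tcp[13]
        # SYN and FIN each consume one sequence number in addition to the payload
        consumed = len(tcp) - data_off + bool(flags & 0x02) + bool(flags & 0x01)
        key = (src, sport, dst, dport)
        expected = next_seq.get(key)
        if expected is not None and seq > expected:
            sequence_gaps += 1  # earlier bytes in this direction never reached the capture
        if expected is None or seq >= expected:
            next_seq[key] = (seq + consumed) & 0xFFFFFFFF
    return {"tcp_segments": tcp_segments, "bad_checksums": bad_checksums, "sequence_gaps": sequence_gaps}


# Constructed sample: one HTTP exchange with a lost server segment and one
# client ACK whose checksum is wrong.
CLIENT, SERVER = "10.0.0.2", "192.0.2.10"
REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, SERVER, 40000, 80, 1000, 0, 0x02, b""),                        # SYN
    build_frame(SERVER, CLIENT, 80, 40000, 5000, 1001, 0x12, b""),                     # SYN/ACK
    build_frame(CLIENT, SERVER, 40000, 80, 1001, 5001, 0x18, REQUEST),                 # request
    build_frame(SERVER, CLIENT, 80, 40000, 5001, 1001 + len(REQUEST), 0x18, b"HTTP/1.1 200 OK\r\n"),
    build_frame(SERVER, CLIENT, 80, 40000, 7000, 1001 + len(REQUEST), 0x18, b"<html>"),  # gap before it
    build_frame(CLIENT, SERVER, 40000, 80, 1001 + len(REQUEST), 7006, 0x10, b"", corrupt=True),
])

if __name__ == "__main__":
    print(analyse_pcap(SAMPLE_PCAP))
```

Run against a real file, `analyse_pcap(open("capture.pcap", "rb").read())` separates the two causes: a non-zero `bad_checksums` count on packets sent by the capturing host points at checksum offload (the NIC fills the field in after the capture hook has already seen the packet), which the wiki page linked above addresses on the Xplico side; a non-zero `sequence_gaps` count means the capture itself is incomplete, which no decoder setting can repair.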