 Session reconstruction 

Joined: Mon Mar 29, 2010 12:26 pm
Posts: 16
Post Session reconstruction
Hello,

How high is session reconstruction on the to-do list?

Thanks

Bill


-------------------------------
Something like, or similar to, what is described at: http://www.eeye.com/iris

Session Reconstruction

Most packet capture solutions and network sniffers only display raw packets and leave it to the user to decode and determine the potential problems they represent. Iris collects network traffic and reassembles it as its native session based format, enabling users to quickly and easily make business decisions based on the service it was providing. Iris users can present the actual text of an email, as well as any attachments, exactly as it was sent. It provides reconstruction of full HTML pages that an end user visited and reconstruction of cookies for entry into password-protected websites. Iris will even display bi-directional instant messaging communications allowing full session reconstruction as the end user sees it.


Tue Oct 05, 2010 6:29 pm

Joined: Wed Sep 16, 2009 10:45 pm
Posts: 128
Post Re: Session reconstruction
Bill, all that and more is already developed in Xplico, why don't you try it?


Tue Oct 05, 2010 9:32 pm

Joined: Mon Mar 29, 2010 12:26 pm
Posts: 16
Post Re: Session reconstruction
Thanks for the feedback! OK, I tried it (with DEFT Linux 6) by loading a *.cap file (produced with airodump-ng) into Xplico. But even though the cap file is not encrypted, no data is shown in any of the categories... nor is the session reconstructed in any way.

What am I doing wrong?


Thanks a lot for any feedback!

Bill


Thu Dec 23, 2010 3:35 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Session reconstruction
Your pcap may contain a protocol not decoded by Xplico. Can you provide a pcap (produced with airodump-ng) with a single TCP stream (possibly HTTP)?

Ciao.
Gianluca


Fri Dec 24, 2010 6:57 am

Joined: Mon Mar 29, 2010 12:26 pm
Posts: 16
Post Re: Session reconstruction
carlos.gacimartin wrote:
Bill, all that and more is already developed in Xplico, why don't you try it?


Hello,

I loaded "Xplico sample pcap captures download" and can see many pics, emails and other traffic, which is perfect for most cases/needs.

But with "session reconstruction" I expected full session reconstruction as the end user sees it...


Am I doing something wrong?

Bill


Fri May 20, 2011 11:53 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Session reconstruction
The html "session reconstruction" is present in Xplico. Xplico is able to emulate the browser user cache.
To activate html "session reconstruction" you must enable, in your browser, the proxy (localhost and 9876 as port).


Fri May 20, 2011 12:25 pm

Joined: Mon Mar 29, 2010 12:26 pm
Posts: 16
Post Re: Session reconstruction
gianluca.costa wrote:
The html "session reconstruction" is present in Xplico. Xplico is able to emulate the browser user cache.
To activate html "session reconstruction" you must enable, in your browser, the proxy (localhost and 9876 as port).


Thanks a lot, Gianluca, for your help!

Now the following message is displayed:
"For a complete view of html-page set your browser to use Proxy, and point it to Web server"


As I understand, I have to connect to the same webserver as the monitored person in question did before, in order to get a "real view of what happened"?


Thanks for any help!

Bill


Fri May 27, 2011 1:30 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Session reconstruction
Quote:
As I understand, I have to connect to the same webserver as the monitored person in question did before, in order to get a "real view of what happened"?

No... if I understand your question correctly.
The steps to follow are:
  • set the browser proxy to localhost (or the IP where Xplico is running) with port 9876
  • use the following URL and log in:
    localhost:9876 or <IP>:9876
    it must be the IP and not the name of the server!
  • after selecting the "case" and the "session", go from the menu to the "Web" page
  • click on the URL to display
Xplico regenerates the page with all the data (just as the monitored person saw it), of course if and only if all the data were collected in the capture.

This is an example: http://www.xplico.org/wp-content/upload ... lico_2.png
Some other info about pcap web page reconstruction and visualization: http://wiki.xplico.org/doku.php?id=web_interface#web

Ciao.
Gianluca


Sat May 28, 2011 6:29 am

Joined: Mon Mar 29, 2010 12:26 pm
Posts: 16
Post Re: Session reconstruction
Thanks a lot, Gianluca, for your help!

Unfortunately, web pages from "the Xplico sample pcap captures download" are not loaded as shown in

http://www.xplico.org/wp-content/upload ... lico_2.png


Pls see attachment (Firefox proxy settings)


Thank you!

Bill




Thu Jun 30, 2011 3:00 pm
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post Re: Session reconstruction
Hi,
remove "localhost, 127.0.0.1" from "No Proxy For:"

Ciao.


Thu Jun 30, 2011 9:15 pm
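
The proxy settings discussed in the last posts (manual proxy on localhost port 9876, nothing for localhost in "No Proxy For") can be checked directly in a Firefox profile's prefs.js. The following is an added example, not part of the thread and not Xplico code; the function names and the sample prefs are constructed, and the default bypass list used when the pref is absent is an assumption about Firefox builds of that period.

```python
import re

# Firefox writes each changed preference as: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample: proxy set as in the thread, "No Proxy For" left untouched.
SAMPLE_PREFS = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 9876);
user_pref("network.proxy.no_proxies_on", "localhost, 127.0.0.1");
'''

def parse_prefs(text):
    """Return {pref_name: value} for every user_pref line in prefs.js text."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"'):
            prefs[name] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[name] = (raw == "true")
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                pass  # ignore values that are not string/bool/int
    return prefs

def check_proxy(prefs, host="localhost", port=9876,
                default_bypass="localhost, 127.0.0.1"):  # assumed default
    """List reasons the browser would not route requests via host:port."""
    problems = []
    if prefs.get("network.proxy.type", 0) != 1:  # 1 = manual configuration
        problems.append("proxy type is not manual")
    if prefs.get("network.proxy.http") != host:
        problems.append("HTTP proxy host is not %s" % host)
    if prefs.get("network.proxy.http_port") != port:
        problems.append("HTTP proxy port is not %d" % port)
    # Hosts listed in "No Proxy For" bypass the proxy entirely.
    bypass = prefs.get("network.proxy.no_proxies_on", default_bypass)
    entries = [e.strip() for e in bypass.split(",")]
    for entry in ("localhost", "127.0.0.1"):
        if entry in entries:
            problems.append('"%s" is listed in No Proxy For' % entry)
    return problems
```

Running `check_proxy(parse_prefs(open("prefs.js").read()))` against a profile returns an empty list once the settings match the ones described in the thread.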