I want to add the IP at the start of the name of decoded files

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post subject: I want to add the IP at the start of the name of decoded files
I want to add this feature to xplico:

Now xplico captures traffic, decodes it and generates decoded files with randomized names.

I want to add the source & destination IP at the start of the name of the decoded files. For example, xplico generates a file with this name:
Code:
flow_http_rs_body_125282009_0x8b6a250_2.xml

I want to change the filename to this:
Code:
srcip_dstip_flow_http_rs_body_125282009_0x8b6a250_2.xml

or change this filename
Code:
smtp_1255588763_0xa0b9340_0.eml

to
Code:
srcip_dstip_smtp_1255588763_0xa0b9340_0.eml


Please help me. Please point me to the relevant places in the source code to add this feature to xplico.

Thank you for helping.


Thu Oct 15, 2009 9:39 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post subject: Re: I want to add the IP at the start of the name of decoded files
It is "simple": you can customize the dispatcher ;) .

If you use XI (and so DeMa), the dispatcher is "lite":
- cfg file: DISPATCH=disp_lite.so LOG=FEWITDS
- source code: dispatch/lite/lite.c
If you use Xplico from the CLI, the dispatcher is "none":
- cfg file: DISPATCH=disp_none.so LOG=FEWITDS
- source code: dispatch/none/

If you use "none" then it is hard to modify it, because it is empty :) . In the Wiki we will describe how to do it.
But if you use "lite" then for every protocol there is a function named DispProtocol. Inside these functions there is the call to the "rename" function (e.g.: rename(path, rep); ). You can modify the name (rep) of the file in this place.
To find the IP: in every DispProtocol there is a variable "ip" (of type val), and with the function FTString you can convert "ip" to string format:
---> FTString(&ip, FT_IPv4, ip_string_buffer);
I suppose that IP is IPv4.
For the port it is similar to the IP, but first you must know what "Pkt info" means in Xplico ( ./xplico -i tcp ).

In the wiki in the coming weeks there will be information on the dispatcher modules.
... have a little patience.


Thu Oct 15, 2009 7:21 pm

Joined: Sat Oct 10, 2009 10:04 am
Posts: 38
Post subject: Re: I want to add the IP at the start of the name of decoded files
My goal is only Xplico in the CLI.

When Xplico runs in the CLI, it can capture and decode traffic and generate files with randomized names. So there should be places in the source code that do the decoding and save the files with randomized names.

If it is "none", how does xplico in the CLI generate files with randomized names? Where are the related places in the source code that do this task? Does Xplico use lite.c?


Sat Oct 17, 2009 6:20 am
Site Admin

Joined: Wed Sep 16, 2009 10:09 pm
Posts: 394
Post subject: Re: I want to add the IP at the start of the name of decoded files
Xplico is designed so that everyone can format the output data as desired, without having to change any dissector. Hence we have the dispatcher, which anyone can create or modify according to his needs. The dispatcher is selectable from the configuration file (e.g.: DISPATCH=disp_none.so LOG=FEWITDS).
So if you want different names for the files, or to organize them differently, or to use Oracle as the DB, you need to modify or create your dispatcher.
Using a dispatcher (yours or not) allows you to be always (theoretically) compatible with new versions of Xplico and the dissectors.

If you have a little patience, in the wiki and in the new release there will be what you ask for.


Sat Oct 17, 2009 7:07 am