Xplico.org
http://forum.xplico.org/

I want to add IP at first of name of decoded files
http://forum.xplico.org/viewtopic.php?f=6&t=19
Page 1 of 1

Author:  Raamin [ Thu Oct 15, 2009 9:39 am ]
Post subject:  I want to add IP at first of name of decoded files

I want to add this feature to Xplico:

Right now Xplico captures traffic, decodes it and generates decoded files with randomized names.

I want to add the source and destination IP at the start of the name of the decoded files. For example, Xplico generates a file with this name:
Code:
flow_http_rs_body_125282009_0x8b6a250_2.xml

I want to edit filename to this:
Code:
srcip_dstip_flow_http_rs_body_125282009_0x8b6a250_2.xml

or to change this filename
Code:
smtp_1255588763_0xa0b9340_0.eml

to
Code:
srcip_dstip_smtp_1255588763_0xa0b9340_0.eml


Please help me. Please point me to the relevant places in the source code to add this feature to Xplico.

Thank you for helping.

Author:  gianluca.costa [ Thu Oct 15, 2009 7:21 pm ]
Post subject:  Re: I want to add IP at first of name of decoded files

It is "simple": you can customize the dispatcher ;) .

If you use XI (and so DeMa), the dispatcher is "lite":
- cfg file: DISPATCH=disp_lite.so LOG=FEWITDS
- source code: dispatch/lite/lite.c
If you use Xplico from the CLI, the dispatcher is "none":
- cfg file: DISPATCH=disp_none.so LOG=FEWITDS
- source code: dispatch/none/

If you use "none" then it is hard to modify it, because it is empty :) . In the Wiki we will describe how to do it.
But if you use "lite", then for every protocol there is a function named DispProtocol. Inside these functions there is the call to the "rename" function (e.g. rename(path, rep); ). You can modify the name (rep) of the file in this place.
To find the IP: in every DispProtocol there is a variable "ip" (of type val), and with the function FTString you can convert "ip" into string format:
---> FTString(&ip, FT_IPv4, ip_string_buffer);
I assume the IP is IPv4.
For the port it is similar to the IP, but first you must know what "Pkt info" means in Xplico ( ./xplico -i tcp ).

In the wiki in the coming weeks there will be information on the dispatcher modules.
... have a little patience.

Author:  Raamin [ Sat Oct 17, 2009 6:20 am ]
Post subject:  Re: I want to add IP at first of name of decoded files

My goal is only Xplico in the CLI.

When Xplico runs in the CLI, it can capture and decode traffic and generate files with randomized names. So there should be places in the source code that do the decoding and save files with randomized names.

If it is "none", how does Xplico in the CLI generate files with randomized names? Where are the related places in the source code that do this task? Does Xplico use lite.c?

Author:  gianluca.costa [ Sat Oct 17, 2009 7:07 am ]
Post subject:  Re: I want to add IP at first of name of decoded files

Xplico is designed so that everyone can format the output data as desired, without having to change any dissector. Hence we have the dispatcher, which anyone can create or modify according to his needs. The dispatcher is selectable from the configuration file (e.g. DISPATCH=disp_none.so LOG=FEWITDS).
So if you want different names for the files, or to organize them differently, or to use Oracle as the DB, you need to modify or create your own dispatcher.
Using a dispatcher (yours or not) allows you to always be (theoretically) compatible with new versions of Xplico and the dissectors.

If you have a little patience, in the wiki and in the new release there will be what you ask.
