oguzy edited this page Apr 27, 2012 · 2 revisions

  • Previewing the payload in different formats: either the raw data, or the reconstructed session

"So for example, if you wanted to view an email, you can either view it with the “mail” reconstruction, or just view the raw text formatting if you want to see all the headers and the network handshake. If the mail has an attachment, there is a button that will give you the options of opening the file or saving it to disk. Furthermore, if there is audio content in the session, there is a button in the toolbar that will reconstruct it and play it back. This toolbar really makes digging through content much faster, and gives you the ability to see one piece of evidence from many different perspectives." from

  • Extracting from a pcap: either the pcap itself, or the reconstructed payload data such as email attachments, the email itself, ...

Reconstructing the sessions and displaying them will be a problem area. Xplico is said to do session reconstruction very well.
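To make the session reconstruction step concrete, here is a minimal illustration added as an example (it is not code from this project or from Xplico): it parses a libpcap file, groups TCP segments by connection, drops retransmitted duplicates and rebuilds each direction in sequence order. The pcap, the addresses and the SMTP exchange are all constructed inside the block, so it runs offline.

```python
import struct
from collections import defaultdict

def tcp_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero (not needed for reassembly)."""
    ip4 = lambda a: bytes(map(int, a.split(".")))
    eth = b"\x00" * 12 + b"\x08\x00"                                   # MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 0x50, 0x18, 65535, 0, 0)  # PSH+ACK
    return eth + ip + tcp + payload

def build_pcap(frames):
    """Constructed sample input: libpcap 2.4 header (LINKTYPE_ETHERNET) plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1335484800 + i, 0, len(frame), len(frame)) + frame
    return out

def reassemble_tcp(pcap):
    """Return {conn: {(ip, port): bytes}} with each direction's payload rebuilt in sequence order."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    segments, off = defaultdict(list), 24                              # skip the 24-byte file header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:              # IPv4 over Ethernet, TCP only
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4                              # TCP header offset via IHL
        ip_total = struct.unpack("!H", frame[16:18])[0]
        sport, dport, seq = struct.unpack("!HHI", frame[tcp:tcp + 8])
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:14 + ip_total]  # trims Ethernet padding
        src = (".".join(map(str, frame[26:30])), sport)
        dst = (".".join(map(str, frame[30:34])), dport)
        segments[tuple(sorted((src, dst)))].append((src, seq, payload))  # same key for both directions
    streams = {}
    for conn, segs in segments.items():
        per_direction = defaultdict(bytes)
        for src, seq, payload in sorted(set(segs)):                    # set() drops exact retransmits
            per_direction[src] += payload                              # sorted by (src, seq)
        streams[conn] = dict(per_direction)
    return streams
# Constructed SMTP exchange captured out of order and with one retransmitted client segment.
CLIENT, SERVER = ("192.0.2.10", 40001), ("198.51.100.25", 25)
SAMPLE_PCAP = build_pcap([
    tcp_frame(*SERVER, *CLIENT, 1000, b"220 mx.example ESMTP\r\n"),
    tcp_frame(*CLIENT, *SERVER, 5021, b"QUIT\r\n"),                    # captured before EHLO
    tcp_frame(*CLIENT, *SERVER, 5000, b"EHLO client.example\r\n"),
    tcp_frame(*CLIENT, *SERVER, 5000, b"EHLO client.example\r\n"),     # retransmission
    tcp_frame(*SERVER, *CLIENT, 1022, b"250 mx.example\r\n"),
])
```

Calling `reassemble_tcp(SAMPLE_PCAP)` yields one connection with the client side reading `EHLO ... QUIT` and the server side `220 ... 250`, which is the text a "mail" reconstruction view would render.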

  • Filters: searching by keywords and by other fields of the packet

  • Packet display should include: Hosts, Files, Images, Credentials, etc.

  • API implementation, so that external sites can use the API to upload traffic and have it analyzed