Tool Documentation:
xplico Usage Examples
Use the rltm module (-m rltm) and analyze traffic on interface eth0 (-i eth0):
root@kali:~# xplico -m rltm -i eth0
xplico v1.0.1
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2012 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
Configuration file (/opt/xplico/cfg/xplico_cli.cfg) found!
GeoLiteCity.dat found!
pcapf: running: 0/0, subflow:0/0, tot pkt:1
pol: running: 0/0, subflow:0/0, tot pkt:0
eth: running: 0/0, subflow:0/0, tot pkt:1
pppoe: running: 0/0, subflow:0/0, tot pkt:0
ppp: running: 0/0, subflow:0/0, tot pkt:0
ip: running: 0/0, subflow:0/0, tot pkt:0
Packages and Binaries:
xplico
Network Forensic Analysis Tool (NFAT)
The goal of Xplico is to extract the application data
contained in an internet traffic capture. For example,
from a pcap file Xplico extracts each email (POP, IMAP,
and SMTP protocols), all HTTP contents, each VoIP call (SIP, MGCP, H323),
FTP, TFTP, and so on. Xplico is not a network protocol analyzer.
Installed size: 10.08 MB
How to install: sudo apt install xplico
Dependencies:
- apache2
- binfmt-support
- kali-defaults
- lame
- libapache2-mod-php
- libc6
- libjson-c5
- libmariadb3
- libmaxminddb0
- libndpi4.2t64
- libpcap0.8t64
- libpq5
- libsqlite3-0
- libssl3t64
- openssl
- php-cli
- php-common
- php-json
- php-sqlite3
- python3
- python3-httplib2
- python3-psycopg2
- recode
- sox
- sqlite3
- tshark
- zlib1g
mfbc
root@kali:~# mfbc -h
mfbc v1.2.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2019 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
usage: mfbc [-h] [-s] [-l] [-i] [-c <config_file>] -p <port>
-c config file
-s silent
-p connection port
-i info (PEI generated by this manipulator)
-l print all log in the screen
-h this help
NOTE: parameters MUST respect this order!
mfile
root@kali:~# mfile -h
mfile v1.2.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2019 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
usage: mfile [-h] [-s] [-l] [-i] [-c <config_file>] -p <port>
-c config file
-s silent
-p connection port
-i info (PEI generated by this manipulator)
-l print all log in the screen
-h this help
NOTE: parameters MUST respect this order!
mpaltalk
root@kali:~# mpaltalk -h
mpaltalk v1.2.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2019 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
usage: mpaltalk [-h] [-s] [-l] [-i] [-c <config_file>] -p <port>
-c config file
-s silent
-p connection port
-i info (PEI generated by this manipulator)
-l print all log in the screen
-h this help
NOTE: parameters MUST respect this order!
mwmail
root@kali:~# mwmail -h
mwmail v1.2.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2019 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
usage: mwmail [-h] [-s] [-l] [-i] [-c <config_file>] -p <port>
-c config file
-s silent
-p connection port
-i info (PEI generated by this manipulator)
-l print all log in the screen
-h this help
NOTE: parameters MUST respect this order!
trigcap
root@kali:~# trigcap -h
usage: trigcap [-v] -f <input_file> -t <pkt num> -b <pkt numbers before> -a <pkt numbers after> -o <output_file> [-h]
-v version
-f input pcap file
-t trigger packet number
-b packet numbers before trigger packet
-a packet numbers after trigger packet
-o output pcap file
-h this help
xplico
root@kali:~# xplico -h
xplico v1.2.2
Internet Traffic Decoder (NFAT).
See http://www.xplico.org for more information.
Copyright 2007-2019 Gianluca Costa & Andrea de Franceschi and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
This product includes GeoLite data created by MaxMind, available from http://www.maxmind.com/.
usage: xplico [-v] [-c <config_file>] [-h] [-s] [-g] [-l] [-i <prot>] -m <capute_module>
-v version
-c config file
-h this help
-i info of protocol 'prot'
-g display graph-tree of protocols
-l print all log in the screen
-s print every second the deconding status
-m capture type module
NOTE: parameters MUST respect this order!
xplico-webui
root@kali:~# xplico-webui -h
┏━(Message from Kali developers)
┃
┃ The command xplico-webui is deprecated. Please use xplico-webui-start instead.
┃
┗━
xplico-webui-start
root@kali:~# xplico-webui-start --help
┏━(Message from Kali developers)
┃
┃ Service status:
┃ * xplico.service - Xplico
┃ Loaded: loaded (/usr/lib/systemd/system/xplico.service; disabled; preset: disabled)
┃ Active: active (running) since Wed 2026-05-27 07:24:12 EDT; 136ms ago
┃ Invocation: e6443d029ae34656bd3affa80d94a421
┃ Docs: https://www.xplico.org/docs
┃ Process: 879821 ExecStart=/opt/xplico/bin/dema -d /opt/xplico -b sqlite (code=exited, status=0/SUCCESS)
┃ Main PID: 879848 (dema)
┃ Tasks: 1 (limit: 9276)
┃ Memory: 2.6M (peak: 3.1M)
┃ CPU: 288ms
┃ CGroup: /system.slice/xplico.service
┃ `-879848 /opt/xplico/bin/dema -d /opt/xplico -b sqlite
┃
┃ May 27 07:24:12 kali systemd[1]: Starting xplico.service - Xplico...
┃ May 27 07:24:12 kali systemd[1]: xplico.service: Can't open PID file '/run/dema.pid' (yet?) after start: No such file or directory
┃ May 27 07:24:12 kali systemd[1]: Started xplico.service - Xplico.
┃
┗━
xplico-webui-stop
root@kali:~# xplico-webui-stop -h
┏━(Message from Kali developers)
┃
┃ Service status:
┃ * xplico.service - Xplico
┃ Loaded: loaded (/usr/lib/systemd/system/xplico.service; disabled; preset: disabled)
┃ Active: inactive (dead)
┃ Docs: https://www.xplico.org/docs
┃
┃ May 27 07:24:10 kali systemd[1]: Started xplico.service - Xplico.
┃ May 27 07:24:11 kali systemd[1]: xplico.service: Deactivated successfully.
┃ May 27 07:24:12 kali systemd[1]: xplico.service: Scheduled restart job, restart counter is at 1.
┃ May 27 07:24:12 kali systemd[1]: Stopped xplico.service - Xplico.
┃ May 27 07:24:12 kali systemd[1]: Starting xplico.service - Xplico...
┃ May 27 07:24:12 kali systemd[1]: xplico.service: Can't open PID file '/run/dema.pid' (yet?) after start: No such file or directory
┃ May 27 07:24:12 kali systemd[1]: Started xplico.service - Xplico.
┃ May 27 07:24:13 kali systemd[1]: Stopping xplico.service - Xplico...
┃ May 27 07:24:13 kali systemd[1]: xplico.service: Deactivated successfully.
┃ May 27 07:24:13 kali systemd[1]: Stopped xplico.service - Xplico.
┃
┗━
Updated on: 2026-May-25