Saturday, March 05, 2011

Xplico & VirtualBox Headaches - Part II

Yes.  I know.  I really know.

I’ve promised a post on the wondermous Network Forensic Analysis Tool (NFAT) Xplico.

When it’s working, it is an outstanding tool, particularly when you have to take some of your PCAP files from the analysis bench into the boardroom and present findings in a way decision makers can relate to after an incident or network analysis review.

I started out cutting my teeth by using the 0.5.x builds directly in the DEFT Linux LiveCD builds.  Then I started playing around with the Xplico-provided VirtualBox Image builds including the new 0.6.x versions.

I was all set to start writing a post…when I was surprised at work to suddenly be getting no-boot errors on the VirtualBox vmdk drives on which I had some cases going on my XP system.  Attempts to reload VirtualBox (from the 3.2.x version to the latest 4.0 versions) and/or redownload and deploy the various Xplico-provided vmdk images were unsuccessful…despite all the MD5 download hashes matching…even on different XP systems.

Fortunately, I was still going strong on my home system’s VirtualBox vmdk images for Xplico where I had some community-provided PCAP files to use for the post.

Only last weekend, when I launched them, they too experienced the same error.

[Screenshot: fsck error on first boot of the Xplico 0.6.1 VirtualBox appliance]

Above: The killer-diller error.  Brand new, first launch of Xplico’s latest VirtualBox 0.6.1 image/appliance.  Note that right after setting the system clock and activating the swap file, fsck does a forced check saying the drive hasn’t been checked in over 249 days… Same thing in both VirtualBox 3.2.x builds as well as the latest 4.0.x releases; XP/Win7…doesn’t matter.

[Screenshot: the error that now appears on every boot of the Xplico VirtualBox image]

Above: After the original error, the damage has been done and now I get this every Xplico VirtualBox Image boot.

So now I was left with trying to use Xplico directly off the DEFT LiveCD builds.  Only the version of Xplico in DEFT 5 was older and didn’t seem to render the images in the rebuilt web-page sessions; Xplico in DEFT 6 seems to run, but for some reason all attempts to upload PCAPs failed (I think it is an Apache issue, as the terminal window never closes like it does on the DEFT 5 LiveCD build).

Double Bummer!  Particularly after feeling a bit better having overcome this “DEFT 6 and VirtualBox: Maybe it’s just me?” issue a few months ago.

Now, while I got started in the early days of LiveCD building by hand-building custom Knoppix (Damn Small Linux) boot CDs, I’m just a few levels above “noobie” when it comes to Linux building, working, and troubleshooting.

As the images presented earlier capture, the whole issue seems to be that when I ran any of the VirtualBox vmdk images, during the boot process a disk check (fsck) was/is triggered due to some kind of date/clock-time stamp.  It claims I haven’t used these in over 258 days…thus triggering the fsck.  Only if I do run a manual fsck as suggested, it claims to find a bunch of stuff “bad” and “fixes” it all.  Only upon reboot the system is hosed.

I know there are ways to Skip or Bypass an fsck, but despite my best attempts, I couldn’t get grub to cooperate with me.

So now I was really frustrated.  I was/am still unable to get the (really nice when running) VirtualBox images directly from Xplico working.  And the versions in the LiveCDs from DEFT, while nice, aren’t really a convenient environment for real and persistent NFA case work.  Based on previous work with Xplico I know that it can deliver and deliver very well…only I felt like I was running lame with any of these current solutions.

So that meant I had one last possibility (at least as far as I knew at the time)…roll my own “installed” Linux build on a fresh vmdk file in VirtualBox, and then manually install Xplico into it.

I’m cool with that; I needed a fully working Xplico build, and maybe it would be a good exercise before going into Xplico proper.  How hard could it be?

The answer?

Really, really frustrating…then stupidly simple.  Seriously simple.  Even Alvis could do it.

[Screenshot: Xplico running in the hand-built, installed VirtualBox image]

Above: The Xplico baby is delivered and working perfectly!

It can be done, and now I have a fully functional Xplico application running in an installed/HDD-based configuration (still virtualized in a VirtualBox vmdk file) so I can save and revisit all my PCAP uploads.  Sweet Success!

So that post is coming up next…maybe even later today.  I now need to reproduce/test it on my work XP system…just to be 100% certain the process works.

In the meantime, this humble Linux padawan would deeply value any feedback from the Linux/VirtualBox Jedi Masters on why out of the blue the fsck started complaining about the time since last boot right after setting the system clock (certainly not 249 days!) on these vmdk images…and any solutions for fixing this issue. Now that I can roll my own I’m not really going back, however other users/testers might be curious and run into the same thing. 

From the Google work I was able to do, there may be an issue with the way the VirtualBox BIOS is reporting the actual time/date (or that it can’t get it from the hardware system) to pass on correctly to the virtual system.  Am I the only person running into this issue with the Xplico VirtualBox images?  Surely not as it replicated on different XP hardware systems as well as (finally) my Windows 7 system as well…and despite many installs/uninstalls/reinstalls/fresh-system installs, I have since been unable to get one running again.

I believe that by default, fsck is set to run automatically after x days or y boots.  However, I’m curious why that now always appears, even after a fresh reimport of either Xplico VB appliance.
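The “x days or y boots” rule described above, and the 249-day complaint in the earlier screenshot, both come from two counters that ext2/3/4 keep in the filesystem superblock and that `tune2fs -l` prints as “Mount count” / “Maximum mount count” and “Last checked” / “Check interval”.  The following script is an added example, not code from this post or from the Xplico project: it parses text in the shape of `tune2fs -l` output (the field names are real; the sample values are constructed) and applies the same two triggers, so you can see how a guest whose clock is months off from the superblock’s “Last checked” time trips the interval rule on what is really a freshly built image.

```python
# Added example (not from the post or the Xplico project): reproduce the
# mount-time decision that ext2/3/4 make about a periodic (forced) fsck.
# Field names match what `tune2fs -l` prints; the values below are constructed.
from datetime import datetime, timedelta

# Constructed sample in the shape of `tune2fs -l /dev/sda1` output; only the
# lines this script needs are included.
SAMPLE_TUNE2FS = """\
Filesystem volume name:   <none>
Mount count:              3
Maximum mount count:      30
Last checked:             Wed Jun 30 12:00:00 2010
Check interval:           15552000 (6 months)
"""


def parse_tune2fs(text):
    """Turn 'Key:   value' lines into a dict keyed by the field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_due(fields, now):
    """Return (due, reason) for a mount happening at time `now`.

    `now` is a datetime or an ISO-8601 string in the same local-time
    convention as the 'Last checked' field.  The two triggers are the ones
    e2fsck applies: mount count reaching the maximum, and time since the
    last check reaching the check interval (0 or -1 disables a trigger).
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    mount_count = int(fields["Mount count"])
    max_mounts = int(fields["Maximum mount count"])
    interval_s = int(fields["Check interval"].split()[0])  # seconds
    last = datetime.strptime(fields["Last checked"], "%a %b %d %H:%M:%S %Y")
    elapsed = now - last

    if max_mounts > 0 and mount_count >= max_mounts:
        return True, (f"mount count {mount_count} reached maximum "
                      f"{max_mounts}, check forced")
    if interval_s > 0 and elapsed >= timedelta(seconds=interval_s):
        return True, (f"has gone {elapsed.days} days without being checked "
                      f"(interval {interval_s // 86400} days), check forced")
    if elapsed < timedelta(0):
        # Superblock says the last check is in the future: the guest clock is
        # behind the time the image was built, the same clock problem seen
        # from the other side.
        return False, ("last check is in the future: guest clock is behind "
                       "the superblock time")
    return False, "no check due"


def evaluate(text, now):
    """Convenience wrapper: parse tune2fs-style text and apply check_due."""
    return check_due(parse_tune2fs(text), now)


if __name__ == "__main__":
    # A mount shortly after the image was built versus one where the guest
    # believes it is months later than the superblock's last check.
    for when in ("2010-07-01T12:00:00", "2011-03-05T12:00:00"):
        due, reason = evaluate(SAMPLE_TUNE2FS, when)
        print(f"mount at {when}: due={due} ({reason})")
```

The decision depends entirely on the guest’s idea of “now” compared with the timestamp baked into the image, which is why a wrong guest clock produces the “hasn’t been checked in N days” message regardless of how recently the image was actually built.  On a real system `tune2fs -l <device>` shows these fields, and `tune2fs -c 0 -i 0 <device>` disables both triggers; fixing the clock source the guest reads at boot addresses the cause rather than the symptom.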

Cheers!

Claus V.

1 comment:

Anonymous said...

Hello,

About the fsck problem, we have uploaded today a new version after reading your post (sorry for the inconvenience!). You can download it at Sourceforge. If you have any trouble, you can contact Xplico's development team at forum.xplico.org

Thanks for your analysis.
Carlos.