Thread: Etterfilter Question

  1. #1
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Etterfilter Question

    I don't ask for help often, so here goes...

    I've been testing out 'non-standard' usage of Ettercap with an application idea I have, but have run into a brick wall with something regarding Etterfilters:

    How does one specify a _range_ of IP addresses in an Etterfilter for ip.src?


    As per the documentation:

    "An ip address MUST be enclosed within two single quotes (eg. '192.168.0.7')."

    • My filter works fine with a single IP
    • It doesn't compile when a range is specified in single quotes (such as '1.1.1.0-255' or '1.1.1.0-1.1.1.255')
    • The filter does compile when using double quotes (such as "1.1.1.0-5" and "1.1.1.0-1.1.1.255"), but the filter doesn't actually hit on the IP ranges specified.


    Very basic testing code for the filter:

    Code:
    if (ip.dst == '2.2.2.2' && ip.src == "1.1.1.0-255") {
       msg("Test Succeeded \n");
    }
    The only other idea I have would be to use 256 || operators for the range I'm actually trying to filter, such as

    Code:
    (ip.dst == '2.2.2.2' && ip.src == '1.1.1.1' || ip.src == '1.1.1.2' || ip.src == '1.1.1.3' ...etc
    So there either has to be a correct syntax, or it just doesn't support ranges for the ip.src parameter... can anyone chime in on this?

    Thanks
    dd if=/dev/swc666 of=/dev/wyze

  2. #2
    Good friend of the forums
    Join Date
    Feb 2009
    Posts
    356

    My best guess here would be that ARP does not support ranges. But that is just a guess on Ettercap's functionality. ARP for sure can't understand that.

  3. #3
    Jenkem Addict imported_wyze's Avatar
    Join Date
    Jul 2007
    Posts
    1,543

    Quote: Originally Posted by xorred
    My best guess here would be that ARP does not support ranges. But that is just a guess on Ettercap's functionality. ARP for sure can't understand that.

    For the ARP / TARGET specification, it does support that syntax -- the filter works with 256 || operators as well (I went as far as to include a dozen to test).

    Still doesn't answer the question of the syntax though; I need to further test the < and > when I get a chance, as I did see some preliminary successes with

    Code:
    if (ip.src > '1.1.1.0' || ip.src < '1.1.1.255') {
        // dosomething
    }
    ...but this is most likely not going to work effectively.
    dd if=/dev/swc666 of=/dev/wyze
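
The 256-comparison workaround described in the thread can be generated instead of typed by hand. This is an added example, not code from either poster or from Ettercap; the helper names `expand_range` and `build_filter` are hypothetical, and the nested `if` (used so the `ip.dst` test does not depend on how `&&` and `||` are grouped) is an assumption about what the filter compiler accepts.

```python
import ipaddress


def expand_range(first, last):
    """Return every IPv4 address from first to last (inclusive) as strings."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if lo > hi:
        raise ValueError("range start is above range end")
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)]


def build_filter(dst, first, last, message="Test Succeeded"):
    """Build filter source: one ip.dst test wrapping an || chain of ip.src tests.

    Each address is written in single quotes, as the documentation quoted in
    the thread requires. The nested-if layout is an assumption (see lead-in).
    """
    ipaddress.IPv4Address(dst)  # reject a malformed destination early
    chain = " || ".join(f"ip.src == '{a}'" for a in expand_range(first, last))
    return (
        f"if (ip.dst == '{dst}') {{\n"
        f"   if ({chain}) {{\n"
        f'      msg("{message} \\n");\n'
        f"   }}\n"
        f"}}\n"
    )


if __name__ == "__main__":
    # Constructed sample: the addresses used in the thread's test filter.
    print(build_filter("2.2.2.2", "1.1.1.0", "1.1.1.255"))
```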
