hey there.

i'm almost bald from pulling my hair, when i try to modify an https page via etterfilter. (sorry in advance for bad spelling - i'm no native speaker)

scenario: standart arp mitm attack via ettercap, the ssl dissector is working.

now im trying to write an etterfilter that modifies the ssl stream for example:

if (ip.proto == TCP) {
   if (tcp.src == 443) {
	msg("HTTPS incoming\n");
      if (search(DECODED.data, "bla")) {
	msg("string found\n");
ettercap does inform me of the tcp 443 connection, but doesn't find the string. it doesn't matter if i uses DATA.data or DECODED.data

as the string is not found, i can't replace it either (who would have guessed )

is there any way to get the filters working right with the ssl dissector? etter.filter.examples states it should be possible, when using DECODED.data.
seems it is not.

any guesses?