Hello everyone.

I faced with problem of implementing regular expression filters in ettercap. My research start-point begin from IronGeeks post "Fun with Ettercap Filters". This is quite nice fun filter. It's work fine for my lab...

Next step was improving it to replace not just:
Code:
<img src="image.png">
<IMG SRC="image.png">
but also:
Code:
<img id="32" class="cl1" src="image.png">
To solve this I decide use:
to find patterns: regex(where, regex)
to replace patterns: pcre_regex(where, pcre_regex ... )

Short (and unique) description for this functions I get from: man etterfilter and "Irongeek etterfilter man page"

I'm not good in regular expressions, but after some reading I implement this regular expression:
search pattern: /i/g(<img.*[^>]src=['|"])(.*[^'"])(['|"])
replace pattern:$1NEWImage.png$3


Using web-regular-expression-tester (for example regexter.com) I can successfully convert html.

After all this stuff i decide rewrite filter described in article above, and now it looks like:
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); 
	        msg(".");
   }
}

if (ip.proto == TCP && tcp.src == 80) { 

	if (pcre_regex(DATA.data, "/i/g(<img.*[^>]src=['|\"])(.*[^'\"])(['|\"])", "$1tmp_image.png$3")){			msg("\n---> Perl regexp <---\n");		
	} 
	
}
But filter do not work...
As I can see in log - ettercap say that this works fine
Code:
replace("Accept-Encoding", "Accept-Rubbish!");
but
Code:
pcre_regex(DATA.data, "/i/g(<img.*[^>]src=['|\"])(.*[^'\"])(['|\"])", "$1tmp_image.png$3")
just not found

I will be very appreciated if you can help me!



P.S.

And last, but not least.
My environmnet is:
hp notebook: windows
virtual box: last BT4 prefinal

I'm using ettercamNG 0.7.3 and can successfully poison arp cash of my notebook