ettercap tcp.src not being triggered

[JodiBosa]

I needed to do some protocol conversions and thought that ettercap might be able to help however my ettercap filter does not see the source traffic ("tcp.src"). I see the packets fine in wireshark as well in my client application (without the protocol conversions). The following debug msg in the ettercap filter is never encountered:

Code:

if (tcp.src == 80)
{
        msg("tcp.src==80");
}

I suspect it may be an issue between iptables & ettercap.


I have 2 network interfaces setup as a gateway:

Code:

        ifconfig at0 up
        ifconfig at0 10.0.0.1 netmask 255.255.255.0
        ifconfig at0 mtu 1400
        route add -net 10.0.0.0 netmask 255.255.255.0 gw 10.0.0.1


        iptables --flush
        iptables --table nat --flush
        iptables --delete-chain
        iptables --table nat --delete-chain
        iptables -P FORWARD ACCEPT
        iptables -t nat -A POSTROUTING -o at0 -j MASQUERADE

and run ettercap with:

Code:

        ettercap -T -q -u -F filter.ef -L ettercap.log -i at0 //

I have uncommented the redir_command_* lines in etter.conf.

I have enabled IP forwarding with:

Code:

        echo "1" > /proc/sys/net/ipv4/ip_forward

I have also tried:

Code:

        echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter

Any ideas why ettercap filter tcp.src is not being triggered??

[opreat0r]

I never had 100% with ettercap...I am sure its all me ( fragmented packets or some higher math ) but I think yer pose to use crap like Scapy or python etc ..

some old §hit

Code:

http://rmccurdy.com/scripts/etterfilter.html
http://rmccurdy.com/scripts/etterfilter2.html

[thorin]

First, I'm confused by your use of the terminology "protocol conversions" without a ton of code or use of an external program/script ettercap does not have the ability to convert one type of traffic to another. Do you simply mean port redirection or something like that? i.e.: Taking traffic (from or to) one port and sending it (to or from) another port? So if it's sourced from 80 you want it to go to say 93, or something like that.....

I did a quick test (on a generic Ubuntu 10.04.3 box with ettercap NG-0.7.3, since that's what I had handy) based on the following (test.filter):

Code:

if (tcp.src == 80) {
     msg("80 filter");
}

Code:

user@laptop:~/Desktop$ etterfilter test.filter -o test.ef

user@laptop:~/Desktop$ sudo ettercap -T -q -F test.ef

Fired up a browser and hit google and it pop'd just fine. Obviously this isn't ARP poisoned traffic or anything it's just local but as a POC it seems your filter and msg should work....

You mentioned that you uncommented "redir_command_*" lines in etter.conf, did you fill in the neccesary values? Can you post the lines?