Results 1 to 3 of 3

Thread: ettercap tcp.src not being triggered

  1. #1
    Just burned his ISO
    Join Date
    Aug 2010

    Default ettercap tcp.src not being triggered

    I needed to do some protocol conversions and thought that ettercap might be able to help however my ettercap filter does not see the source traffic ("tcp.src"). I see the packets fine in wireshark as well in my client application (without the protocol conversions). The following debug msg in the ettercap filter is never encountered:

    if (tcp.src == 80)

    I suspect it may be an issue between iptables & ettercap.

    I have 2 network interfaces setup as a gateway:

            ifconfig at0 up
            ifconfig at0 netmask
            ifconfig at0 mtu 1400
            route add -net netmask gw
            iptables --flush
            iptables --table nat --flush
            iptables --delete-chain
            iptables --table nat --delete-chain
            iptables -P FORWARD ACCEPT
            iptables -t nat -A POSTROUTING -o at0 -j MASQUERADE

    and run ettercap with:
            ettercap -T -q -u -F filter.ef -L ettercap.log -i at0 //
    I have uncommented the redir_command_* lines in etter.conf.

    I have enabled IP forwarding with:
            echo "1" > /proc/sys/net/ipv4/ip_forward
    I have also tried:
            echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter

    Any ideas why ettercap filter tcp.src is not being triggered??

  2. #2
    Good friend of the forums
    Join Date
    Feb 2010

    Default Re: ettercap tcp.src not being triggered

    I never had 100% with ettercap...I am sure its all me ( fragmented packets or some higher math ) but I think yer pose to use crap like Scapy or python etc ..

    some old §hit


  3. #3
    My life is this forum thorin's Avatar
    Join Date
    Jan 2010

    Default Re: ettercap tcp.src not being triggered

    First, I'm confused by your use of the terminology "protocol conversions" without a ton of code or use of an external program/script ettercap does not have the ability to convert one type of traffic to another. Do you simply mean port redirection or something like that? i.e.: Taking traffic (from or to) one port and sending it (to or from) another port? So if it's sourced from 80 you want it to go to say 93, or something like that.....

    I did a quick test (on a generic Ubuntu 10.04.3 box with ettercap NG-0.7.3, since that's what I had handy) based on the following (test.filter):
    if (tcp.src == 80) {
         msg("80 filter");
    user@laptop:~/Desktop$ etterfilter test.filter -o test.ef
    user@laptop:~/Desktop$ sudo ettercap -T -q -F test.ef
    Fired up a browser and hit google and it pop'd just fine. Obviously this isn't ARP poisoned traffic or anything it's just local but as a POC it seems your filter and msg should work....

    You mentioned that you uncommented "redir_command_*" lines in etter.conf, did you fill in the neccesary values? Can you post the lines?
    I'm a compulsive post editor, you might wanna wait until my post has been online for 5-10 mins before quoting it as it will likely change.

    I know I seem harsh in some of my replies. SORRY! But if you're doing something illegal or posting something that seems to be obvious BS I'm going to call you on it.

Similar Threads

  1. ettercap
    By dutch85 in forum OLD Newbie Area
    Replies: 3
    Last Post: 11-27-2009, 05:39 PM
  2. ettercap help!!
    By chaseford in forum OLD Newbie Area
    Replies: 2
    Last Post: 07-29-2009, 06:14 PM
  3. ettercap
    By MaxHalz in forum OLD BackTrack 3 Final
    Replies: 5
    Last Post: 10-01-2008, 10:15 AM
  4. Ettercap IP?
    By musik4u66 in forum OLD Newbie Area
    Replies: 2
    Last Post: 01-07-2008, 09:15 PM
  5. Ettercap, or something like it?
    By RageLtMan in forum OLD Newbie Area
    Replies: 4
    Last Post: 01-03-2008, 08:16 PM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts