
Any ideas why Ettercap filters aren't seeing packet data?

Developer https://www.devze.com 2023-02-13 08:54 Source: Internet

I'm using an Ettercap filter to detect a query response coming back from a particular service on a remote machine. When I see a response from the service, I'm searching through the data in the packet to see if an offset is a specific value, and if so I'm changing the value at another offset.

Trouble is, when I try this on a new virtual machine I built, my Ettercap filter is no longer getting any data in the DATA.data variable available to it.

# Match TCP segments coming back from the service's port
if (ip.proto == TCP && tcp.src == 17867) {
  msg("Response seen!\n");

  # Test the byte at payload offset 2 as a byte constant, the same form the
  # assignment below already uses (the original compared it against the
  # string literal "\0x01", which is not a single 0x01 byte)
  if (DATA.data + 2 == 0x01) {
    msg("Flag detected!\n");

    # Rewrite the byte at payload offset 5
    DATA.data + 5 = 0x09;
  }
}

The filter's getting applied to the traffic because "Response seen!" messages get printed out by Ettercap. However, "Flag detected!" messages do not. I think DATA.data is indeed empty because if I change my second "if" statement to check for DATA.data == "" then the "Flag detected!" message gets printed.

Any ideas why this may be happening?!

Also, if this is the wrong site to be asking questions like this, please let me know. I wasn't sure if it fit better here or somewhere like superuser or serverfault.


It could be an encoding problem. For debugging purposes try printing out the value of DATA.data + 2 to see what it actually is and that the length matches.


I had the same problem (Ettercap receives null (0x00) characters or 0x20 (decoded ones)). I tried to compile Ettercap from source and everything works fine. Try to log whatever Ettercap receives using the log filter and then see what is received. If it's a bunch of nulls or zeros, your problem is probably like mine! It seems to be some problem in etterfilter or Ettercap itself.

Change your Ettercap version and it will work (mine did). My problem was in BackTrack 5 R1 and its Ettercap. I updated Ettercap and everything works fine.

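The following is an added Python example, not code from the thread or from Ettercap itself. It models the filter's offset test and rewrite on constructed sample payloads, so the expected response bytes can be checked offline before blaming the filter engine, and it classifies a dump of DATA.data of the kind the second answer describes (nothing but 0x00 or 0x20 bytes). The constants, sample payloads and function names are assumptions for illustration; the note on zero-length string comparisons describes this model, not Ettercap's internals.

```python
"""Offline model of the etterfilter logic in the question.

Added example, not code from the thread or from Ettercap.  The payloads
below are constructed; the offsets and values mirror the filter:

    if (DATA.data + 2 == 0x01) { DATA.data + 5 = 0x09; }
"""
from typing import Tuple

FLAG_OFFSET = 2      # byte tested by the filter (DATA.data + 2)
FLAG_VALUE = 0x01
PATCH_OFFSET = 5     # byte rewritten by the filter (DATA.data + 5)
PATCH_VALUE = 0x09


def apply_filter(payload: bytes) -> Tuple[bytes, bool]:
    """Return (payload after the filter, whether the flag matched).

    An offset past the end of the payload never matches, so an empty
    DATA.data can never satisfy the offset test, whatever value is used.
    """
    if len(payload) <= max(FLAG_OFFSET, PATCH_OFFSET):
        return payload, False
    if payload[FLAG_OFFSET] != FLAG_VALUE:
        return payload, False
    patched = bytearray(payload)
    patched[PATCH_OFFSET] = PATCH_VALUE
    return bytes(patched), True


def matches_at(payload: bytes, offset: int, literal: bytes) -> bool:
    """Model of a string comparison at an offset (DATA.data + N == "...").

    Assumption of this model: the comparison covers exactly len(literal)
    bytes.  Under that assumption a zero-length literal such as "" matches
    every packet, so a DATA.data == "" test succeeding does not by itself
    prove that the buffer is empty.
    """
    if offset < 0 or offset + len(literal) > len(payload):
        return False
    return payload[offset:offset + len(literal)] == literal


def classify_dump(data: bytes) -> str:
    """Classify a dump of what the filter engine handed to DATA.data.

    "all-null" / "null-or-space" is the symptom the second answer describes
    for a broken Ettercap build; "real-data" means the engine is seeing the
    payload and the offset test itself needs review.
    """
    if not data:
        return "empty"
    if all(b == 0x00 for b in data):
        return "all-null"
    if all(b in (0x00, 0x20) for b in data):
        return "null-or-space"
    return "real-data"


if __name__ == "__main__":
    # Constructed sample response: byte 2 is the flag, byte 5 gets patched.
    sample = b"\x02\x00\x01\x00\x00\x07\x00"
    out, hit = apply_filter(sample)
    print(hit, out.hex())                        # True 02000100000900
    print(matches_at(sample, 0, b""))            # True (vacuous match)
    print(classify_dump(b"\x00" * len(sample)))  # all-null
```

To produce a real dump for classify_dump, add a log(DATA.data, "/tmp/resp.log") call inside the tcp.src branch of the filter, recompile it with etterfilter and load it with ettercap -F; a file that classifies as all-null or null-or-space points at the build rather than at the offset test.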