I'm using an Ettercap filter to detect a query response coming back from a particular service on a remote machine. When I see a response from the service, I'm searching through the data in the packet to see if an offset is a specific value, and if so I'm changing the value at another offset.
Trouble is, when I try this on a new virtual machine I built, my Ettercap filter is no longer getting any data in the DATA.data variable available to it.
# Match every TCP segment whose source port is 17867. Note that this also
# matches segments with no payload (e.g. bare ACKs), so "Response seen!" can
# fire even when DATA.data is empty.
if (ip.proto == TCP && tcp.src == 17867) {
   msg("Response seen!\n");
   # Compare the single byte at payload offset 2 with the numeric value 0x01.
   # The original "\0x01" was a string literal (NUL followed by "x01"), which
   # is not the one-byte value intended here.
   if (DATA.data + 2 == 0x01) {
      msg("Flag detected!\n");
      # Overwrite the byte at payload offset 5.
      DATA.data + 5 = 0x09;
   }
}
The filter is getting applied to the traffic, because "Response seen!" messages get printed out by Ettercap. However, "Flag detected!" messages do not. I think DATA.data is indeed empty, because if I change my second "if" statement to check for DATA.data == ""
then the "Flag detected!" message gets printed.
Any ideas why this may be happening?
Also, if this is the wrong site to be asking questions like this, please let me know. I wasn't sure if it fit better here or somewhere like superuser or serverfault.
By the way, this is a cross-post from StackOverflow... I should have posted on this forum instead I think. :)
I had the same problem (ettercap receives null (0x00) characters or 0x20 (the decoded one)). I tried to compile ettercap from source and everything worked fine. Try to log whatever ettercap receives using the log filter function and then see what is received. If it's a bunch of nulls or zeros, your problem is probably like mine! It seems to be some problem in etterfilter or ettercap itself.
Change your ettercap version and it will work (mine did). My problem was in BackTrack 5 R1 and its ettercap. I updated ettercap and everything works fine.
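The following is an added example, not code from the question or the answer above: a small Python model of what the filter is supposed to do, so the offset logic and the "is the payload really empty or just full of NULs?" check from the answer can be exercised offline. It builds a constructed IPv4/TCP packet from source port 17867 (the addresses, sequence numbers and 8-byte payload are made up), extracts the payload the way DATA.data is derived (after the IP header length and the TCP data offset, so options don't shift it), applies the same "byte 2 == 0x01, then set byte 5 to 0x09" rule, and provides a hexdump and a blank-payload test for inspecting what a log() call would have captured. It also handles the case the filter's outer condition does not distinguish: a segment from the right port that carries no payload at all.

```python
import struct

SRC_PORT = 17867  # the service port from the question


def build_packet(payload: bytes, src_port: int = SRC_PORT) -> bytes:
    """Constructed IPv4 + TCP frame around `payload` (checksums left at zero;
    they are irrelevant for parsing). Addresses/seq numbers are made up."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window 8192
    tcp = struct.pack("!HHIIBBHHH",
                      src_port, 40000, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp + payload


def tcp_payload(packet: bytes):
    """Return (src_port, payload) for an IPv4/TCP packet, or None if it is not
    TCP. Honours IHL and the TCP data-offset field, as ettercap does when it
    fills DATA.data, so header options never end up inside the payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 6:            # IP protocol field: 6 == TCP
        return None
    tcp = packet[ihl:]
    src_port = struct.unpack("!H", tcp[:2])[0]
    data_off = (tcp[12] >> 4) * 4
    return src_port, tcp[data_off:]


def apply_filter(packet: bytes):
    """Python equivalent of the etterfilter rules: if the segment comes from
    SRC_PORT and payload byte 2 is 0x01, set payload byte 5 to 0x09.
    Returns (messages, possibly patched packet)."""
    msgs = []
    parsed = tcp_payload(packet)
    if parsed is None:
        return msgs, packet
    src_port, data = parsed
    if src_port != SRC_PORT:
        return msgs, packet
    msgs.append("Response seen!")   # fires for *every* segment from the port
    if not data:
        msgs.append("empty payload (bare ACK or segment without data)")
        return msgs, packet
    if len(data) > 2 and data[2] == 0x01:
        msgs.append("Flag detected!")
        if len(data) > 5:
            buf = bytearray(packet)
            buf[len(packet) - len(data) + 5] = 0x09   # patch in place
            packet = bytes(buf)
    return msgs, packet


def hexdump(data: bytes) -> str:
    """What you would look at after log()-ing DATA.data to a file."""
    lines = []
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {hexpart:<47}  {asc}")
    return "\n".join(lines)


def looks_blank(data: bytes) -> bool:
    """The symptom described in the answer: a non-empty payload consisting
    only of NUL (0x00) or space (0x20) bytes."""
    return len(data) > 0 and set(data) <= {0x00, 0x20}


if __name__ == "__main__":
    for label, payload in [("good", b"\x00\x00\x01\x00\x00\x00\x00\x00"),
                           ("blank", b"\x00" * 8),
                           ("bare ack", b"")]:
        msgs, out = apply_filter(build_packet(payload))
        _, data = tcp_payload(out)
        print(f"[{label}] {msgs}  blank={looks_blank(data)}")
        print(hexdump(data))
```

Run it as a script to see the three cases side by side: the "good" payload trips the flag and comes back with byte 5 rewritten, the all-NUL payload prints "Response seen!" only (exactly the behaviour in the question) and is flagged by `looks_blank`, and the bare ACK shows why `tcp.src == 17867` alone is not proof that any application data reached the filter.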