Ettercap Filters for Packet Alteration

  1. #1
    Junior Member
    Join Date
    Jan 2010
    Posts
    4

    Ettercap Filters for Packet Alteration

    Hi,

    first of all, I want to say hello, since this is my first post.

    I have a question about ETTERCAP.

    I have a network whose integrity must be tested. Some of the tests consist of altering or dropping some packets.
    Any information in the packet could be altered (addresses, checksum, payloads, ...)

    I tried with ETTERCAP filters, and at Layers 3 and 4 they worked really well, since I could modify all the parameters I wanted.

    Now I have a problem at Layer 2. I tried creating a filter that uses the MAC address as the deciding parameter. The filter could be compiled without problems, but when I applied it, it did not filter as desired (even though the conditions were fulfilled).

    Do you know if Ettercap supports Layer 2 filters?

    best regards,
    lupastro

  2. #2
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    Hi lupastro,

    Welcome to AO.

    Would you be opposed to posting the code from your filter? It might be easier for the members to see what is causing the problem.

    Best of luck!

    Westin
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  3. #3
    Junior Member
    Join Date
    Jan 2010
    Posts
    4
    Quote Originally Posted by westin View Post
    Hi lupastro,

    Welcome to AO.

    Would you be opposed to posting the code from your filter? It might be easier for the members to see what is causing the problem.

    Best of luck!

    Westin
    Hi Westin,

    thanks for your answer. My mistake. You are right, here's the example:

    if (ip.src == '192.168.1.1') {
        ip.src = '192.1.168.1';
    }

    This worked. Then I tried:

    if (mac.dst == "11:22:33:44:55:66") {
        mac.dst = "FF:FF:FF:FF:FF:FF";
    }
    if (mac.src == "11:22:33:44:55:66") {
        mac.src = "FF:FF:FF:FF:FF:FF";
    }

    The filter compiled, but did not filter anything, even if the MAC addresses matched (I used a Packet Generator using the given addresses).
    The sniffer on another device detected the 11:22:.... frames without problems, and that's how I realized that ettercap had forwarded the frames, but nothing was manipulated in the frames...
    I know it's a nonsense filter, but it was done only for testing purposes.

    Since ettercap compiled the filters, I supposed it would accept the Layer 2 filtering... that's the reason why I asked.

    thanks again!
    lupastro.
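
Added example, not part of the original posts: a way to make the check described in post #3 (comparing what the packet generator sent with what the sniffer on the other device saw) repeatable. It goes slightly beyond the MAC case and also reports IPv4 address and header-checksum changes; the function names and the sample frames are constructed for illustration.

```python
import struct

def ones_sum(data):
    # One's-complement sum over 16-bit big-endian words (IPv4 header checksum arithmetic).
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse(frame):
    """Ethernet II (optional 802.1Q tag) + IPv4 -> dict of comparable fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    out = {"mac.dst": mac(frame[0:6]), "mac.src": mac(frame[6:12])}
    off = 12
    if frame[off:off + 2] == b"\x81\x00":      # skip one VLAN tag
        off += 4
    etype, off = frame[off:off + 2], off + 2
    ihl = (frame[off] & 0x0F) * 4 if len(frame) > off else 0
    if etype == b"\x08\x00" and ihl >= 20 and len(frame) >= off + ihl:
        hdr = frame[off:off + ihl]
        out["ip.src"] = ".".join(map(str, hdr[12:16]))
        out["ip.dst"] = ".".join(map(str, hdr[16:20]))
        # A valid header sums to 0xFFFF with its checksum field included.
        out["ip.checksum_ok"] = ones_sum(hdr) == 0xFFFF
        off += ihl
    out["payload"] = frame[off:].hex()
    return out

def diff_frames(sent, received):
    """Return {field: (sent_value, received_value)} for every field that differs."""
    a, b = parse(sent), parse(received)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def build(dst, src, ip_src, ip_dst, payload=b"probe"):
    # Constructed test frame: Ethernet II + minimal IPv4 header (protocol 17) + opaque payload.
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0,
                                64, 17, 0, bytes(ip_src), bytes(ip_dst)))
    struct.pack_into("!H", hdr, 10, ~ones_sum(bytes(hdr)) & 0xFFFF)
    eth = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    return eth + b"\x08\x00" + bytes(hdr) + payload

SENT = build("11:22:33:44:55:66", "aa:bb:cc:00:00:01", (192, 168, 1, 1), (192, 168, 1, 2))

if __name__ == "__main__":
    seen = b"\xff" * 6 + SENT[6:]              # constructed: dst MAC rewritten in transit
    for field, (before, after) in diff_frames(SENT, seen).items():
        print(f"{field}: {before} -> {after}")
```

An empty result from diff_frames means the frame passed through unmodified, which is the outcome reported above for the MAC filter.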

  4. #4
    Banned
    Join Date
    Nov 2002
    Posts
    677
    Quote Originally Posted by lupastro View Post
    Do you know if Ettercap supports Layer 2 filters??

    best regards,
    lupastro
    Why don't you stop fvcking with us? You already know the answer you advanced piece of foreign labor.

  5. #5
    Junior Member
    Join Date
    Jan 2010
    Posts
    4
    Quote Originally Posted by Linen0ise View Post
    Why don't you stop fvcking with us? You already know the answer you advanced piece of foreign labor.
    First of all, you ignorant bastard. I am not foreign labor, since I do not live nor work in the US. Actually, I think I would never do it, if everyone was like you. If you knew where I am from, you surely would not even be able to locate it on a map.

    Fortunately I have American friends and I know that not all Americans are as bastards, ignorant and a**holes as you are.

    have fun insulting people
    Last edited by lupastro; January 21st, 2010 at 10:50 AM.

  6. #6
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,188
    I am not sure how picky ettercap is, but the only thing I see right off hand is that you used single quotes above, and double quotes below. Probably wouldn't matter, but you never know.

    Sorry about the insulting post. It looks like that particular user is banned now.
    Last edited by westin; January 21st, 2010 at 11:59 PM.
    "Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

  7. #7
    Junior Member
    Join Date
    Jan 2010
    Posts
    4
    Quote Originally Posted by westin View Post
    I am not sure how picky ettercap is, but the only thing I see right off hand is that you used single quotes above, and double quotes below. Probably wouldn't matter, but you never know.

    Sorry about the insulting post. It looks like that particular user is banned now.

    Hi Westin,

    no problem about the other post...people like that can be found everywhere....whatever..

    You are right about the quotes. The problem is that single quotes are not accepted, since they are only meant to be used with IP addresses. I already tried it, but the filter does not compile.

    The only way it compiles is with double quotes...

    Anyway, thanks for your help :-)

  8. #8
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Lupastro,

    Please accept my apologies............it appears that the former member in question had not taken his medication?

    Westin is a regular guy, and can be implicitly trusted in my opinion...........we have many such people who contribute.........and only a very few who try to spoil things

    I hope that you will continue to visit and hopefully contribute?

    Welcome to AO........ and again the apologies for the appalling manners of some visitors.......

    Cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?
