Tcpdump not capturing etterfilter actions

[luismartinsez]

Hi Alaxander,

Hope all well

I am having trouble capturing etterfilter actions in tcpdump. Filter is working as should and modifying values in destination, but these actions are not in tcpdump file.

Filter

if(ip.src =='192.168.0.65') { if (tcp.src == 502) { msg("Coming from Server Port 502\n"); if (DATA.data + 2 == "\x00\x00") { msg("Protocol Identifier == 0\n"); if (DATA.data + 7 == "\x02" || DATA.data + 7 == "\x82") { msg("Function Code: Read Discrete Inputs\n - Condensates Polishers down"); DATA.data + 9 = 7; } } }

Tried Wireshark as well without any luck.

I tried ping & http actions on the machine that is visible on tcpdump.

Have you come across similar issues before? or Is there a way to capture pcap file for the above filter?

Thanks

[koeppea]

Have you tried setting the value as a “\x07”? The plain 7 could have been treated as a 0x00000007 (4-byte integer).

[luismartinsez]

Thanks for your response.

There is nothing wrong either with code or etterfilter, script is working fine and updating payload. However, I can't find any etterfilter activities on pcap captured by tcpdump. I tried wireshark as well to capture network traffic, but unable to see any etterfilter activities. I can see all other network activities.

Used some simple codes from https://github.com/Ettercap/ettercap/blob/master/share/etter.filter.examples and tried, but still cannot see any etterfilter activites. Installed Ettercap on different machines (both windows and linux) and tried, but no luck.

Are you able to see etterfilter activities on tcpdump on your network when you run a simple script to update a payload value? Is there any special switch required to record etterfilter actions on tcpdump?

I use these commands:

a. sudo ettercap -T -q -i enx503eaa961cce -F scr1.ef -M ARP /192.168.0.65/ b. tcpdump -i enx503eaa961cce -w test.pcap

[koeppea]

Can you please provide an example packet capture file that matches the condition before the replacement?

[luismartinsez]

Thanks, certainly can do that:

1. values before triggering script.

2. Payload

3. Triggered the following script - sudo ettercap -T -q -i enp0s25 -F attack1.ef -M ARP /192.168.0.65/

if(ip.src =='192.168.0.65') { if (tcp.src == 502) { DATA.data + 11 = "\x00\x00"; msg("PLC 1 Holding Register 1 data replaced"); } }

if(ip.src =='192.168.0.65') { if (tcp.src == 502) { DATA.data + 13 = "\x00\x00"; msg("PLC 1 Holding Register 1 data replaced"); } }

3. Values reset to 0 in 2 & 3

4. Cannot see ettercap actions in attached pcap file

5. Please note machines are connected using a network hub (layer 1 device) so that all devices on the machines are visibile on network capture file.

feb7pcap.zip

[koeppea]

Well the selected packets have the following value at DATA.data+11: \x1e\x26. DATA.data counts from the TCP payload on. So the packet you're looking at, is not matching your filter.

[luismartinsez]

Thanks for your response.

Actually I am trying the experiment on a testbed and not making any changes to the TCP payload (pcap). As explained earlier, script is working "PERFECTLY ALRIGHT" in my scenario. I believe it's action in the network should be captured in tcpdump.

My question - will network traffic capturing utilities like tcpdump or wireshark capture ettercap actions in the network? My several attempts show these utilities are not logging any ettercap actions on the network. Can you try a simple etterfilter script at your end and capture network traffic using tcpdump please? Kindly share the pcap output with me. I want to see how it looks.

[koeppea]

Apparently I think I don't really understand exactly what you mean with "actions in the network".

On the one hand you say "... and not making any changes to the TCP payload", while on the other hand you say ".... are not logging any ettercap actions on the network".

I'm sorry but isn't this contradictory?

Either you change the TCP payload which will be visible in Wireshark OR you don't change any TCP payload which is not visible in Wireshark, as nothing is changed.

[luismartinsez]

My apologies for the confusion. Could you kindly help me to understand the following?

1. Will network traffic capturing utilities like tcpdump or wireshark capture ettercap actions on the network? My several attempts show these network capturing utilities are not logging any ettercap actions on the network.

2. Can you try a simple etterfilter script as follows at your end and capture network traffic using tcpdump please?

some operation on the payload of the packet

if ( DATA.data + 20 == 0x4142 ) { DATA.data + 20 = 0x4243; } else { DATA.data = "modified"; DATA.data + 20 = 0x4445; }

Kindly share the pcap output with me. I want to see how it looks.

[koeppea]

Hi yes and yes I’ll do. But I don’t know yet when I get the time.

[koeppea]

Following modified filter I've tested and worked:

if ( tcp.dst == 80 ) {
    if ( search(DATA.data, "GET") && DATA.data+7 == 0x4142 ) {
        DATA.data + 6 = 0x4243;
        msg("Matched! Data offset 7 modified from \"AB\" to \"BC\"");
    } 
}

The result from parallel running tcpdump:

[...]
22:36:12.716390 IP VM-Ubuntu64.fritz.box.49522 > web-server.fritz.box.http: Flags [P.], seq 1:13, ack 1, win 229, options [nop,nop,TS val 1922676556 ecr 704918609], length 12: HTTP: GET /?ABCD
22:36:12.719468 IP VM-Ubuntu64.fritz.box.49522 > web-server.fritz.box.http: Flags [P.], seq 1:13, ack 1, win 229, options [nop,nop,TS val 1922676556 ecr 704918609], length 12: HTTP: GET /?CBCD
[...]

However, there seem to be an issue with the assignment, where it seem the offset is off by 1 byte. When you run your proposed filter, it matches "AB" from "ABCD" and replaces with "BC" starting at "BC". So it replaced but w/o a visible effect.

I've to check the wrong offset issue.