
Ettercap filter condition by length of data going (equivalent to tcp.len in Wireshark) #1224

Open
0-0eth0 opened this issue May 18, 2023 · 4 comments

Comments

@0-0eth0

0-0eth0 commented May 18, 2023

Hi Team,
I want to know how I can create another condition in the filter below so that it only does the operation if the TCP data length is "123".

```
if (ip.proto == TCP && tcp.dst == 9338) {
    if (search(DATA.data, "value")) {
        replace("48.574710", "49.574710");
        replace("HH", "FFO");
        replace("jinay1", "attacked");
        replace("Pending", "Approved");
        msg("Modified!\n");
    }
}
```

@LocutusOfBorg
Contributor

Maybe you can try tcp.len == 123?

@0-0eth0
Author

0-0eth0 commented May 22, 2023 via email

@LocutusOfBorg
Contributor

"A TCP segment consists of a segment header and a data section. The segment header contains 10 mandatory fields, and an optional extension field (Options, pink background in table). The data section follows the header and is the payload data carried for the application. The length of the data section is not specified in the segment header; it can be calculated by subtracting the combined length of the segment header and IP header from the total IP datagram length specified in the IP header."

@LocutusOfBorg
Contributor

Maybe you can use ip.len and then do some calculation?
Sorry, I forgot that the TCP header does not contain any length information.

```
#
# IP is at layer 3
# ihl and version are 4 bit each, but we have
# to collate them in a single byte.
#
[ip][3]
   ihl_ver:1 = 0
   tos:1 = 1
   len:2 = 2
   id:2 = 4
   frags:2 = 6
   ttl:1 = 8
   proto:1 = 9
   csum:2 = 10
   src:4 = 12
   dst:4 = 16

#
# IPv6 is at layer 3
# version, traffic class and flow label are 4 bit, 8 bit and 20 bit, but we have
# to collate them in 4 bytes
#
[ipv6][3]
   ver_tc_fl:4 = 0         # Version (4 bit), Traffic Class (8 bit), Flow Label (20 bit)
   len:2 = 4               # Payload length
   nh:1 = 6                # Next header (a.k.a. proto e.g. TCP, UDP)
   hl:1 = 7                # Hop limit (a.k.a. TTL in IPv4)
   src:16 = 8
   dst:16 = 24

#
# tcp is at layer 4
#
[tcp][4]
   src:2 = 0
   dst:2 = 2
   seq:4 = 4
   ack:4 = 8
   offset:1 = 12
   flags:1 = 13
   win:2 = 14
   csum:2 = 16
   urg:2 = 18

#
# udp is at layer 4
#
[udp][4]
   src:2 = 0
   dst:2 = 2
   len:2 = 4
   csum:2 = 6
```

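The calculation the two comments above describe (IP total length minus IP header minus TCP header, which is the value Wireshark shows as tcp.len), carried out on raw packet bytes as an added Python example. This is not code from the thread or from ettercap: it reads the fields at the offsets listed in the etterfilter table above and evaluates the condition the issue asks for (destination port 9338, exactly 123 data bytes). The packet builders, the addresses, the port and length values and the MSS option are constructed test inputs; the IPv6 path assumes no extension headers.

```python
import struct

# Field offsets taken from the etterfilter table quoted above.
IP_LEN_OFF = 2        # [ip] len:2 = 2    -> total datagram length, IP header included
IP_PROTO_OFF = 9      # [ip] proto:1 = 9
IPV6_LEN_OFF = 4      # [ipv6] len:2 = 4  -> payload length, 40-byte fixed header excluded
IPV6_NH_OFF = 6       # [ipv6] nh:1 = 6
TCP_DST_OFF = 2       # [tcp] dst:2 = 2
TCP_OFFSET_OFF = 12   # [tcp] offset:1 = 12 -> header length in 32-bit words, high nibble
PROTO_TCP = 6


def _locate_tcp(packet: bytes):
    """Return (offset of the TCP header, number of bytes after the IP header).

    Raises ValueError for anything that is not plain IPv4/IPv6 carrying TCP.
    Assumption: IPv6 packets carry no extension headers, i.e. the next-header
    byte of the fixed header is already TCP.
    """
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if packet[IP_PROTO_OFF] != PROTO_TCP:
            raise ValueError("IPv4 packet does not carry TCP")
        total_len = struct.unpack_from("!H", packet, IP_LEN_OFF)[0]
        # ip.len counts the IP header itself, so subtract it to get what TCP sees.
        return ihl, total_len - ihl
    if version == 6:
        if packet[IPV6_NH_OFF] != PROTO_TCP:
            raise ValueError("IPv6 packet is not plain TCP (extension headers unsupported)")
        payload_len = struct.unpack_from("!H", packet, IPV6_LEN_OFF)[0]
        return 40, payload_len
    raise ValueError("not an IP packet")


def tcp_payload_len(packet: bytes) -> int:
    """Wireshark's tcp.len: TCP data bytes, excluding both the IP and the TCP header."""
    tcp_start, l3_payload_len = _locate_tcp(packet)
    tcp_hdr_len = (packet[tcp_start + TCP_OFFSET_OFF] >> 4) * 4
    return l3_payload_len - tcp_hdr_len


def tcp_dst_port(packet: bytes) -> int:
    tcp_start, _ = _locate_tcp(packet)
    return struct.unpack_from("!H", packet, tcp_start + TCP_DST_OFF)[0]


def matches_filter(packet: bytes, dport: int = 9338, wanted_len: int = 123) -> bool:
    """The condition asked for in the issue: TCP to `dport` with exactly `wanted_len` data bytes."""
    try:
        return tcp_dst_port(packet) == dport and tcp_payload_len(packet) == wanted_len
    except (ValueError, IndexError):
        return False


# --- constructed test packets, not real captures ------------------------------

def _tcp_header(dport: int, options: bytes) -> bytes:
    opts = options + b"\x00" * (-len(options) % 4)  # options are padded to 32-bit words
    hdr_len = 20 + len(opts)
    return struct.pack("!HHIIBBHHH",
                       40000, dport, 1, 1,
                       (hdr_len // 4) << 4,  # data offset nibble
                       0x18,                 # PSH|ACK
                       65535, 0, 0) + opts


def build_ipv4_tcp(payload: bytes, dport: int = 9338, options: bytes = b"") -> bytes:
    tcp = _tcp_header(dport, options)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + payload


def build_ipv6_tcp(payload: bytes, dport: int = 9338, options: bytes = b"") -> bytes:
    tcp = _tcp_header(dport, options)
    ip6 = struct.pack("!IHBB16s16s",
                      0x60000000, len(tcp) + len(payload), PROTO_TCP, 64,
                      b"\xfd" + b"\x00" * 14 + b"\x01", b"\xfd" + b"\x00" * 14 + b"\x02")
    return ip6 + tcp + payload


if __name__ == "__main__":
    MSS = b"\x02\x04\x05\xb4"  # a 4-byte TCP option, so the TCP header grows to 24 bytes
    for name, pkt in [
        ("ipv4, no options", build_ipv4_tcp(b"A" * 123)),
        ("ipv4, MSS option", build_ipv4_tcp(b"A" * 123, options=MSS)),
        ("ipv6",             build_ipv6_tcp(b"A" * 123)),
        ("ipv4, 122 bytes",  build_ipv4_tcp(b"A" * 122)),
    ]:
        print(f"{name:18} tcp.len={tcp_payload_len(pkt):3}  matches={matches_filter(pkt)}")
```

The two things that go wrong when only ip.len is compared are visible in the cases above: ip.len includes the IP header, and the TCP header length varies with options, so a fixed threshold on ip.len alone matches a different data length as soon as either header changes size. The thread does not establish whether etterfilter can express this subtraction in a condition, so the example shows the arithmetic itself rather than claiming a particular filter syntax.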