Ettercap filter condition by length of data going. eq to tcp.len in wireshark.
0-0eth0 opened this issue · 4 comments
Hi Team,
I want to know how I can create another condition in the filter below so that it only does the operation if the TCP data length is "123".
if (ip.proto == TCP && tcp.dst == 9338) {
    if (search(DATA.data, "value")) {
        replace("48.574710","49.574710");
        replace("HH","FFO");
        replace("jinay1","attacked");
        replace("Pending","Approved");
        msg("Modified!\n");
    }
}
Maybe you can try tcp.len == 123?
"A TCP segment consists of a segment header and a data section. The segment header contains 10 mandatory fields, and an optional extension field (Options, pink background in table). The data section follows the header and is the payload data carried for the application. The length of the data section is not specified in the segment header; it can be calculated by subtracting the combined length of the segment header and IP header from the total IP datagram length specified in the IP header."
Maybe you can use ip.len and then do some calculation?
Sorry, I forgot that the TCP header does not contain any length information.
#
# IP is at layer 3
# ihl and version are 4 bit each, but we have
# to collate them in a single byte.
#
[ip][3]
ihl_ver:1 = 0
tos:1 = 1
len:2 = 2
id:2 = 4
frags:2 = 6
ttl:1 = 8
proto:1 = 9
csum:2 = 10
src:4 = 12
dst:4 = 16
# IPv6 is at layer 3
# version ,traffic class and flow label are 4 bit and 8 bit and 20 bit, but we have
# to collate them in 4 bytes
#
[ipv6][3]
ver_tc_fl:4 = 0 # Version (4 bit), Traffic Class (8 bit), Flow Label (20 bit)
len:2 = 4 # Payload length
nh:1 = 6 # Next header (a.k.a. proto e.g. TCP, UDP)
hl:1 = 7 # Hop limit (a.k.a. TTL in IPv4)
src:16 = 8
dst:16 = 24
#
# tcp is at layer 4
#
[tcp][4]
src:2 = 0
dst:2 = 2
seq:4 = 4
ack:4 = 8
offset:1 = 12
flags:1 = 13
win:2 = 14
csum:2 = 16
urg:2 = 18
#
# udp is at layer 4
#
[udp][4]
src:2 = 0
dst:2 = 2
len:2 = 4
csum:2 = 6
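
The calculation suggested in the replies above (ip.len minus the IP and TCP header lengths, which is what Wireshark reports as tcp.len), as an added Python example that is not part of the thread or of Ettercap's code. It reads the fields at the byte offsets listed in the table above; `tcp_payload_len`, `make_packet` and the sample addresses are hypothetical names and constructed values.

```python
import struct

def tcp_payload_len(pkt: bytes) -> int:
    """TCP data length (what Wireshark shows as tcp.len) of a raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 header")
    ip_hdr = (pkt[0] & 0x0F) * 4              # ihl_ver:1 = 0, low nibble, in 32-bit words
    # len:2 = 2, id:2 = 4, frags:2 = 6
    ip_len, _ident, frags = struct.unpack_from("!HHH", pkt, 2)
    if pkt[9] != 6:                           # proto:1 = 9, value 6 is TCP
        raise ValueError("not TCP")
    if frags & 0x1FFF:                        # non-first fragment has no TCP header
        raise ValueError("non-first IP fragment")
    # ip_len may be smaller than len(pkt) when the link layer padded the frame
    if ip_hdr < 20 or ip_len > len(pkt) or ip_len < ip_hdr + 20:
        raise ValueError("inconsistent IP lengths")
    tcp_hdr = (pkt[ip_hdr + 12] >> 4) * 4     # offset:1 = 12, high nibble, in 32-bit words
    if tcp_hdr < 20 or ip_hdr + tcp_hdr > ip_len:
        raise ValueError("bad TCP data offset")
    return ip_len - ip_hdr - tcp_hdr

def make_packet(payload: bytes, tcp_opts: bytes = b"", pad: bytes = b"") -> bytes:
    """Constructed sample: IPv4 + TCP to port 9338, checksums left at zero."""
    if len(tcp_opts) % 4:
        raise ValueError("TCP options must be a multiple of 4 bytes")
    tcp_hdr_len = 20 + len(tcp_opts)
    tcp = struct.pack("!HHIIBBHHH", 40000, 9338, 1, 1,
                      (tcp_hdr_len // 4) << 4, 0x18, 65535, 0, 0) + tcp_opts
    total = 20 + tcp_hdr_len + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + payload + pad

if __name__ == "__main__":
    timestamps = bytes([1, 1, 8, 10]) + bytes(8)   # NOP, NOP, TS option (12 bytes)
    print(tcp_payload_len(make_packet(b"A" * 123, tcp_opts=timestamps)))
```

TCP options and link-layer padding change the packet size without changing the data length, which is why a fixed comparison against ip.len alone only works when both header lengths are constant.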