Question

I can't use ettercap filters. I'm writing even the most simple filter I can think of:

if (ip.proto == TCP){
    msg("Ran Filter\n");
}

But even that doesn't work. When I compile it using etterfilter and run:

sudo ettercap -F /tmp/filter.ef -T -M arp -i wlan1 /192.168.1.6/ //

the msg is not printed. With the packet visualization I do see TCP packets, but the filter seems to just not be working, even though ettercap says "Content filters loaded from /tmp/filter.ef".

To solve this I've tried enabling ip_forward, and I've tried deleting the "#" sign in /etc/etter.conf so it will use iptables for its redir_command (lines 168-169).

I've also tried putting it on askubuntu.com

https://askubuntu.com/questions/251866/ettercap-filtering-doesnt-work

Do you know how to make filtering work?

I'm using ettercap NG-0.7.4.2 on Ubuntu 12.10


Solution

Finally found the answer. The problem is because of a bug in ettercap! From the man page:

You can also load a script  without enabling it by appending :0 to the filename

And from the code:

/* enable a loaded filter script? */
uint8_t f_enabled = 0;
/* is there a :0 or :1 appended to the filename? */
if ( (opt_end-optarg >=2) && *(opt_end-2) == ':' ) {
        *(opt_end-2) = '\0';
        f_enabled = !( *(opt_end-1) == '0' );
}

As you can see from the code, and as opposed to what the man page says, you must append ":1" to the filter's file name in order for it to be loaded. Otherwise, the filter is not used.

So why did it only happen to me? That is because I'm using version 0.7.4.2, which is the version downloaded when I apt-get install ettercap on my Ubuntu. That is opposed to the ettercap website, stating that "The latest Ettercap release is: 0.7.4.1".

A patch that solves the bug was sent to the ettercap developers.
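
As an added example (not ettercap's own code and not the patch mentioned in the answer), the C program below wraps the quoted suffix-parsing logic in a function and runs it with both defaults: 0, as in the quoted snippet, and 1, as the man page describes. The helper names, the sample arguments and the assumption that opt_end points at the end of the argument are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Parse a -F argument of the form "file", "file:0" or "file:1".
 * The suffix, if present, is stripped from arg in place.
 * default_enabled is the state used when no suffix is given:
 *   0 reproduces the snippet quoted in the answer,
 *   1 gives the behaviour the man page documents.
 */
static uint8_t parse_filter_arg(char *arg, uint8_t default_enabled)
{
    /* Assumption: opt_end points at the terminating NUL of the argument. */
    char *opt_end = arg + strlen(arg);
    uint8_t f_enabled = default_enabled;

    /* is there a :0 or :1 appended to the filename? */
    if ((opt_end - arg >= 2) && *(opt_end - 2) == ':') {
        *(opt_end - 2) = '\0';
        f_enabled = !(*(opt_end - 1) == '0');
    }
    return f_enabled;
}

/* Copy a constructed sample into a writable buffer and parse it. */
static uint8_t check(const char *s, uint8_t default_enabled)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", s);
    return parse_filter_arg(buf, default_enabled);
}

int main(void)
{
    /* Constructed sample arguments. */
    const char *samples[] = {
        "/tmp/filter.ef", "/tmp/filter.ef:1", "/tmp/filter.ef:0"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s quoted default: %u   man-page default: %u\n",
               samples[i], check(samples[i], 0), check(samples[i], 1));
    return 0;
}
```

With the quoted default, only the argument ending in ":1" comes back enabled, which matches the behaviour described in the answer.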

Licensed under: CC-BY-SA with attribution