Provided by: ettercap-common_0.7.3-2.1ubuntu2_i386 bug


       etterfilter  NG-0.7.3  - Filter compiler for ettercap content filtering


       etterfilter [OPTIONS] FILE


       The etterfilter utility is used to compile  source  filter  files  into
       binary  filter  files that can be interpreted by the JIT interpreter in
       the ettercap(8) filter engine. You have to compile your filter  scripts
       in  order  to  use  them  in  ettercap. All syntax/parse errors will be
       checked at compile time, so you will  be  sure  to  produce  a  correct
       binary filter for ettercap.


       -o, --output <FILE>
              you  can  specify  the  output file for a source filter file. By
              default the output is filter.ef.

       -t, --test <FILE>
              you can  analyze  a  compiled  filter  file  with  this  option.
              etterfilter  will  print  in  a  human  readable  form  all  the
              instructions contained in it. It is a sort of "disassembler" for
              binary filter files.

       -d, --debug
              prints  some  debug messages during the compilation. Use it more
              than once to increase the debug level ( etterfilter -ddd ... ).

       -w, --suppress-warnings
              Don't exit on warnings.  With  this  option  the  compiler  will
              compile the script even if it contains warnings.


       -v, --version
              Print the version and exit.

       -h, --help
              prints  the  help  screen  with a short summary of the available

              A  script  is  a  compound  of  instructions.  It  is   executed
              sequentially and you can make branches with the 'if' statements.
              'if' and 'if/else' statements are the only supported.  No  loops
              are  implemented.  The  syntax is almost like C code except that
              you have to put 'if' blocks into graph parentheses '{' '}', even
              if they contain only one instruction.

              NOTE:  you have to put a space between the 'if' and the '('. You
              must not put the space between the function name and the '('.

              if (conditions) { }

              The conditions for an 'if' statement can be either functions  or
              comparisons.  Two or more conditions can be linked together with
              logical operators like OR '||' and AND '&&'.

              if (tcp.src == 21 && search(, "ettercap")) {

              Pay attention  to  the  operator  precedence.   You  cannot  use
              parentheses  to  group conditions, so be careful with the order.
              An AND at the beginning of a conditions block will  exclude  all
              the  other  tests  if  it  is evaluated as false. The parsing is
              left-to-right, when an operator is found: if it is  an  AND  and
              the  previous condition is false, all the statement is evaluated
              as false; if it is an  OR  the  parsing  goes  on  even  if  the
              condition is false.

              if (ip.proto == UDP || ip.proto == TCP && tcp.src == 80) {

              if (ip.proto == TCP && tcp.src == 80 || ip.proto == UDP) {

              the  former  condition  will  match all udp or http traffic. The
              latter is wrong, because if the packet is  not  tcp,  the  whole
              condition block will be evaluated as false.  If you want to make
              complex conditions, the best way is to split  them  into  nested
              'if' blocks.

              Every instruction in a block must end with a semicolon ';'.

              Comparisons  are  implemented  with the '==' operator and can be
              used to compare numbers, strings or ip addresses. An ip  address
              MUST  be  enclosed within two single quotes (eg. '').
              You can also use the 'less than' ('<'),  'greater  than'  ('>'),
              'less  or equal' ('<=') and 'greater or equal' ('>=') operators.
              The lvalue of a comparison must be an offset (see later)

              if ( + 20 == "ettercap" && ip.ttl > 16) {

              Assignments are implemented with the '=' operator and the lvalue
              can  be  an  offset  (see later). The rvalue can be a string, an
              integer or a hexadecimal value.

              ip.ttl = 0xff;
     + 7 = "ettercap NG";

              You can also use the 'inc' and 'dec' operations  on  the  packet
              fields.  The operators used are '+=' and '-='. The rvalue can be
              an integer or a hexadecimal value.

              ip.ttl += 5;

              An offset is identified by a virtual pointer. In short words, an
              offset is a pointer to the packet buffer. The virtual pointer is
              a tuple <L, O, S>, where L is the iso/osi level, O is the offset
              in that level and S is the size of the virtual pointer.  You can
              make algebraic operations on a virtual pointer and the result is
              still  an  offset.  Specifying  'vp  +  n'  will result in a new
              virtual pointer <L, O+n, S>.  And this is  perfectly  legal,  we
              have changed the internal offset of that level.

              Virtual  pointers  are  in  the  form 'name.field.subfield'. For
              example 'ip.ttl' is the virtual pointer for  the  Time  To  Live
              field  in  the  IP  header of a packet. It will be translated as
              <L=3, O=9, S=1>. Indeed it is the 9th byte of level  3  and  its
              size is 1 byte. 'ip.ttl + 1' is the same as 'ip.proto' since the
              10th byte of the IP header is the protocol encapsulated  in  the
              IP packet.

              The  list  of  all  supported  virtual  pointers  is in the file
              etterfilter.tbl. You can add your own virtual pointers by adding
              a  new  table  or  modifying  the  existing  ones.  Refer to the
              comments at  the  beginning  of  the  file  for  the  syntax  of
              etterfilter.tbl file.


       search(where, what)
              this  function searches the string 'what' in the buffer 'where'.
              The buffer can be either or  The  former
              is  the  payload  at  layer  DATA  (ontop  TCP  or UDP) as it is
              transmitted  on  the   wire,   the   latter   is   the   payload
              decoded/decrypted by dissectors.
              So,  if you want to search in an SSH connection, it is better to
              use '' since 'data' will be encrypted.
              The string 'what' can be binary. You have to escape it.

              search(, "\x41\x42\x43")

       regex(where, regex)
              this function will return true if the 'regex'  has  matched  the
              buffer  'where'.   The  considerations  about '' and
              '' mentioned for the function 'search' are the same for
              the regex function.

              NOTE: regex can be used only against a string buffer.

              regex(, ".*login.*")

       pcre_regex(where, pcre_regex ... )
              this   function   will   evaluate   a  perl  compatible  regular
              expression. You can match against both DATA and DECODED, but  if
              your  expression  modifies the buffer, it makes sense to operate
              only on DATA. The function accepts 2 or 3  parameters  depending
              on  the  operation you want. The two parameter form is used only
              to match a pattern. The three parameter form means that you want
              to  make  a substitution. In both cases, the second parameter is
              the search string.
              You can use $n in the replacement string. These placeholders are
              referred  to  the  groups  created  in  the search string. (e.g.
              pcre_regex(,    "^var1=([:digit:]*)&var2=([:digit:]*)",
              "var1=$2&var2=$1") will swap the value of var1 and var2).
              NOTE:  The  pcre  support  is  optional  in ettercap and will be
              enabled only if you have the libpcre  installed.   The  compiler
              will  warn you if you try to compile a filter that contains pcre
              expressions but you don't have libpcre. Use  the  -w  option  to
              suppress the warning.

              pcre_regex(, ".*foo$")
              pcre_regex(, "([^ ]*) bar ([^ ]*)", "foo $1 $2")

       replace(what, with)
              this function replaces the string 'what' with the string 'with'.
              They can be binary string and must be escaped.  The  replacement
              is always performed in since is the only payload which
              gets  forwarded.  The  ''  buffer   is   used   only
              internally and never reaches the wire.

              replace("ethercap", "ettercap")

              this  function  injects the content of the file 'what' after the
              packet being processed. It always injects in You  can
              use  it  to  replace the entire packet with a fake one using the
              drop() function right before the inject() command.  In that case
              the filtering engine will drop the current packet and inject the
              fake one.


       log(what, where)
              this function dumps in the file 'where' the  buffer  'what'.  No
              information  is  stored  about  the  packet, only the payload is
              dumped. So you will see the stream in the file. If you  want  to
              log  packets  in  a  more  enhanced  mode,  you  need to use the
              ettercap -L option and analyze it with etterlog(8).
              The file 'where' must  be  writable  to  the  user  EC_UID  (see

              log(, "/tmp/interesting.log")

              this  function  displays  a  message  to  the  user  in the User
              Messages window. It is useful to let the  user  know  whether  a
              particular filter has been successful or not.

              msg("Packet filtered successfully")

       drop() this  function marks the packet "to be dropped". The packet will
              not be forwarded to the real destination.


       kill() this function kills the connection that owns the matched packet.
              If  it  is  a TCP connection, a RST is sent to both sides of the
              connection. If it is an UDP connection, an ICMP PORT UNREACHABLE
              is sent to the source of the packet.


              this  function executes a shell command. You have to provide the
              full path to the  command  since  it  is  executed  without  any
              environment.  There  is  no  way to determine if the command was
              successful or not. Furthermore, it  is  executed  asynchronously
              since it is forked by the main process.

              exec("/bin/cat /tmp/foo >> /tmp/bar")

       exit() this  function  causes  the  filter engine to stop executing the
              code. It is useful to stop the execution of the script  on  some
              circumstance checked by an 'if' statement.



       Here are some examples of using etterfilter.

       etterfilter filter.ecf -o filter.ef

              Compiles the source filter.ecf into a binary filter.ef


       Alberto Ornaghi (ALoR) <>
       Marco Valleri (NaGA) <>


       ettercap(8)      etterlog(8)      etter.conf(5)      ettercap_curses(8)