ARP poisoning not working #914
ettercap version: 0.8.2
Using Wireshark I can sniff all packages via my Ethernet port (enxa0cec8066e9e), everything works as expected.
I get the warning:
and the error:
I really appreciate any help on why this doesn't work and what the warning means.
The second warning lets me assume you're located in a dual-stack environment running IPv6 with IPv4 in parallel. The warning itself is just an experience from the past. So you'd set this to 0:
Since ARP acts between IP and Ethernet, poisoning an ARP cache relies on the IP information given that it should poison. Since you're apparently in an environment where IPv6 is also active, you'd consider doing ND poisoning similarly, because ARP is limited to IPv4 only. And also the ip6tables commands to redirect IPv6 SSL traffic accordingly.
Thanks for your help. After doing these steps it worked.
The IPv6 part was not needed, the network only supports IPv4, so explicitly giving ettercap the IPv4 addresses was enough.
Where can I look up what these letters at the end stand for? Stuff like:
The verbose output (can be toggled by hitting ) shows the relevant TCP-related information. The letters stand for the various flags like S for SYN, A for ACK and F for FIN.
Reg. dissecting the packet capture file, it's heavily dependent on the network analysis software. E.g. Wireshark shows pure Bytes In Flight segments as TCP. Only if a set of segments compose a complete TLS message, Wireshark shows these finalizing packets as a TLS packet.
However, you don't see the decrypted packets' content though. Ettercap currently dumps only the raw packet arriving. This isn't yet supported by Ettercap. You can only inspect the content by detailing the connection in the connections list. For that, the use of the graphical interface is recommended.
Closing the issue since the actual issue is fixed.