We've seen just how powerful Ettercap is out of the box. Where Ettercap really shines is its content filtering engine and its ability to run custom scripts: a filter is compiled and loaded into Ettercap, which then evaluates it against every packet it handles. Ettercap already makes man-in-the-middle attacks a no-brainer; with filters, the same Kali box running Ettercap becomes, for instance, a rudimentary IDS, or even an IPS, since a filter can drop what it matches. Imagine the combined power of our bridged sniffing attack and custom filters written to inspect packets and act on them: logging them, dropping them, or even modifying them in transit.
Let's look at a basic example to whet our appetite. You'll immediately notice the C-like syntax and the similarity to Wireshark display filters. There's a lot of conceptual overlap here; a pattern you work out while analyzing traffic in Wireshark often translates directly into a powerful Ettercap filter:
    if (ip.proto == TCP) {
        if (tcp.src == 80 || tcp.dst == 80) {
            msg("HTTP traffic detected.\n");
        }
    }
Translated into plain English, this says: test whether the IP protocol is...
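To show the full workflow end to end, here is an added example, not code from the original text: a filter that logs HTTP requests (observe), rewrites HTTP responses in transit (modify) and drops telnet packets (block), together with the etterfilter compile step and the bridged Ettercap invocation. The interface names eth0 and eth1, the log path under /tmp, and the strings being rewritten are all assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original text): write an Ettercap filter source,
# compile it with etterfilter, and load it into a bridged Ettercap session.
# Assumed: interfaces eth0/eth1, the log path, and the strings being rewritten.

FILTER_SRC="${FILTER_SRC:-/tmp/http-ids.ecf}"
FILTER_BIN="${FILTER_BIN:-/tmp/http-ids.ef}"

# Write the filter source to $1. Three blocks, three kinds of action:
# observe/log (IDS), rewrite in transit, and drop (IPS).
write_filter() {
    cat > "$1" <<'EOF'
# --- observe: HTTP requests to port 80 ---
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "GET ")) {
        msg("HTTP GET seen\n");
        log(DATA.data, "/tmp/http-requests.log");
    }
    # Ask the server for an uncompressed body: replace() cannot match
    # inside a gzip-encoded response. Same-length swap, so no TCP
    # length adjustment is needed for this one.
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
    }
}

# --- modify: HTTP responses from port 80 ---
if (ip.proto == TCP && tcp.src == 80) {
    if (search(DATA.data, "<title>")) {
        replace("<title>", "<title>[filtered] ");
        msg("HTTP title rewritten\n");
    }
}

# --- block: anything to the telnet port ---
if (ip.proto == TCP && tcp.dst == 23) {
    msg("telnet packet dropped\n");
    drop();
}
EOF
}

# Compile the source ($1) into the binary filter ($2); etterfilter rejects
# syntax errors here rather than at run time.
compile_filter() {
    etterfilter "$1" -o "$2"
}

# Text UI, quiet, bridging interfaces $2 and $3, with compiled filter $1
# applied to every packet that crosses the bridge.
run_bridged() {
    ettercap -T -q -i "$2" -B "$3" -F "$1"
}

# Usage (ettercap needs root):
#   write_filter "$FILTER_SRC" && compile_filter "$FILTER_SRC" "$FILTER_BIN"
#   run_bridged "$FILTER_BIN" eth0 eth1
```

Two practical caveats. First, matching on port 80 tells you a packet is headed for a web server's port, not that it is HTTP; the search() on the payload is what gives the filter some confidence about the protocol. Second, keep rewrites small: Ettercap adjusts TCP sequence numbers when a replacement changes the payload length, but it does not rewrite the HTTP Content-Length header, so a response that grows can be truncated by the client.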