Im trying to arp spoof a local network but the /proc/sys/net/ipv4/ip_forward is reverting back to 0 when ettercap is performing subnet scan on a network hub. Even if i change it back to 1 after the subnet scan wireshark doesn't seem to get all http data from the scanned hosts. Majority of the packets that wireshark intercepts are MDNS,ARP,OCSP.
Asked
Active
Viewed 897 times
1 Answers
0
Read the doc man ...
Based on the manpage:
It has two main sniffing options:
UNIFIED, this method sniffs all the packets that pass on the cable. You can choose to put or not the interface in promisc mode (-p option). The packet not directed to the host running ettercap will be forwarded automatically using layer 3 routing. So you can use a mitm attack launched from a different tool and let ettercap modify the packets and forward them for you. The kernel ip_forwarding is always disabled by ettercap. This is done to prevent to forward a packet twice (one by ettercap and one by the kernel). This is an invasive behaviour on gateways. So we recommend you to use ettercap on the gateways ONLY with the UNOFFENSIVE MODE ENABLED. Since ettercap listens only on one network interface, launching it on the gateway in offensive mode will not allow packets to be rerouted back from the second interface.
In short, depending on the mode used, ettercap disable ip forwarding since it forwards packets by itself.
I guess you're probably using the UNIFIED mode ...
binarym
- 744
- 4
- 8