The find_tcp_conn Plug-in

To establish a TCP connection with a remote host, the source host sends a TCP packet with the SYN flag set to the remote host. If the remote host is listening on the requested port, it responds with a TCP packet with both the SYN and ACK flags set. The source host then sends a TCP packet with the ACK flag set to complete the connection. This sequence is known as the three-way TCP handshake. Therefore, to detect new TCP connections between hosts, our plug-in has to analyze the network traffic for TCP packets that have the SYN flag set. Note that the server's SYN/ACK reply also carries the SYN flag, so a plug-in that wants to report each attempt only once should look for packets with SYN set and ACK clear, which is the first segment of the handshake. The find_tcp_conn plug-in described in the following paragraphs analyzes TCP packets for the SYN flag, and when it finds one it alerts the Ettercap user that a host on the network is attempting to establish a new TCP connection with another host.

The find_tcp_conn plug-in alerts the Ettercap user whenever a TCP packet with the SYN flag set is captured, regardless of whether the server host ever responds to the connection attempt. This also makes the plug-in useful for noticing a SYN port scan: a scanner sends a bare SYN to each probed port and never completes the handshake, so a burst of alerts from a single source against many different ports on one host is the signature to watch for.
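The two checks described above, classifying a captured segment as the opening SYN of a handshake and then noticing when one source sends bare SYNs to many different ports, can be written as a small, self-contained routine. The C code below is an added example for this page and is not the source of the find_tcp_conn plug-in or any other Ettercap code; it parses a raw IPv4/TCP packet from a byte buffer instead of using Ettercap's packet structures, and the table sizes, the SCAN_THRESHOLD of 10 distinct ports, the 10.0.0.x addresses and the port numbers are assumptions chosen for the example. The test packets are constructed in the code, not captured traffic.

```c
#include <stdint.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header. */
#define TCP_SYN 0x02
#define TCP_ACK 0x10
struct tcp_info { uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; uint8_t flags; };

/* Parse a raw IPv4 packet (no link-layer header) into the TCP 4-tuple and flags.
 * Returns 1 on success, 0 if the buffer is too short or not IPv4/TCP. Every offset
 * is bounds-checked first: trusting the IHL field of a hostile packet reads past
 * the end of the capture buffer. */
int parse_ipv4_tcp(const uint8_t *pkt, size_t len, struct tcp_info *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;                 /* IP header length in bytes */
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return 0;  /* protocol 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    out->src_ip   = (uint32_t)pkt[12] << 24 | (uint32_t)pkt[13] << 16 | (uint32_t)pkt[14] << 8 | pkt[15];
    out->dst_ip   = (uint32_t)pkt[16] << 24 | (uint32_t)pkt[17] << 16 | (uint32_t)pkt[18] << 8 | pkt[19];
    out->src_port = (uint16_t)(tcp[0] << 8 | tcp[1]);
    out->dst_port = (uint16_t)(tcp[2] << 8 | tcp[3]);
    out->flags    = tcp[13];
    return 1;
}

/* A client's opening SYN has SYN set and ACK clear. The server's SYN/ACK also has
 * SYN set, so testing the SYN bit alone would report every handshake twice. */
int is_connection_attempt(const struct tcp_info *t)
{
    return (t->flags & (TCP_SYN | TCP_ACK)) == TCP_SYN;
}

/* Per-source tally of distinct destination ports hit with bare SYNs: one source
 * probing many ports is the SYN-scan signature. Sizes and threshold are assumed. */
#define MAX_SOURCES    16
#define MAX_PORTS      64
#define SCAN_THRESHOLD 10
struct source_entry { uint32_t ip; uint16_t ports[MAX_PORTS]; int nports; };
struct scan_tracker { struct source_entry src[MAX_SOURCES]; int nsrc; };

/* Feed one parsed packet; returns 1 once the source has hit SCAN_THRESHOLD or more
 * distinct ports, 0 otherwise (including for every non-SYN segment). */
int track_syn(struct scan_tracker *tr, const struct tcp_info *t)
{
    if (!is_connection_attempt(t)) return 0;
    struct source_entry *e = NULL;
    for (int i = 0; i < tr->nsrc; i++)
        if (tr->src[i].ip == t->src_ip) { e = &tr->src[i]; break; }
    if (!e) {
        if (tr->nsrc == MAX_SOURCES) return 0;    /* table full: drop rather than overflow */
        e = &tr->src[tr->nsrc++];
        e->ip = t->src_ip; e->nports = 0;
    }
    for (int i = 0; i < e->nports; i++)
        if (e->ports[i] == t->dst_port) return 0; /* retry to a known port: no new signal */
    if (e->nports < MAX_PORTS) e->ports[e->nports++] = t->dst_port;
    return e->nports >= SCAN_THRESHOLD;
}

/* Build a minimal 40-byte IPv4+TCP segment (constructed test input, not captured
 * traffic). Checksums stay zero because the parser above does not verify them. */
size_t build_tcp_packet(uint8_t *buf, uint32_t sip, uint32_t dip,
                        uint16_t sport, uint16_t dport, uint8_t flags)
{
    memset(buf, 0, 40);
    buf[0] = 0x45; buf[3] = 40; buf[8] = 64; buf[9] = 6;   /* v4, IHL 5; len; TTL; TCP */
    for (int i = 0; i < 4; i++) {
        buf[12 + i] = (uint8_t)(sip >> (24 - 8 * i));
        buf[16 + i] = (uint8_t)(dip >> (24 - 8 * i));
    }
    buf[20] = (uint8_t)(sport >> 8); buf[21] = (uint8_t)sport;
    buf[22] = (uint8_t)(dport >> 8); buf[23] = (uint8_t)dport;
    buf[32] = 0x50; buf[33] = flags;                        /* data offset = 5 words; flags */
    return 40;
}

/* Build, parse and classify one segment with the given flags: 1 = connection
 * attempt, 0 = any other TCP segment, -1 = parse failure. */
int demo_packet(uint8_t flags)
{
    uint8_t buf[40]; struct tcp_info t;
    size_t n = build_tcp_packet(buf, 0x0A000001, 0x0A000002, 40000, 80, flags);
    return parse_ipv4_tcp(buf, n, &t) ? is_connection_attempt(&t) : -1;
}

/* Feed `count` bare SYNs from 10.0.0.1 to 10.0.0.2, either sweeping ports 1..count
 * (a scan) or hitting port 80 every time (a retrying client). Returns the 1-based
 * index of the first packet that raised the scan alert, or 0 if none did. */
int simulate_syns(int count, int same_port)
{
    struct scan_tracker tr = {0};
    uint8_t buf[40]; struct tcp_info t;
    for (int i = 1; i <= count; i++) {
        uint16_t dport = same_port ? 80 : (uint16_t)i;
        size_t n = build_tcp_packet(buf, 0x0A000001, 0x0A000002, 40000, dport, TCP_SYN);
        if (parse_ipv4_tcp(buf, n, &t) && track_syn(&tr, &t)) return i;
    }
    return 0;
}
```

Calling `demo_packet(TCP_SYN)` returns 1 while `demo_packet(TCP_SYN | TCP_ACK)` returns 0, which is the difference between the page's "alert on SYN" rule and the once-per-handshake rule. `simulate_syns(12, 0)` reports the sweep at the tenth packet, whereas `simulate_syns(12, 1)`, a client retrying one port, never trips the threshold. In a real plug-in the tracker would also need to age entries out, otherwise a long-lived capture eventually flags any busy client.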

Warning

The find_tcp_conn plug-in will not detect new TCP connections between other hosts when the host running Ettercap is connected to a network switch, because a switch forwards a unicast frame only to the port on which it learned the destination MAC address, so the SYN packets of other hosts never reach Ettercap's interface. Therefore, the find_tcp_conn plug-in will detect SYN packets from other hosts only when the host running Ettercap is on a network hub, or when Ettercap is instructed to perform ...
