The FTP Password Dissector

The FTP dissector’s goal is to analyze FTP traffic on the network to obtain and display FTP usernames and passwords. The dissector, ec_ftp.c, is located in the src/dissectors directory of the Ettercap source tree. The first few lines of the code use the include directive to include required header files for writing dissectors:

#include <ec.h>
#include <ec_decode.h>
#include <ec_dissect.h>
#include <ec_session.h>

Prototypes for defined functions are declared next. We will discuss these functions in the next few paragraphs.

void ftp_init(void);

The ftp_init( ) function adds an entry into appropriate Ettercap data structures by invoking the dissect_add( ) function:

void _  _init ftp_init(void)
    dissect_add("ftp", APP_LAYER_TCP, 21, dissector_ftp);

Note that the _ _init macro is defined in ec.h as:

#define _ _init _ _attribute_  _ ((constructor))

The _ _attribute_ _((constructor)) directive causes all functions to be invoked before main( ). Therefore, the ftp_init( ) function is automatically invoked when the ettercap executable is run. The dissect_add( ) function should be called by every dissector because it is used to add an entry into dissect_list, a structure used by Ettercap to manage enabled dissectors. The function prototype for dissect_add( ) is:

void dissect_add(char *name, u_int8 level, u_int32 port, FUNC_DECODER_PTR(decoder))

Parameters accepted by dissect_add( ) are described in Table 2-2.

Table 2-2. Parameters for dissect_add( ...

Get Network Security Tools now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.