Any ideas why Ettercap filters aren't seeing packet data?

Posted by Bryan on Server Fault
Published on 2011-02-24T18:13:07Z Indexed on 2011/03/17 16:12 UTC


I'm using an Ettercap filter to detect a query response coming back from a particular service on a remote machine. When I see a response from the service, I'm searching through the data in the packet to see if an offset is a specific value, and if so I'm changing the value at another offset.

Trouble is, when I try this on a new virtual machine I built, my Ettercap filter is no longer getting any data in the DATA.data variable that is available to it.

if (ip.proto == TCP && tcp.src == 17867) {
  msg("Response seen!\n");

  # etterfilter string literals take C-style escapes: "\x01" is the single
  # byte 0x01, whereas "\0x01" is a NUL byte followed by the characters x, 0, 1.
  if (DATA.data + 2 == "\x01") {
    msg("Flag detected!\n");

    # rewrite the byte at offset 5 of the payload
    DATA.data + 5 = 0x09;
  }
}

The filter's getting applied to the traffic because "Response seen!" messages get printed out by Ettercap. However, "Flag detected!" messages do not. I think DATA.data is indeed empty because if I change my second "if" statement to check for DATA.data == "", then the "Flag detected!" message gets printed.

Any ideas why this may be happening?!

Also, if this is the wrong site to be asking questions like this, please let me know. I wasn't sure if it fit better here or somewhere like superuser or serverfault.

By the way, this is a cross-post from StackOverflow... I should have posted on this forum instead I think. :)

© Server Fault or respective owner
