Hi,
I really don't understand the redirect_command_on directive from etter.conf.
Why do I need it in order to sniff ssl traffic?

In my scenario, there are 3 hosts: source, destination and mitm host where I sniff ssl traffic between source and destination.

I want to arp poisen in order that all the ssl traffic between source and destination gets observed my mitm host. Mitm host has only one Ethernet interface which sniffs and then forwards the traffic to the real destination.

etter.conf:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i eth0 -p tcp --dport %port -j REDIRECT --to-port %rport"


I really don't understand the need for this kind of redirection and what %port and %rport are (based on my scenario).

Thank you for your help

I really don't understand the need for this kind of redirection and what %port and %rport are
You set up ARP poisoning pointing both hosts traffic to your box. Youre impersonating the host, so you also gotta mimick the services it runs (%port = service portnumber). If you didn't redirect traffic to (%rport = internal port Ettercap listens on) Ettercap it wouldn't be able to "read" it. If you don't redirect traffic after inspecting that would mean all responses between hosts would end up in the bitbucket.