From aldeid
This page is still a draft. Thank you for your understanding.


This section/article is being written and is therefore not complete.
Thank you for your understanding.


This will install ettercap-ng 0.7.3:

$ sudo make install ettercap ettercap-gtk






$ ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IPs/PORTs (see the man page for further details).


Sniffing and Attack options

-M, --mitm <METHOD:ARGS>
perform a mitm attack
-o, --only-mitm
don't sniff, only perform the mitm attack
-B, --bridge <IFACE>
use bridged sniff (needs 2 ifaces)
-p, --nopromisc
do not put the iface in promisc mode
-u, --unoffensive
do not forward packets
-r, --read <file>
read data from pcapfile <file>
-f, --pcapfilter <string>
set the pcap filter <string>
-R, --reversed
use reversed TARGET matching
-t, --proto <proto>
sniff only this proto (default is all)

User Interface Type

-T, --text
use text only GUI
-q, --quiet
do not display packet contents
-s, --script <CMD>
issue these commands to the GUI
-C, --curses
use curses GUI
-G, --gtk
use GTK+ GUI
-D, --daemon
daemonize ettercap (no GUI)

Note that the -G option requires the ettercap-gtk package to be installed, not only the ettercap package.

Logging options

-w, --write <file>
write sniffed data to pcapfile <file>
-L, --log <logfile>
log all the traffic to this <logfile>
-l, --log-info <logfile>
log only passive infos to this <logfile>
-m, --log-msg <logfile>
log all the messages to this <logfile>
-c, --compress
use gzip compression on log files

Visualization options

-d, --dns
resolves ip addresses into hostnames
-V, --visual <format>
set the visualization format
-e, --regex <regex>
visualize only packets matching this regex
-E, --ext-headers
print extended header for every pck
-Q, --superquiet
do not display user and password

General options

-i, --iface <iface>
use this network interface
-I, --iflist
show all the network interfaces
-n, --netmask <netmask>
force this <netmask> on iface
-P, --plugin <plugin>
launch this <plugin>
-F, --filter <file>
load the filter <file> (content filter)
-z, --silent
do not perform the initial ARP scan
-j, --load-hosts <file>
load the hosts list from <file>
-k, --save-hosts <file>
save the hosts list to <file>
-W, --wep-key <wkey>
use this wep key to decrypt wifi packets
-a, --config <config>
use the alterative config file <config>

Standard options

-U, --update
updates the databases from ettercap website
-v, --version
prints the version and exit
-h, --help
this help screen


Level 1

  • File
    • open
    • save
    • exit
  • Sniff
    • Unified sniffing
    • Bridged sniffing
    • Set pcap filter
  • Options
    • Unoffensive
    • Promisc mode
    • Set netmask
  • Help
    • Contents

Level 2

  • Start
    • Start sniffing
    • Stop sniffing
    • Exit
  • Targets
    • Current targets
    • Select targets
    • Protocol
    • Reverse matching
    • Wipe targets
  • Hosts
    • Hosts list
    • Scan for hosts
    • Load from file
    • Save to file
  • View
    • Connections
    • Profiles
    • Statistics
    • Resolve IP addresses
    • Visualization method
    • Visualization regex
    • Set the WEP key
  • Mitm
    • Arp poisoning
    • Icmp redirect
    • Port stealing
    • Dhcp spoofing
    • Stop mitm attack(s)
  • Filters
    • Load a filter
    • Stop filtering
  • Logging
    • Log all packets and infos
    • Log only infos
    • Stop logging infos
    • Log user messages
    • Stop logging messages
    • Compressed file
  • Plugins
    • Manage the plugins
    • Load a plugin


Basic sniffing example

With the GUI

This example shows how to perform a MITM attack on a LAN to sniff an FTP password. The attacker is running BackTrack5 and the victim is running Ubuntu 11.10.


With the command line (CLI)

The same example can be carried out from the command line.

First create a file containing the list of hosts (one per line):

  • the router:
  • the victim:
$ cat hosts

Then start ettercap with the following options:

$ sudo ettercap -T -w /tmp/ettercap.session.pcap -i en1 --load-hosts hosts
  • -T selects the text-only interface (CLI)
  • -w writes the sniffed traffic to /tmp/ettercap.session.pcap
  • -i specifies the sniffing interface (en1 is used here)
  • --load-hosts points to our hosts file, which contains the list of hosts to ARP poison.
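
Seen from the defended network, ARP poisoning of the kind described above shows up in a capture as one IP address (typically the router's) being announced by more than one MAC address. The following is an added example, not part of the original page or of ettercap: it reads a classic Ethernet pcap, such as the file that -w writes, and lists every IP claimed by several MACs. The function names, the sample addresses (192.0.2.x documentation range) and the MAC addresses are constructed for illustration.

```python
import struct

def arp_bindings(pcap: bytes):
    """Yield (sender_ip, sender_mac) for each IPv4 ARP packet in a classic pcap."""
    if len(pcap) < 24 or pcap[:4] not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic (microsecond) pcap file")
    e = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # byte order of the file
    if struct.unpack(e + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24                                              # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(e + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        # 14-byte Ethernet header, EtherType 0x0806 = ARP, 28-byte ARP body
        if len(frame) < 42 or frame[12:14] != b"\x08\x06":
            continue
        htype, ptype, hlen, plen = struct.unpack("!HHBB", frame[14:20])
        if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4):
            yield ".".join(map(str, frame[28:32])), frame[22:28].hex(":")

def find_conflicts(pcap: bytes):
    """Return {ip: [macs, in order seen]} for every IP claimed by more than one MAC."""
    seen = {}
    for ip, mac in arp_bindings(pcap):
        if ip != "0.0.0.0" and mac not in seen.setdefault(ip, []):  # skip ARP probes
            seen[ip].append(mac)
    return {ip: macs for ip, macs in seen.items() if len(macs) > 1}

# --- constructed sample capture (documentation addresses, made-up MACs) ---
def sample_arp_reply(mac: str, ip: str, target_ip: str) -> bytes:
    m = bytes.fromhex(mac.replace(":", ""))
    addr = lambda s: bytes(map(int, s.split(".")))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2) + m + addr(ip) + bytes(6) + addr(target_ip)
    return b"\xff" * 6 + m + b"\x08\x06" + arp

def sample_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

SAMPLE = sample_pcap([
    sample_arp_reply("02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),   # router
    sample_arp_reply("02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),   # workstation
    sample_arp_reply("02:00:00:00:00:66", "192.0.2.1", "192.0.2.10"),   # second MAC claims the router IP
])

if __name__ == "__main__":
    print(find_conflicts(SAMPLE))
```

A reported conflict is a lead to investigate rather than proof of poisoning: an address that DHCP reassigned to another machine during the capture produces the same pattern.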