Man Linux: Main Page and Category List


       ettercap  NG-0.7.3  -  A multipurpose sniffer/content filter for man in
       the middle attacks

***** IMPORTANT NOTE ******

       Since ettercap NG (formerly 0.7.0), all the options have been  changed.
       Even  the  target specification has been changed. Please read carefully
       this man page.


       ettercap [OPTIONS] [TARGET1] [TARGET2]

       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /,40,50/20,22,25)


       Ettercap  was  born  as  a sniffer for switched LAN (and obviously even
       "hubbed" ones), but during the development process it has  gained  more
       and  more features that have changed it to a powerful and flexible tool
       for  man-in-the-middle  attacks.   It  supports  active   and   passive
       dissection  of  many  protocols  (even ciphered ones) and includes many
       features for network and host analysis (such as OS fingerprint).

       It has two main sniffing options:

       UNIFIED, this method sniffs all the packets that pass on the cable. You
       can choose to put or not the interface in promisc mode (-p option). The
       packet not directed to the host  running  ettercap  will  be  forwarded
       automatically  using  layer  3  routing.  So  you can use a mitm attack
       launched from a different tool and let ettercap modify the packets  and
       forward them for you.
       The  kernel  ip_forwarding is always disabled by ettercap. This is done
       to prevent to forward a packet twice (one by ettercap and  one  by  the
       kernel).   This  is  an invasive behaviour on gateways. So we recommend
       you to use ettercap on the gateways  ONLY  with  the  UNOFFENSIVE  MODE
       ENABLED.   Since  ettercap  listens  only  on  one  network  interface,
       launching it on the gateway in offensive mode will not allow packets to
       be rerouted back from the second interface.

       BRIDGED,  it  uses  two network interfaces and forward the traffic from
       one to the other while performing sniffing and content filtering.  This
       sniffing  method is totally stealthy since there is no way to find that
       someone is in the middle on the cable.  You can look at this method  as
       a  mitm  attack  at  layer  1.  You  will be in the middle of the cable
       between two entities. Don’t use it on gateways  or  it  will  transform
       your  gateway  into  a  bridge. HINT: you can use the content filtering
       engine to drop packets that should not pass.  This  way  ettercap  will
       work as an inline IPS ;)

       You  can also perform man in the middle attacks while using the unified
       sniffing. You can choose the mitm attack  that  you  prefer.  The  mitm
       attack  module  is independent from the sniffing and filtering process,
       so you can launch several attacks at the same time or use your own tool
       for the attack. The crucial point is that the packets have to arrive to
       ettercap with the correct mac address and a different ip address  (only
       these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1  support  :  you  can sniff User and Pass, and even the data of an
       SSH1 connection. ettercap is the first software capable to sniff an SSH
       connection in FULL-DUPLEX

       SSL  support  : you can sniff SSL secured data... a fake certificate is
       presented to the client and the session is decrypted.

       Characters injection in an established  connection  :  you  can  inject
       characters  to  the  server  (emulating  commands)  or  to  the  client
       (emulating replies) maintaining the connection alive !!

       Packet filtering/dropping: You can set up a filter script that searches
       for  a  particular  string  (even  hex)  in  the TCP or UDP payload and
       replace it with yours or drop the entire packet. The  filtering  engine
       can  match  any  field of the network protocols and modify whatever you
       want (see etterfilter(8)).

       Remote traffic sniffing through tunnels and  route  mangling:  You  can
       play with linux cooked interfaces or use the integrated plugin to sniff
       tunneled or route-mangled remote connections and perform  mitm  attacks
       on them.

       Plug-ins  support : You can create your own plugin using the ettercap’s

       Password collector for : TELNET, FTP,  POP,  RLOGIN,  SSH1,  ICQ,  SMB,
       LDAP, NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols  coming

       Passive OS fingerprint: you scan passively the lan (without sending any
       packet) and gather detailed info about the hosts in the LAN:  Operating
       System,  running  services,  open  ports,  IP,  mac address and network
       adapter vendor.

       Kill a connection: from the connections  list  you  can  kill  all  the
       connections you want


       There is no concept of SOURCE nor DEST. The two targets are intended to
       filter traffic coming from one to the other and vice-versa  (since  the
       connection is bidirectional).

       TARGET  is  in  the form MAC/IPs/PORTs. If you want you can omit any of
       its parts and this will represent an ANY in that part.
       "//80" means ANY mac address, ANY ip and ONLY port 80
       "/" means ANY mac address, ONLY ip and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs is a range of IP in dotted notation. You can specify range with the
       - (hyphen) and single ip with , (comma). You can also use ; (semicolon)
       to indicate different ip addresses.
       ";" expands  into  ip,  2,  3,  4,  5  and

       PORTs  is  a  range of PORTS. You can specify range with the - (hyphen)
       and single port with , (comma).
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       you can reverse the matching of the TARGET by adding the -R  option  to
       the  command  line. So if you want to sniff ALL the traffic BUT the one
       coming or going to you can specify "./ettercap -R /"

       TARGETs are also responsible of the initial scan of the  lan.  You  can
       use  them  to  restrict  the  scan to only a subset of the hosts in the
       netmask. The result of the merging between  the  two  targets  will  be
       scanned.  remember  that not specifying a target means "no target", but
       specifying "//" means "all the hosts in the subnet.


       ettercap needs root privileges to open the Link  Layer  sockets.  After
       the  initialization  phase,  the  root privs are not needed anymore, so
       ettercap drops them to UID = 65535  (nobody).  Since  ettercap  has  to
       write  (create)  log files, it must be executed in a directory with the
       right permissions (e.g.  /tmp/).  If  you  want  to  drop  privs  to  a
       different  uid, you can export the environment variable EC_UID with the
       value of  the  uid  you  want  to  drop  the  privs  to  (e.g.   export
       EC_UID=500) or set the correct parameter in the etter.conf file.


       While performing the SSL mitm attack, ettercap substitutes the real ssl
       certificate with its own. The fake certificate is created  on  the  fly
       and  all  the fields are filled according to the real cert presented by
       the server. Only the issuer is modified and signed with the private key
       contained  in  the ’etter.sll.crt’ file. If you want to use a different
       private key you have to regenerate this file. To  regenerate  the  cert
       file use the following commands:

       openssl genrsa -out etter.ssl.crt 1024
       openssl req -new -key etter.ssl.crt -out tmp.csr
       openssl  x509  -req  -days 1825 -in tmp.csr -signkey etter.ssl.crt -out
       cat >> etter.ssl.crt
       rm -f tmp.csr NOTE: SSL mitm is  not  available  (for  now)  in
       bridged mode.


       Options  that  make  sense together can generally be combined. ettercap
       will warn the user about unsupported option combinations.


       ettercap NG has a  new  unified  sniffing  method.  This  implies  that
       ip_forwarding  in  the  kernel is always disabled and the forwarding is
       done by ettercap. Every packet with destination mac  address  equal  to
       the host’s mac address and destination ip address different for the one
       bound to the iface will be forwarded  by  ettercap.  Before  forwarding
       them, ettercap can content filter, sniff, log or drop them. It does not
       matter how these packets are hijacked, ettercap will process them.  You
       can even use external programs to hijack packet.
       You  have full control of what ettercap should receive. You can use the
       internal mitm attacks, set the interface in promisc mode,  use  plugins
       or use every method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable
       the ip_forwarding after you have killed ettercap. Since ettercap  drops
       its privileges, it cannot restore the ip_forwarding for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option will activate the man in the middle attack. The mimt
              attack is totally independent from the sniffing. The aim of  the
              attack  is  to hijack packets and redirect them to ettercap. The
              sniffing engine will forward them if necessary.
              You can choose the mitm attack that you prefer and also  combine
              some of them to perform different attacks at the same time.
              If  a  mitm method requires some parameters you can specify them
              after the colon.  (e.g.  -M dhcp:ip_pool,netmask,etc )

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack. ARP
                     requests/replies  are sent to the victims to poison their
                     ARP cache. Once the cache has been poisoned  the  victims
                     will send all packets to the attacker which, in turn, can
                     modify and forward them to the real destination.

                     In silent mode (-z  option)  only  the  first  target  is
                     selected, if you want to poison multiple target in silent
                     mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     ’ANY’  (all  the  hosts  in  the LAN). The target list is
                     joined with the hosts list (created by the arp scan)  and
                     the  result  is  used  to  determine  the  victims of the

                     The parameter  "remote"  is  optional  and  you  have  to
                     specify  it  if  you  want  to  sniff  remote  ip address
                     poisoning a gateway. Indeed if you specify a  victim  and
                     the   gw   in  the  TARGETS,  ettercap  will  sniff  only
                     connection between them, but to enable ettercap to  sniff
                     connections  that  pass thru the gw, you have to use this

                     The parameter "oneway" will force ettercap to poison only
                     from  TARGET1  to  TARGET2.  Useful if you want to poison
                     only the client and not the router (where an arp  watcher
                     can be in place).


                     the targets are: / /
                     and   the  host  list  is:

                     the associations between the victims will be:
                     1 and 16, 1 and 18, 3 and 16, 3 and 18

                     if the targets overlap each other, the  association  with
                     identical ip address will be skipped.

                     NOTE:  if  you manage to poison a client, you have to set
                     correct routing table in the kernel specifying the GW. If
                     your  routing  table  is  incorrect, the poisoned clients
                     will not be able to navigate the Internet.

              icmp (MAC/IP)
                     This attack  implements  ICMP  redirection.  It  sends  a
                     spoofed  icmp  redirect  message  to the hosts in the lan
                     pretending  to  be  a  better  route  for  internet.  All
                     connections   to  internet  will  be  redirected  to  the
                     attacker which, in turn, will forward them  to  the  real
                     gateway. The resulting attack is a HALF-DUPLEX mitm. Only
                     the client is redirected,  since  the  gateway  will  not
                     accept   redirect   messages  for  a  directly  connected
                     network. BE SURE TO  NOT  USE  FILTERS  THAT  MODIFY  THE
                     PAYLOAD  LENGTH.  you can use a filter to modify packets,
                     but the length must be the same since the  tcp  sequences
                     cannot be updated in both ways.
                     You  have  to pass as argument the MAC and the IP address
                     of the real gateway for the lan.
                     Obviously you have to be able to sniff all  the  traffic.
                     If  you  are on a switch you have to use a different mitm
                     attack such as arp poisoning.

                     NOTE: to restrict the  redirection  to  a  given  target,
                     specify it as a TARGET


                     -M icmp:00:11:22:33:44:55/

                     will  redirect  all  the  connections that pass thru that

              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be a
                     DHCP  server and tries to win the race condition with the
                     real one to force the client  to  accept  the  attacker’s
                     reply.  This  way  ettercap  is able to manipulate the GW
                     parameter and hijack all the outgoing  traffic  generated
                     by the clients.
                     The resulting attack is a HALF-DUPLEX mitm. So be sure to
                     use appropriate filters (see above in the ICMP  section).

                     You  have to pass the ip pool to be used, the netmask and
                     the ip of the dns server.  Since ettercap  tries  to  win
                     the  race  with the real server, it DOES NOT CHECK if the
                     ip is already assigned. You have to specify an ip pool of
                     FREE  addresses to be used. The ip pool has the same form
                     of the target specification.

                     If the client sends a  dhcp  request  (suggesting  an  ip
                     address) ettercap will ack on that ip and modify only the
                     gw option. If the client makes a dhcp discovery, ettercap
                     will use the first unused ip address of the list you have
                     specified on command line. Every discovery consumes an ip
                     address.  When  the list is over, ettercap stops offering
                     new ip addresses and will reply only to dhcp requests.
                     If you don’t want to  offer  any  ip  address,  but  only
                     change  the  router  information of dhcp request/ack, you
                     can specify an empty ip_pool.

                     BIG WARNING: if you specify a list of ip that are in use,
                     you  will  mess your network! In general, use this attack
                     carefully. It can really mess things up!  When  you  stop
                     the  attack, all the victims will be still convinced that
                     ettercap is the gateway until the lease expires...


                     -M dhcp:,35,50-60/
                     reply to DHCP offer and request.

                     -M dhcp:/
                     reply only to DHCP request.

              port ([remote],[tree])
                     This attack implements Port Stealing. This  technique  is
                     useful  to  sniff  in  a  switched  environment  when ARP
                     poisoning is not  effective  (for  example  where  static
                     mapped ARPs are used).

                     It  floods  the  LAN (based on port_steal_delay option in
                     etter.conf) with ARP packets. If you  don’t  specify  the
                     "tree"  option,  the  destination  MAC  address  of  each
                     "stealing" packet is  the  same  as  the  attacker’s  one
                     (other  NICs  won’t  see  these  packets), the source MAC
                     address will be one of the MACs in the  host  list.  This
                     process  "steals"  the switch port of each victim host in
                     the host list.  Using low  delays,  packets  destined  to
                     "stolen"  MAC addresses will be received by the attacker,
                     winning the race condition  with  the  real  port  owner.
                     When the attacker receives packets for "stolen" hosts, it
                     stops the flooding process and performs  an  ARP  request
                     for the real destination of the packet.  When it receives
                     the ARP reply it’s sure that the victim has "taken  back"
                     his  port,  so  ettercap  can  re-send  the packet to the
                     destination as is.  Now  we  can  re-start  the  flooding
                     process waiting for new packets.

                     If you use the "tree" option, the destination MAC address
                     of each stealing packet will be a  bogus  one,  so  these
                     packets  will  be  propagated to other switches (not only
                     the directly connected one). This way you will be able to
                     steal  ports  on other switches in the tree (if any), but
                     you will generate a huge amount of traffic (according  to
                     port_steal_delay).   The  "remote"  option  has  the same
                     meaning as in "arp" mitm method.

                     When you stop the  attack,  ettercap  will  send  an  ARP
                     request  to  each  stolen  host  giving back their switch
                     You can perform either HALF or FULL DUPLEX mitm according
                     to target selection.

                     NOTE: Use this mitm method only on ethernet switches. Use
                     it carefully,  it  could  produce  performances  loss  or
                     general havoc.

                     NOTE:  You  can NOT use this method in only-mitm mode (-o
                     flag), because it hooks  the  sniffing  engine,  and  you
                     can’t use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction with
                     other mitm methods.

                     NOTE: This  mitm  method  doesn’t  work  on  Solaris  and
                     Windows  because  of the lipcap and libnet design and the
                     lack of certain ioctl().  (We will feature this method on
                     these OSes if someone will request it...)


                     The targets are: / /
                     You will intercept and visualize traffic between
                     and, but you will receive all the  traffic  for
            and too.

                     The target is: /
                     You  will  intercept  and  visualize  all the traffic for

       -o, --only-mitm
              This options disables the sniffing thread and enables  only  the
              mitm attack.  Useful if you want to use ettercap to perform mitm
              attacks and another sniffer (such  as  ethereal)  to  sniff  the
              traffic.  Keep  in  mind  that  the packets are not forwarded by
              ettercap. The kernel will be  responsible  for  the  forwarding.
              Remember to activate the "ip forwarding" feature in your kernel.

       -f, --pcapfilter <FILTER>
              Set a capturing filter in the pcap library. The  format  is  the
              same  as  tcpdump(1). Remember that this kind of filter will not
              sniff packets out of the wire, so if you want to perform a  mitm
              attack, ettercap will not be able to forward hijacked packets.
              These  filters  are  useful  to decrease the network load impact
              into ettercap decoding module.

       -B, --bridge <IFACE>
              BRIDGED sniffing
              You need two network interfaces. ettercap will forward form  one
              to  the  other  all the traffic it sees. It is useful for man in
              the middle at the physical layer. It is totally  stealthy  since
              it  is  passive  and  there  is  no  way  for an user to see the
              You can content filter all the traffic as you were a transparent
              proxy for the "cable".


       -r, --read <FILE>
              OFF LINE sniffing
              With  this  option  enabled,  ettercap will sniff packets from a
              pcap compatible file instead of capturing from the wire.
              This is useful if  you  have  a  file  dumped  from  tcpdump  or
              ethereal  and you want to make an analysis (search for passwords
              or passive fingerprint) on it.
              Obviously you cannot use "active"  sniffing  (arp  poisoning  or
              bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packet to a pcap file
              This is useful if you have to use "active" sniffing (arp poison)
              on a switched LAN but you  want  to  analyze  the  packets  with
              tcpdump or ethereal. You can use this option to dump the packets
              to a file and then load it into your favourite application.

              NOTE: dump file collect ALL the packets disregarding the TARGET.
              This  is  done  because  you  may want to log even protocols not
              supported by ettercap, so you can analyze them with other tools.

              TIP:  you  can use the -w option in conjunction with the -r one.
              This way you will be able to filter the payload  of  the  dumped
              packets  or  decrypt WEP-encrypted WiFi traffic and dump them to
              another file.


       -T, --text
              The text only interface, only printf ;)
              It is quite interactive, press ’h’ in every moment to  get  help
              on what you can do.

       -q, --quiet
              Quiet  mode. It can be used only in conjunction with the console
              interface. It does not print packet content. It is useful if you
              want to convert pcap file to ettercap log files.


              ettercap -Tq -L dumpfile -r pcapfile

       -s, --script <COMMANDS>
              With this option you can feed ettercap with command as they were
              typed on the keyboard by the user. This way you can use ettercap
              within  your  favourite  scripts. There is a special command you
              can issue thru this command: s(x). this command will sleep for x


              ettercap -T -s ’lq’  will print the list of the hosts and exit
              ettercap  -T  -s  ’s(300)olqq’   will  collect  the  infos for 5
              minutes, print the list of the local profiles and exit

       -C, --curses
              Ncurses  based  GUI.   See   ettercap_curses(8)   for   a   full

       -G, --gtk
              The nice GTK2 interface (thanks Daten...).

       -D, --daemonize
              Daemonize  ettercap.  This  option will detach ettercap from the
              current controlling terminal and set it as  a  daemon.  You  can
              combine  this  feature  with  the  "log"  option  to log all the
              traffic in the background. If the daemon fails for  any  reason,
              it will create the file "./ettercap_daemonized.log" in which the
              error caught by ettercap will be reported. Furthermore,  if  you
              want  to  have  a  complete debug of the daemon process, you are
              encouraged to recompile ettercap in debug mode.


       -i, --iface <IFACE>
              Use this <IFACE> instead of the default one. The  interface  can
              be unconfigured (requires libnet >= 1.1.2), but in this case you
              cannot use MITM attacks and you should set the unoffensive flag.

       -I, --iflist
              This  option  will  print  the  list  of  all  available network
              interfaces that can be  used  within  ettercap.  The  option  is
              particulary   usefull  under  windows  where  the  name  of  the
              interface is not so obvious as under *nix.

       -n, --netmask <NETMASK>
              Use this <NETMASK>  instead  of  the  one  associated  with  the
              current iface. This option is useful if you have the NIC with an
              associated netmask of class B and you want to scan (with the arp
              scan) only a class C.

       -R, --reversed
              Reverse   the   matching  in  the  TARGET  selection.  It  means
              not(TARGET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This is useful if you want to  select  a  port  via  the  TARGET
              specification  but you want to differentiate between tcp or udp.
              PROTO can be "tcp", "udp" or "all" for both.

       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE: you will not have the hosts list, so  you  can’t  use  the
              multipoison  feature.   you can only select two hosts for an ARP
              poisoning attack, specifying them through the TARGETs

       -p, --nopromisc
              Usually, ettercap will put the  interface  in  promisc  mode  to
              sniff  all  the  traffic  on the wire. If you want to sniff only
              your connections, use this flag to NOT enable the promisc  mode.

       -u, --unoffensive
              Every  time  ettercap  starts,  it disables ip forwarding in the
              kernel and begins to forward packets itself. This option prevent
              to  do  that,  so the responsibility of ip forwarding is left to
              the kernel.
              This options is useful if you  want  to  run  multiple  ettercap
              instances.  You  will  have one instance (the one without the -u
              option) forwarding the packets,  and  all  the  other  instances
              doing their work without forwarding them. Otherwise you will get
              packet duplicates.
              It also disables the internal creation of the sessions for  each
              connection.  It increases performances, but you will not be able
              to modify packets on the fly.
              If you want to use a mitm attack you  have  to  use  a  separate
              You  have  to  use  this option if the interface is unconfigured
              (without an ip address.)
              This is also useful if you want to run ettercap on the  gateway.
              It  will  not  disable  the  forwarding  and  the  gateway  will
              correctly route the packets.

       -j, --load-hosts <FILENAME>
              It can be used to load a hosts list from a file created  by  the
              -k option. (see below)

       -k, --save-hosts <FILENAME>
              Saves  the hosts list to a file. Useful when you have many hosts
              and you don’t want to do an ARP storm at startup  any  time  you
              use  ettercap.  Simply  use  this options and dump the list to a
              file, then to load the information from it use the -j <filename>

       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need target specification,
              use TARGET as always.
              In console mode (-C option), standalone plugins are executed and
              then  the  application exits. Hook plugins are activated and the
              normal sniffing is performed.
              To have a list of the  available  external  plugins  use  "list"
              (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the interfaces
              (always press "h" to get the inline help)

              More detailed info about plugins and about how to write your own
              are found in the man page ettercap_plugin(8)

       -F, --filter <FILE>
              Load  the  filter  from  the  file  <FILE>.  The  filter must be
              compiled with  etterfilter(8).  The  utility  will  compile  the
              filter  script  and  produce an ettercap-compliant binary filter
              file. Read the etterfilter(8) man page for the list of functions
              you can use inside a filter script.
              NOTE:   these   filters   are  different  from  those  set  with
              --pcapfilter. An ettercap filter is a  content  filter  and  can
              modify the payload of a packet before forwarding it. Pcap filter
              are used to capture only certain packets.
              NOTE: you can use filters on pcapfile to modify them and save to
              another file, but in this case you have to pay attention on what
              you are doing, since ettercap will  not  recalculate  checksums,
              nor  split packets exceeding the mtu (snaplen) nor anything like

       -W, --wep-key <KEY>
              You can specify a WEP key to  decrypt  WiFi  packets.  Only  the
              packets  decrypted  successfully  will be passed to the decoders
              stack, the others will be skipped with a message.
              The parameter has the following syntax: N:T:KEY. Where N is  the
              bit length of the wep key (64, 128 or 256), T is the type of the
              string (’s’ for string and ’p’ for passphrase).  KEY  can  be  a
              string or an escaped hex sequences.

              --wep-key 128:p:secret
              --wep-key 128:s:ettercapwep0
              --wep-key ’64:s:\x01\x02\x03\x04\x05’

       -a, --config <CONFIG>
              Loads  an  alternative  config  file  instead  of the default in
              /etc/etter.conf.  This is useful if you have many  preconfigured
              files for different situations.


       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This  option  is  useful  in  conjunction  with -L. It logs only
              packets that match the posix regex REGEX.
              It impacts even the visualization of the sniffed packets. If  it
              is set only packets matching the regex will be displayed.

       -V, --visual <FORMAT>
              Use  this option to set the visualization method for the packets
              to be displayed.

              FORMAT may be one of the following:

              hex    Print the packets in hex format.


                     the string  "HTTP/1.1 304 Not Modified"  becomes:

                     0000: 4854 5450 2f31 2e31 2033 3034 204e  6f74   HTTP/1.1
                     304 Not
                     0010: 204d 6f64 6966 6965 64                    Modified

              ascii  Print   only   "printable"  characters,  the  others  are
                     displayed as dots ’.’

              text   Print  only  the  "printable"  characters  and  skip  the

              ebcdic Convert an EBCDIC text to ASCII.

              html   Strip  all  the  html  tags from the text. A tag is every
                     string between < and >.


                     <title>This  is  the  title</title>,  but  the  following
                     <string> will not be displayed.

                     This  is  the  title,  but  the  following  will  not  be

              utf8   Print the packets in  UTF-8  format.  The  encoding  used
                     while  performing  the  conversion  is  declared  in  the
                     etter.conf(5) file.

       -d, --dns
              Resolve ip addresses into hostnames.

              NOTE: this  may  seriously  slow  down  ettercap  while  logging
              passive information.  Every time a new host is found, a query to
              the dns  is  performed.  Ettercap  keeps  a  cache  for  already
              resolved  host  to  increase the speed, but new hosts need a new
              query and the dns may take up to 2 or 3 seconds to  respond  for
              an unknown host.

              HINT:  ettercap  collects  the  dns  replies  it  sniffs  in the
              resolution table, so even if you  specify  to  not  resolve  the
              hostnames,  some  of them will be resolved because the reply was
              previously sniffed. think about it as a passive  dns  resolution
              for free... ;)

       -E, --ext-headers
              Print  extended  headers  for  every displayed packet. (e.g. mac

       -Q, --superquiet
              Super quiet mode. Do not print users and passwords as  they  are
              collected.  Only store them in the profiles. It can be useful to
              run ettercap in text only mode but you don’t want to be  flooded
              with  dissectors messages. Useful when using plugins because the
              sniffing process  is  always  active,  it  will  print  all  the
              collected  infos,  with  this  option  you  can  suppress  these
              NOTE: this options automatically sets the -q option.


              ettercap -TzQP finger /


       -L, --log <LOGFILE>
              Log all the packets to binary files. These files can  be  parsed
              by etterlog(8) to extract human readable data. With this option,
              all packets sniffed by ettercap will be  logged,  together  with
              all  the  passive info (host info + user & pass) it can collect.
              Given a LOGFILE, ettercap will create LOGFILE.ecp (for  packets)
              and LOGFILE.eci (for the infos).

              NOTE:  if you specify this option on command line you don’t have
              to take care of privileges since the log file is opened  in  the
              startup  phase  (with  high  privs).  But  if you enable the log
              option while ettercap is already started, you have to  be  in  a
              directory where uid = 65535 or uid = EC_UID can write.

              NOTE:  the logfiles can be compressed with the deflate algorithm
              using the -c option.

       -l, --log-info <LOGFILE>
              Very similar to -L but it logs only passive information +  users
              and passwords for each host. The file will be named LOGFILE.eci

       -m, --log-msg <LOGFILE>
              It  stores  in  <LOGFILE>  all  the  user  messages  printed  by
              ettercap. This can be useful when  you  are  using  ettercap  in
              daemon  mode  or  if  you  want  to track down all the messages.
              Indeed, some dissectors print messages but their information  is
              not  stored  anywhere,  so this is the only way to keep track of

       -c, --compress
              Compress the logfile with the gzip algorithm while it is dumped.
              etterlog(8)   is   capable   of  handling  both  compressed  and
              uncompressed log files.

       -o, --only-local
              Stores profiles information belonging only to the LAN hosts.

              NOTE:  this  option  is  effective  only  against  the  profiles
              collected  in memory.  While logging to a file ALL the hosts are
              logged. If you want to split them, use the  related  etterlog(8)

       -O, --only-remote
              Stores profiles information belonging only to remote hosts.


       -U, --update
              Connects  to the ettercap website ( and retrieve
              the latest databases used by ettercap.
              If you want only to check if an update is available, prepend the
              -z option.  The order does matter: ettercap -zU

              SECURITY  NOTE:  The  updates  are not signed so an attacker may
              poison your DNS  server  and  force  the  updateNG.php  to  feed
              ettercap  with  fake  databases.   This  can harm to your system
              since it can overwrite any file containing the string "Revision:

       -v, --version
              Print the version and exit.

       -h, --help
              prints  the  help  screen  with a short summary of the available


       Here are some examples of using ettercap.

       ettercap -Tp

              Use the console interface  and  do  not  put  the  interface  in
              promisc mode. You will see only your traffic.

       ettercap -Tzq

              Use the console interface, do not ARP scan the net and be quiet.
              The  packet  content  will  not  be  displayed,  but  user   and
              passwords, as well as other messages, will be displayed.

       ettercap -T -j /tmp/victims -M arp / /

              Will  load  the  hosts list from /tmp/victims and perform an ARP
              poisoning attack against the two target. The list will be joined
              with  the  target  and  the  resulting  list  is  used  for  ARP

       ettercap -T -M arp // //

              Perform the ARP poisoning attack against all the  hosts  in  the
              LAN. BE CAREFUL !!

       ettercap -T -M arp:remote / /

              Perform  the  ARP  poisoning against the gateway and the host in
              the lan between 2 and 10. The ’remote’ option is  needed  to  be
              able  to  sniff  the  remote  traffic the hosts make through the

       ettercap -Tzq //110
              Sniff only the pop3 protocol from every hosts.

       ettercap -Tzq /,22,23

              Sniff telnet, ftp and ssh connections to

       ettercap -P list

              Prints the list of all available plugins


       Alberto Ornaghi (ALoR) <>
       Marco Valleri (NaGA) <>


       etter.conf(5)   ettercap_curses(8)   ettercap_plugins(8)    etterlog(8)



       cvs login
       cvs    co


       Our software never has bugs.
       It just develops random features.   ;)


       - ettercap doesn’t handle fragmented packets... only the first  segment
       will  be  displayed  by  the  sniffer.  However  all  the fragments are
       correctly forwarded.

       +   please    send    bug-report,    patches    or    suggestions    to
       <>                  or                  visit   and  post  it  in   the   BUGS

       + to report a bug, follow the instructions in the README.BUGS file


       "Even  if  blessed  with  a  feeble  intelligence,  they  are cruel and
       smart..."  this is the description of Ettercap, a monster  of  the  RPG
       Advanced Dungeons & Dragon.

       The  name  "ettercap"  was  chosen  because  it  has  an assonance with
       "ethercap" which means "ethernet capture" (what ettercap actually does)
       and  also because such monsters have a powerful poison... and you know,
       arp poisoning... ;)

The Lord Of The (Token)Ring

       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
        one Ring to bring them all and in the darkness sniff them."

Last words

       "Programming today is a race between  software  engineers  striving  to
       build  bigger  and better idiot-proof programs, and the Universe trying
       to produce bigger and better idiots. So far, the Universe is  winning."
       - Rich Cook