

       ettercap NG-0.7.3 - Man page for the Ncurses GUI.


       The curses GUI is quite simple and intuitive.
       It  is  menu-driven.  Every  flag  or  function  can be modified/called
       through the upper menu. All user messages are  printed  in  the  bottom
       window.  If you want to see the old messages, you can scroll the window
       buffer by pressing the UP, DOWN, PPAGE, NPAGE keys.  The middle part is
       used to display information or dialogs for the user.

       The menus can be opened by pressing the corresponding hotkey. For the menus
       the hotkey is represented by the uppercase initial letter of the  title
       (e.g.  ’S’  for Sniffing, ’T’ for Targets). The functions within a menu
       can be called by pressing the hotkey depicted near the function name on
       the  right.  Hotkeys  prefixed  with ’C-’ are to be used in conjunction
       with the CTRL key (e.g. ’C-f’ means CTRL+f).

       You can switch the focus between the objects on the screen by pressing
       the TAB key or by clicking on them with the mouse (if you are running
       ettercap within an xterm). Mouse events are supported only through the
       xterm. You can use the mouse to select objects, open a menu, choose a
       function, move the scrollbars of the scrolling windows, etc.

       When you open multiple windows in the middle part, they  will  overlap.
       Use the TAB key to switch between them. Use CTRL+Q to close the focused
       You can also use CTRL+Q to close the input dialog if you want to cancel
       the requested input. (i.e. you have selected the wrong function and you
       want to go back).

       For quick help on the shortcuts available in a particular window,
       press the SPACE key. A help window will be displayed with a list of
       shortcuts that can be used. If the window does not appear, no
       shortcuts are available.


       To use the ncurses GUI you have to:

       - compile ettercap with ncurses support (obviously)
       - run it with the -C flag

       Passing  the  -C flag is sufficient, but if you want you can pass other
       flags that will be automatically set for the ncurses GUI. You  will  be
       able to override them using the menu to change the options.


       As soon as ettercap is launched with the Ncurses GUI, you will be
       presented with several choices. The first screen lets you choose
       whether to open a pcap file or dump the sniffed traffic to a file,
       choose between unified and bridged sniffing, set a pcap filter on
       the captured traffic, and log all the sniffed data.

       Once you have selected a sniffing method (from file, unified or
       bridged) this screen will not be reachable anymore. The only way to
       get back to it is to restart ettercap.

       Let’s analyze each menu in the start screen:


                     Open  a pcap file and analyze it. All the functionalities
                     available for live sniffing are in place except for those
                     sending  or  forwarding  packets  (mitm  attacks  and  so

              Dump to file...
                     All the traffic sniffed  by  the  live  capture  will  be
                     dumped  to  that file. The filters, not the targets, have
                     effects on this file, as all the packets received by pcap
                     will be dumped. The only way to not dump a certain packet
                     is to set a proper pcap filter (see below).

                     Exits from ettercap and returns to the command prompt.


              Unified sniffing...
                     Choosing this function you will be prompted to select the
                     network  interface  to be used for sniffing. The first up
                     and running interface is suggested in the input box.  For
                     an  explanation  of  what  unified  sniffing is, refer to
                     TIP: if you use the ’u’ hotkey, this step will be skipped
                     and the default interface is automatically selected.

              Bridged sniffing...
                     After  selecting  the two interfaces to be used, you will
                     enter the Bridged sniffing mode. For  an  explanation  of
                     what bridged sniffing is, refer to ettercap(8).

              Set pcap filter...
                     Here  you  can  insert  a  tcpdump-like  filter  for  the
                     capturing process.
                     IMPORTANT: if you use a mitm attack, remember that if
                     ettercap does not see a packet, it will NOT be
                     forwarded. So be sure of what you are doing when
                     setting a pcap filter.


                     This enables/disables the unoffensive flag. The asterisk
                     ’*’ means "the option is enabled". Otherwise the option
                     is not enabled.

              Promisc mode
                     Enable/disable the promisc mode for the live capture on a
                     network interface. This is an "asterisk-option" like the
                     unoffensive one.

              Set netmask
                     Use the specified netmask instead of the one associated
                     with the current iface. This option is useful if your
                     NIC has an associated netmask of class B and you want
                     to scan (with the arp scan) only a class C network.


       Once you have selected an offline sniffing or a live capture, the upper
       menu is modified and you can start to do the interesting things...
       Some of the following menus are only available in live capture.


              Start sniffing
                     Starts  the  sniffing  process depending on what you have
                     selected on startup (live or from file)

              Stop sniffing
                     Stops the sniffing thread.

                     Returns to your favourite shell ;)


              Current Targets
                     Displays a list of hosts in each TARGET. You can
                     selectively remove a host by selecting it and pressing
                     ’d’, or add a new host by pressing ’a’. To switch between
                     the two lists, use the ARROW keys.

              Select TARGET(s)
                     Lets   you   select   the   TARGET(s)   as  explained  in
                     ettercap(8). The syntax is the same as  for  the  command
                     line specification.

                     You can choose to sniff only TCP, only UDP or both (ALL).

              Reverse matching
                     Reverse the matching of a packet. It is equivalent  to  a
                     NOT before the target specification.

              Wipe Targets
                     Restores both TARGETS to ANY/ANY/ANY


              Hosts list
                     Displays  the  list of hosts detected through an ARP scan
                     or converted from the passive profiles. This list is used
                     by  MITM  attacks  when the ANY target is selected, so if
                     you want to exclude a host from the attack, simply delete
                     it from the list.
                     You  can remove a host from the list by pressing ’d’, add
                     it to TARGET1 by pressing ’1’ or add  it  to  TARGET2  by
                     pressing ’2’.

              Scan for hosts
                     Perform the ARP scan of the netmask if no TARGETS are
                     selected. If TARGETS were specified, it only scans for
                     those hosts.

              Load from file...
                     Loads  the  hosts  list from a file previously saved with
                     "save to file" or hand crafted.

              Save to file...
                     Save the current hosts list to a file.


                     Displays the connection list. To see detailed information
                     about a connection press ’d’, or press ’k’ to kill it. To
                     see the traffic for a specific connection, select it  and
                     press  enter.  Once  the two-panel interface is displayed
                     you can move the focus with the arrow keys. Press ’j’  to
                     switch between joined and split visualization. Press
                     ’k’  to  kill  the  connection.  Press  ’y’   to   inject
                     interactively  and  ’Y’ to inject a file. Note that it is
                     important which panel has the focus as the injected  data
                     will be sent to that address.
                     HINT:   connections   marked  with  an  asterisk  contain
                     account(s) information.

                     Displays the passive profile hosts list. Selecting a host
                     will display the related details (including account with
                     user and pass for that host).
                     You can convert the passive profile list into  the  hosts
                     list  by pressing ’c’.  To purge remote hosts, press ’l’.
                     To purge local hosts, press ’r’. You can  also  dump  the
                     current  profile  to  a  file by pressing ’d’; the dumped
                     file can be opened with etterlog(8).
                     HINT: profiles marked with an asterisk contain account(s)

                     Displays some statistics about the sniffing process.

              Resolve IP addresses
                     Enables DNS resolution for all the sniffed IP addresses.
                     CAUTION: this will slow ettercap down considerably. By
                     the way, passive DNS resolution is always active. It
                     sniffs DNS replies and stores them in a cache. If an IP
                     address is present in that cache, it will be
                     automatically resolved. It is DNS resolution for free...

              Visualization method
                     Change  the  visualization  method  for the sniffed data.
                     Available methods: ascii, hex, ebcdic, text, html.

              Visualization regex
                     Set the visualization regular  expression.  Only  packets
                     matching  this  regex will be displayed in the connection
                     data window.

              Set the WEP key
                     Set the WEP key used to decrypt WiFi  encrypted  packets.
                     See ettercap(8) for the format of the key.
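
The passive DNS cache described under "Resolve IP addresses" above, sketched as an added example (not ettercap's own code): A records from an observed DNS reply are stored as address-to-name entries and looked up later without sending any query. The function names and the sample reply are constructed for illustration.

```python
import socket
import struct

def read_name(msg, off):
    """Decode a (possibly compressed) DNS name; return (name, next_offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2                    # parsing resumes after the pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 16:                        # guard against pointer loops
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def cache_a_records(msg, cache):
    """Add every A record in the answer section of a DNS reply to cache."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:                       # QR bit clear: a query, skip it
        return cache
    off = 12
    for _ in range(qd):                          # skip the question section
        _, off = read_name(msg, off)
        off += 4                                 # QTYPE + QCLASS
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # IN A record
            cache[socket.inet_ntoa(msg[off:off + 4])] = name
        off += rdlen
    return cache

def resolve(ip, cache):
    """Return the cached name, or the bare address when none was sniffed."""
    return cache.get(ip, ip)

# Constructed reply: www.example.test A 192.0.2.10 (answer name is a pointer)
SAMPLE_REPLY = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x03www\x07example\x04test\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)
```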


              [...]  For  each  type  of  attack,  a  menu entry is displayed.
                     Simply select the attack you want and fill in the arguments
                     when  asked.  You  can activate more than one attack at a

              Stop mitm attack(s)
                     Stops all the mitm attacks currently active.


              Load a filter...
                     Load a precompiled filter file. The file must be compiled
                     with etterfilter(8) before it can be loaded.

              Stop filtering
                     Unload the filter and stop filtering the connections.


              Log all packets and infos...
                     Given a file name, it will create two files: filename.eci
                     (for information about hosts) and filename.ecp  (for  all
                     the  interesting  packets).  This  is  the same as the -L

              Log only infos...
                     This is used only to sniff information about hosts  (same
                     as the -l option).

              Stop logging info
                     Come on... it is self explanatory.

              Log user messages...
                     Will  log all the messages appearing in the bottom window
                     (same as -m option).

              Compressed file
                     Asterisk-option to control whether  or  not  the  logfile
                     should be compressed.


              Manage the plugins
                     Opens  the  plugin  management  window.  You can select a
                     plugin and  activate  it  by  pressing  ’enter’.  Plugins
                     already  active  can  be  recognized  by  the  [1] symbol
                     instead of [0]. If you select an active plugin,  it  will
                     be deactivated.

              Load a plugin...
                     You  can  load  a  plugin file that is not in the default
                     search path. (remember that you  can  browse  directories
                     with EC_UID permissions).


       ettercap(8)      ettercap_plugins(8)     etterlog(8)     etterfilter(8)