etterlog NG-0.7.3 - Log analyzer for ettercap log files
etterlog [OPTIONS] FILE
Etterlog is the log analyzer for logfiles created by ettercap. It can
handle both compressed (created with -Lc) or uncompressed logfiles.
With this tool you can manipulate binary files as you like and you can
print data in different ways all the times you want (in contrast with
the previous logging system which was used to dump in a single static
You will be able to dump traffic from only one connection of your
choice, from only one or more hosts, print data in hex, ascii, binary
TIP: All unuseful messages are printed to stderr, so you can save the
output from etterlog with the following command:
etterlog [options] logfile > outfile
Thus you can dump for example a binary file from an ftp
connection if you print the data in binary mode, without headers
and selecting only the ftp server as the source of the
Analyze a log file and display some interesting statistics.
Parse the log file and print a table of unique connections (port
to port). This option can be used only on LOG_PACKET logfiles.
On LOG_INFO logfiles it is useless.
TIP: you can search for a particular host by using the following
etterlog -c logfile.ecp | grep 10.0.0.1
-f, --filter <TARGET>
Print only packets coming from or going to TARGET. The TARGET
specification is the same as in ettercap.
TARGET is in the form MAC/IPs/PORTs. Omitting one or more of its
parts will be equivalent to set them to ANY.
If the log type is LOG_INFO the target is used to display hosts
matching the mac, ip and having the specified port(s) open. For
example the target //80 will display only information about
hosts with a running web server.
Reverse the matching in the TARGET selection. It means
not(TARGET). All but the selected TARGET.
-t, --proto <PROTO>
Sniff only PROTO packets (default is TCP + UDP). This option is
only useful in "simple" mode. If you start ettercap in
interactive mode both TCP and UDP are sniffed.
PROTO can be "tcp", "udp" or "all" for both.
-F, --filcon <CONNECTION>
Print packets belonging only to this CONNECTION.
CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are
in the form IP:PORT.
etterlog -F TCP:10.0.0.23:3318:18.104.22.168:80
Display only packets that are sent by the source of the selected
CONNECTION. This option makes sense only in conjunction with
the -F option.
TIP: if you want to save a file transferred in an HTTP or FTP
connection, you can use the following command:
etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp
Same as --only-source but it filters on the destination host.
Do not print the header of each packet. This option is useful if
you want to save a file in binary format (-B option). Without
the headers you can redirect the output to a file and you will
get the original stream.
NOTE: the time stamp in the header is in the form: Thu Mar 27
23:03:31 2003 , the value in the square brackets is
expressed in microseconds
In the headers show also the mac addresses corresponding to the
If used in conjunction with -F it displays the source and dest
of the connection using different colors. If used with a
LOG_INFO file it prints LAN hosts in green, REMOTE hosts in blue
and GATEWAYS in red.
Used displaying an INFO file, it displays information only about
Used displaying an INFO file, it displays information only about
-e, --regex <REGEX>
Display only packets matching the regex <REGEX>.
If this option is used agains a LOG_PACKET logfile, the regex is
executed on the payload of the packet. If the type is LOG_INFO,
the regex is executed on all the fields of the host profile (OS,
banners, service and ethernet adapter).
NOTE: the regex is compiled with the REG_ICASE flag (case
-u, --user <USER>
Display information about this user. The search is performed
over all the user/pass couples collected across all hosts.
Print only the collected account information for each host. This
prevents the huge profile output. It can be used in conjunction
with the -u option to filter the users. An asterisk ’*’ used in
front of an account represents a failed login attempt.
Show the client ip address when displaying the collected users
and passwords. It may be useful when ACLs are in place.
-I, --client <IP>
Show passwords only coming from a specific <IP>. This is useful
to view all the usernames and passwords of a client.
Use this option to concatenate two (or more) files into one
single file. This is useful if you have collected ettercap log
files from multiple sources and want to have an unified report.
The output file must be specified with the -o option and the
input files are listed as normal arguments.
etterlog -C -o outfile input1 input2 input3
-o, --outfile <FILE>
specifies the output file for a concatenation.
Print data as they are, in binary form. Useful to dump binary
data to a file (as described above).
Print the packets in hex format.
the string "HTTP/1.1 304 Not Modified" becomes:
0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74 HTTP/1.1 304 Not
0010: 204d 6f64 6966 6965 64 Modified
Print only "printable" characters, the others are displayed as
Print only the "printable" characters and skip the others.
Convert an EBCDIC text to ASCII.
Strip all html tags from the text. A tag is every string between
’<’ and ’>’.
<title>This is the title</title>, but the following <string>
will not be displayed.
This is the title, but the following will not be displayed.
-U, --utf8 <encoding>
Print the packets in UTF-8 format. The <encoding> parameter
specifies the encoding to be used while performing the
conversion. Use the ‘iconv --list‘ command to obtain a list of
all supported encodings.
Print always the void string. i.e. print only header information
and no packet content will be printed.
Print the host information in xml form, so you can parse it with
your favourite program.
The DTD associated with the xml output is in share/etterlog.dtd
Print the version and exit.
Print the help screen with a short summary of the available
Here are some examples of using etterlog.
etterlog -k -l dump.eci
Displays information about local hosts in different colors.
etterlog -X dump.ecp
Prints packets in HEX mode with full headers.
etterlog -c dump.ecp
Displays the list of connections logged in the file.
etterlog -Akn -F TCP:10.0.0.1:13423:22.214.171.124:6666 dump.ecp
Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without
headers information and in colored mode.
etterlog -H -t tcp -f //80 dump.ecp
Dumps all HTTP traffic and strips html tags.
etterlog -Z -r -f /10.0.0.2/22 dump.ecp
Displays only the headers of all connections except ssh on host
etterlog -A -e ’user’ -f //110 dump.ecp
Displays only POP packets containing the ’user’ regexp (case
etterlog -u root dump.eci
Displays information about all the accounts of the user ’root’.
etterlog -e Apache dump.eci
Displays information about all the hosts running ’Apache’.
etterlog -e Linux dump.eci
Displays information about all the hosts with the ’Linux’
etterlog -t tcp -f //110 dump.eci
Displays information about all the hosts with the tcp port 110
etterlog -t udp dump.eci
Displays information about all the hosts with at least one UDP
etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp >
Dumps in binary form the data sent by 10.0.0.1 over the data
port of FTP. Since the headers are omitted, you will get the
file as it was.
Alberto Ornaghi (ALoR) <firstname.lastname@example.org>
Marco Valleri (NaGA) <email@example.com>
ettercap(8) etterfilter(8) etter.conf(5) ettercap_curses(8)