ETTER.CONF(5)		      File Formats Manual		 ETTER.CONF(5)

NAME
       etter.conf - Ettercap configuration file

DESCRIPTION
       etter.conf  is  the  configuration file that determines ettercap	behav-
       iour. It	is always loaded at startup and	it configures some  attributes
       used at runtime.

       The file	contains entries of the	form:

	      [section]
	      entry = value
	      ...

       Each  entry defines a variable that can be customized. Every value MUST
       be an integer. Sections are used	only to	group together some variables.

       NOTE: if you omit a variable in the conf file, it will be initialized
       with the value 0. Leaving critical variables such as "arp_poison_delay"
       or "connection_timeout" uninitialized is strongly discouraged.

       The following is	a list of available variables:

       [privs]

       ec_uid		   This	variable specifies the UID to which privileges
			   are	dropped	 at  startup. After the	socket at link
			   layer has been opened the privileges	are dropped to
			   a  specific	uid  different	from root for security
			   reasons. etter.conf is the only file	that  is  read
			   with	root privs. Be sure that the specified uid has
                           enough privs to read other files (etter.*). You can
                           override this variable by setting the environment
                           variable EC_UID.
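
       Added example (not part of ettercap or of this manual): a Python
       linter for the [section] / entry = value format described above. It
       flags the critical variables named in the NOTE when they are omitted,
       non-integer values, and an ec_uid that leaves the process running as
       root. The function names and the '#' comment handling are assumptions.

```python
import re

# Sections whose variables this page documents as integers.
INT_SECTIONS = {"privs", "mitm", "connections", "stats", "misc"}
# Variables the NOTE above names as critical to set explicitly.
CRITICAL = [("mitm", "arp_poison_delay"), ("connections", "connection_timeout")]

def parse_conf(text):
    """Return {(section, entry): value}. Assumes '#' starts a comment."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            values[(section, key)] = value
    return values

def lint(text):
    """Return sorted findings for an etter.conf-style text."""
    values, findings = parse_conf(text), []
    for section, key in CRITICAL:
        if (section, key) not in values:
            findings.append(f"[{section}] {key} omitted: initialized to 0")
    for (section, key), value in values.items():
        if section in INT_SECTIONS and not re.fullmatch(r"\d+", value):
            findings.append(f"[{section}] {key} is not an integer: {value!r}")
    # An omitted ec_uid is initialized to 0, same as an explicit 0: still root.
    # (The EC_UID environment variable, if set, takes precedence over the file.)
    if re.fullmatch(r"0+", values.get(("privs", "ec_uid"), "0")):
        findings.append("[privs] ec_uid is 0: privileges are not dropped from root")
    return sorted(findings)

# Constructed sample input, not a shipped etter.conf.
SAMPLE = """\
[privs]
ec_uid = 0               # keeps root after the link-layer socket is open
[mitm]
arp_storm_delay = 10
arp_poison_warm_up = one
[connections]
connection_timeout = 300
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```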

       [mitm]

       arp_storm_delay	   The value represents	the milliseconds to  wait  be-
			   tween  two  consecutive  packets during the initial
			   ARP scan. You can increment this value to  be  less
			   aggressive  at  startup. The	randomized scan	plus a
			   high	delay can fool some types of ARP  scan	detec-
			   tors.

       arp_poison_smart	   With	this variable set, only	3 initial poisoned ARP
                           messages are sent to the victims. Ettercap keeps up
                           this poisoned status by responding to ARP requests
                           from victims that want to refresh
			   their  ARP cache. This makes	the ARP	poisoning very
			   stealthy but	may be unreliable on shared media such
			   as WiFi.

       arp_poison_warm_up  When	the poisoning process starts, the inter-packet
			   delay is low	for the	first 5	poisons	 (to  be  sure
			   the	poisoning  process has been successful). After
			   the first 5 poisons,	the delay is  incremented  (to
			   keep	 up the	poisoning). This variable controls the
			   delay for the first 5 poisons. The value is in sec-
			   onds.
			   The	same  delay  is	 used when the victims are re-
			   stored to  the  original  associations  (RE-ARPing)
			   when	ettercap is closed.

       arp_poison_delay	   This	 variable  controls  the poisoning delay after
			   the first 5 poisons.	The value is expressed in sec-
			   onds.  You  can increase this value (to try to fool
			   the IDS) up to the timeout of the ARP cache	(which
			   depends on the poisoned operating system).

       arp_poison_icmp	   Enable  the	sending	 of  a spoofed ICMP message to
			   force the targets to	make an	arp request. This will
			   create  an arp entry	in the host cache, so ettercap
			   will	be able	to win the race	condition  and	poison
			   the	target.	Useful against targets that do not ac-
			   cept	gratuitous arp if the  entry  is  not  in  the
			   cache.

       arp_poison_reply	   Use	ARP replies to poison the targets. This	is the
			   classic attack.

       arp_poison_request  Use ARP requests to poison the targets. Useful
                           against targets that cache even ARP request values.

       arp_poison_equal_mac
			   Set	this  option to	0 if you want to skip the poi-
			   soning of two hosts with the	same mac address. This
			   may	happen if a NIC	has one	or more	aliases	on the
			   same	network.
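
       Defender's view of the ARP options above, as an added example that is
       not part of ettercap: arp_poison_delay and arp_poison_smart only change
       how often poisoned messages appear, so this Python monitor pins the
       first IP-to-MAC binding it sees and alerts on any conflicting claim,
       whether it arrives as a reply or a request. The tuple format, function
       name and alias_macs allowlist (for the aliased-NIC case noted under
       arp_poison_equal_mac) are assumptions.

```python
from collections import defaultdict

def detect(observations, alias_macs=frozenset()):
    """Return alerts as (time_s, kind, ip, mac) for ARP observations.

    observations: (time_s, op, sender_ip, sender_mac) tuples, op being
    "request" or "reply". alias_macs: MACs known to hold several IPs.
    """
    baseline = {}                  # first binding seen per IP, never overwritten
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for time_s, _op, ip, mac in observations:
        # Requests are checked like replies: some hosts cache both.
        if baseline.setdefault(ip, mac) != mac:
            alerts.append((time_s, "conflict", ip, mac))
        claimed = mac_to_ips[mac]
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1 and mac not in alias_macs:
                alerts.append((time_s, "multi-ip", ip, mac))
    return alerts

# Constructed sample data: documentation addresses and made-up MACs.
GW, HOST = "192.0.2.1", "192.0.2.10"
GW_MAC, HOST_MAC = "02:00:00:00:00:01", "02:00:00:00:00:10"
ALIAS_MAC, OTHER_MAC = "02:00:00:00:00:20", "02:00:00:00:00:66"
SAMPLE = [
    (0.0, "reply", GW, GW_MAC),
    (1.0, "request", HOST, HOST_MAC),
    (2.0, "reply", "192.0.2.20", ALIAS_MAC),
    (3.0, "reply", "192.0.2.21", ALIAS_MAC),  # aliased NIC, second IP
    (10.0, "reply", GW, OTHER_MAC),           # conflicts with the baseline
    (10.5, "reply", HOST, OTHER_MAC),
    (310.0, "request", GW, OTHER_MAC),        # same claim five minutes later
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, alias_macs={ALIAS_MAC}):
        print(alert)
```

       Because the baseline is never overwritten, a long delay between
       poisoned messages only spaces the alerts out; it does not suppress them.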

       dhcp_lease_time	   This	is the lease time (in seconds) for a dhcp  as-
			   signment.  You  can	lower this value to permit the
			   victims to receive a	correct	dhcp reply  after  you
			   have	stopped	your attack. Using higher timeouts can
			   seriously mess up your network after	the attack has
			   finished.  On the other hand	some clients will pre-
			   fer a higher	lease time, so you have	to increase it
			   to win the race condition against the real server.

       port_steal_delay	   This	 is  the  delay	time (in milliseconds) between
			   stealing packets for	the "port" mitm	 method.  With
			   low delays you will be able to intercept more pack-
			   ets,	but you	will generate more traffic.  You  have
			   to  tune this value in order	to find	a good balance
			   between the	number	of  intercepted	 packets,  re-
			   transmitted	packets	 and lost packets.  This value
			   depends on full/half	duplex channels, network driv-
			   ers and adapters, network general configuration and
			   hardware.

       port_steal_send_delay
                           This is the delay time (in microseconds) between
                           packets when the "port" mitm method has to re-send
                           packet queues. As with port_steal_delay, you have
                           to tune this option to the lowest acceptable
                           value.

       ndp_poison_warm_up  This option operates similarly to the
                           arp_poison_warm_up option. When the poisoning process
			   starts, this	option controls	the NDP	 poison	 delay
			   for	the  first 5 poisons (to be sure the poisoning
			   process has been successful).  After	 the  first  5
			   poisons,  the  delay	is incremented (to keep	up the
			   poisoning).	This variable controls the  delay  for
			   the first 5 poisons.	The value should be lower than
			   the ndp_poison_delay. The value is in seconds.
                           The same delay is used when the victims are
                           restored to the original associations when ettercap
                           is closed.

       ndp_poison_delay    This option is similar to the arp_poison_delay
                           option. It controls the delay in seconds for sending
                           out the poisoned NDP packets that poison the
                           victim's neighbor cache. This value may be increased
                           to hide from IDSs, but increasing it also increases
                           the probability of losing race conditions during
                           neighbor discovery and of missing some packets.

       ndp_poison_send_delay
                           This option controls the delay in microseconds
                           between poisoned NDP packets being sent. This value
                           may be increased to hide from IDSs, but increasing
                           it also increases the probability of losing race
                           conditions during neighbor discovery and of missing
                           some packets.

       ndp_poison_icmp	   Enable the sending of a spoofed ICMPv6  message  to
			   motivate the	targets	to perform neighbor discovery.
			   This	will create an	entry  in  the	host  neighbor
			   cache,  so  ettercap	 will  be able to win the race
			   condition and poison	 the  target.  Useful  against
			   targets  that do not	accept neighbor	advertisements
			   if the entry	is not in the cache.

       ndp_poison_equal_mac
			   Set this option to 0	if you want to	skip  the  NDP
			   poisoning  of  two hosts with the same mac address.
			   This	may happen if a	NIC has	one or more aliases on
			   the same network.

       icmp6_probe_delay   This	 option	 defines  the time in seconds ettercap
			   waits for active IPv6 nodes to respond to the  ICMP
                           probes. Decreasing this value can cause replies from
                           active IPv6 nodes to be missed, leaving them out of
                           the host list. Increasing the value usually has no
			   impact; normally nodes can manage to	answer	during
			   the default delay.

                           NOTE: The ndp and icmp6 options are only available
                           if ettercap has been built with IPv6 support.

       [connections]

       connection_timeout  Every time a	new connection is discovered, ettercap
			   allocates the needed	structures. After a customiza-
			   ble timeout,	you can	free these structures to  keep
			   the memory usage low. This variable represents this
			   timeout. The	value is expressed  in	seconds.  This
			   timeout  is	applied	 even  to the session tracking
			   system (the protocol	state machine for dissectors).

       connection_idle	   The number of seconds to wait before	 a  connection
			   is marked as	IDLE.

       connection_buffer   This	 variable  controls  the  size	of  the	buffer
			   linked to each connection.  Every sniffed packet is
			   added to the	buffer and when	the buffer is full the
			   older packets are deleted to	make  room  for	 newer
			   ones.  This buffer is useful	to view	data that went
			   on the cable	before you select and view a  specific
                           connection. The higher this value, the higher the
                           ettercap memory occupation. Note that the buffer is
                           dynamic: if you set a buffer of 100.000 bytes, it is
                           not allocated all at once at the first packet of a
                           connection, but is filled as packets arrive.

       connect_timeout	   The timeout in seconds  when	 using	the  connect()
			   syscall. Increase it	if you get a "Connection time-
			   out"	error. This option has nothing to do with con-
			   nections  sniffed  by ettercap. It is a timeout for
			   the connections made	by  ettercap  to  other	 hosts
                           (for example when fingerprinting a remote host).

       [stats]

       sampling_rate	   Ettercap  keeps  some  statistics on	the processing
			   time	of the bottom half (the	sniffer) and top  half
			   (the	 protocol  decoder). These statistics are made
			   on the average  processing  time  of	 sampling_rate
			   packets. You	can decrease this value	to have	a more
			   accurate real-time picture of  processing  time  or
			   increase  it	 to have a smoother picture. The total
			   average will	not change, but	the worst  value  will
			   be heavily influenced by this value.

       [misc]

       close_on_eof	   When	 reading from a	dump file and using console or
			   daemon UI, this variable is used to determine  what
			   action  has	to  be	done  on  EOF. It is a boolean
			   value. If set to 1 ettercap will close itself (use-
			   ful	in  scripts).  Otherwise the session will con-
			   tinue waiting for user input.

       store_profiles	   Ettercap collects in	memory a profile for each host
			   it  detects.	 Users	and  passwords	are  collected
			   there. If you want to run  ettercap	in  background
			   logging  all	 the  traffic, you may want to disable
			   the collecting in memory to save system memory. Set
			   this	option to 0 (zero) to disable profiles collec-
			   tion.  A value of 1 will enable collection for  all
			   the	hosts,	2  will	collect	only local hosts and 3
			   only	remote hosts (a	host is	considered  remote  if
			   it does not belong to the netmask).

       aggressive_dissectors
			   Some	 dissectors  (such  as	SSH and	HTTPS) need to
			   modify the payload of the packets in	order to  col-
			   lect	 passwords and perform a decryption attack. If
			   you want to disable the "dangerous" dissectors  all
			   together, set this value to 0.

       skip_forwarded	   If  you  set	 this  value  to 0 you will sniff even
			   packets forwarded by	ettercap or by the kernel.  It
			   will	generate duplicate packets in conjunction with
			   the arp mitm	method (for example). It could be use-
			   ful while running ettercap in unoffensive mode on a
			   host	with more than one network interface  (waiting
			   for the multiple-interface feature...)

       checksum_warning	   If you set the value	to 0 the messages about	incor-
			   rect	checksums will not be displayed	 in  the  user
			   messages windows (nor logged	to a file with -m).
                           Note that this option will not disable the check on
                           the packets, but only prevent the message from being
                           displayed (see below).

       checksum_check	   This	option is used to completely disable the check
                           on the checksum of the packets that ettercap
                           receives. The check on the packets is performed to
                           avoid ettercap being spotted through bad-checksum
                           packets (see Phrack 60.12). If you disable the
                           check, you will be able to sniff even packets with
                           bad checksums, but you will be spotted if someone is
                           searching for you...

       sniffing_at_startup If this option is set to 1, ettercap will
                           immediately start unified or bridged sniffing after
                           the setup phase has been completed. This option
                           helps to avoid traffic blocking when a MITM
                           technique has been started but the user forgot to
                           start sniffing. Therefore this option is set to 1 by
                           default.
                           If this behaviour is not desired, set it to 0 to
                           manually control the status of unified or bridged
                           sniffing after ettercap has started. However,
                           sniffing can be stopped and started at any time
                           while ettercap runs.

       geoip_support_enable
			   This	option controls	if GeoIP information shall  be
			   processed  for IP addresses whether or not ettercap
			   has been built with GeoIP support.

       gtkui_prefer_dark_theme
                           This option tries to enforce the dark variant of
                           the applied theme. However, this only has an effect
                           if the applied theme provides a dark variant.
                           Normally the desktop environment controls the theme
                           of applications, but some lightweight desktop
                           environments don't support a configuration option
                           for dark themes even when the theme provides a dark
                           variant. To leave the theme variant setting to the
                           desktop environment, this option is set to 0 by
                           default.
			   NOTE:  This option is only relevant in GTK mode and
			   if ettercap has been	built with full	GTK3 support.

       [dissectors]

       protocol_name       This value represents the port on which the
                           protocol dissector has to be bound. A value of 0
                           will disable the dissector. The name of the variable
                           is the same as the protocol name. You can specify a
                           non-standard port for each dissector as well as
                           multiple ports. The syntax for multiport selection
                           is the following: port1,port2,port3,...
                           NOTE: some dissectors are conditionally compiled.
                           This means that depending on the libraries found in
                           your system some dissectors will be enabled and
                           some others will not. By default etter.conf
                           contains all supported dissectors. If you get a
                           "FATAL: Dissector "xxx" does not exists (etter.conf
                           line yy)" error, you have to comment out the yy
                           line in etter.conf.

       [curses]

       color		   You can customize the colors	of the curses GUI.
			   Simply  set	a field	to one of the following	values
			   and look at the GUI aspect :)
			   Here	is a list of values: 0 Black, 1	Red, 2	Green,
			   3 Yellow, 4 Blue, 5 Magenta,	6 Cyan,	7 White

       [strings]

       utf8_encoding       Specifies the encoding to be used while displaying
			   the	packets	 in  UTF-8  format.   Use  the	`iconv
			   --list` command for a list of supported encodings.

       remote_browser      This command is executed by the remote_browser
                           plugin each time it catches a good URL request in
                           an HTTP connection. The command should be able to
                           accept 2 parameters:

			   %host  the Host: tag	in the HTTP  header.  Used  to
				  create the full request into the browser.

			   %url	  The page requested inside the	GET request.

       redir_command_on	   You must provide a valid command (or	script)	to en-
			   able	tcp redirection	at the kernel level  in	 order
			   to  be  able	 to  use  SSL  dissection. Your	script
			   should be able to get 5 parameters:

			   %iface The network interface	on which the rule must
				  be set

			   %source
				  The  source IP or network matching the pack-
				  ets to be redirected (default	is  0.0.0.0/0,
				  ::/0 resp. or	any)

			   %destination
				  The  destination  IP or network matching the
				  packets  to  be   redirected	 (default   is
				  0.0.0.0/0, ::/0 resp.	or any)

			   %port  The  source  port of the packets to be redi-
				  rected (443 for HTTPS, 993 for imaps,	etc).

			   %rport The internally bound port to which  ettercap
				  listens for connections.
       NOTE: this script is executed with an execve(), so you cannot use pipes
       or output redirection as if you were in a shell. We suggest you write
       a script if you need those features.

       NOTE: for this to work, you must set ec_uid to a UID that is privileged
       to execute the redir_command or provide a setuid program.

       redir_command_off   This	script is used to remove  the  redirect	 rules
                           applied by 'redir_command_on'. You should note that
                           this script is called via atexit() and thus does
                           not have high privileges. You should provide a
                           setuid program or set ec_uid to 0 in order to be
                           sure that the script is executed successfully.

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT	STEWARDS
       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe	(koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes	Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)	 <daten@dnetc.org>

SEE ALSO
       ettercap(8)  ettercap_curses(8)	ettercap_plugins(8) etterlog(8)	etter-
       filter(8) ettercap-pkexec(8)

ettercap 0.8.3.1						 ETTER.CONF(5)
