ETTERCAP-CURSES(8)	    System Manager's Manual	    ETTERCAP-CURSES(8)

       ettercap	- Man page for the Ncurses GUI.

       The curses GUI is quite simple and intuitive.
       It  is  menu-driven.  Every  flag  or  function	can be modified/called
       through the upper menu. All user	messages are  printed  in  the	bottom
       window.	If you want to see the old messages, you can scroll the	window
       buffer by pressing the UP, DOWN,	PPAGE, NPAGE keys.  The	middle part is
       used to display information or dialogs for the user.

       The menus can be opened by pressing the corresponding hotkey. For the
       menus the hotkey is the uppercase initial letter of the title (e.g.
       'S' for Sniffing, 'T' for Targets). The functions within a menu can be
       called by pressing the hotkey shown to the right of the function name.
       Hotkeys prefixed with 'C-' are to be used in conjunction with the CTRL
       key (e.g. 'C-f' means CTRL+f).

       You can switch the focus between the objects on the screen by pressing
       the TAB key or by clicking on them with the mouse (if you are running
       ettercap within an xterm). Mouse events are supported only through the
       xterm. You can use the mouse to select objects, open a menu, choose a
       function, scroll the elevators for the scrolling windows, etc.

       When you	open multiple windows in the middle part, they	will  overlap.
       Use the TAB key to switch between them. Use CTRL+Q to close the focused
       You can also use CTRL+Q to close the input dialog if you want to cancel
       the requested input (e.g. you have selected the wrong function and you
       want to go back).

       For quick help on the shortcuts available in a particular window, press
       the SPACE key. A help window will be displayed with a list of shortcuts
       that can be used. If the window does not appear, no shortcuts are
       available.

       To use the ncurses GUI you have to:

       - compile ettercap with ncurses support (obviously)
       - run it	with the -C flag

       Passing	the  -C	flag is	sufficient, but	if you want you	can pass other
       flags that will be automatically	set for	the ncurses GUI. You  will  be
       able to override	them using the menu to change the options.

       As  soon	 as  ettercap  is  launched  with the Ncurses GUI, you will be
       prompted	with multiple choices. The first screen	lets you select	if you
       want  to	open a pcap file or dump the sniffed traffic to	a file,	if you
       want unified sniffing or	bridged	one, permits you to set	a pcap file on
       the captured traffic and	enables	you to log all the sniffed data.

       Once you have selected a sniffing method (from file, unified or
       bridged) this screen will not be reachable anymore. The only way to
       get back to it is to restart ettercap.

       Let's analyze each menu in the start screen:


		     Open  a pcap file and analyze it. All the functionalities
		     available for live	sniffing are in	place except for those
		     sending  or  forwarding  packets  (mitm  attacks  and  so

	      Dump to file...
		     All the traffic sniffed  by  the  live  capture  will  be
		     dumped  to	 that file. The	filters, not the targets, have
		     effects on	this file, as all the packets received by pcap
		     will be dumped. The only way to not dump a	certain	packet
		     is	to set a proper	pcap filter (see below).

		     Exits from	ettercap and returns to	the command prompt.


	      Unified sniffing...
		     Choosing this function you	will be	prompted to select the
		     network  interface	 to be used for	sniffing. The first up
		     and running interface is suggested	in the input box.  For
		     an	 explanation of	what unified sniffing is, refer	to et-
		     TIP: if you use the 'u' hotkey, this step will be skipped
		     and the default interface is automatically	selected.

	      Bridged sniffing...
		     After  selecting  the two interfaces to be	used, you will
		     enter the Bridged sniffing	mode. For  an  explanation  of
		     what bridged sniffing is, refer to	ettercap(8).

	      Set pcap filter...
		     Here you can insert a tcpdump-like	filter for the captur-
		     ing process.
		     IMPORTANT:	if you manage to use a mitm  attack,  remember
		     that  if  ettercap	 does not see a	packet,	it will	NOT be
		     forwarded.	So be sure of what you are doing by setting  a
		     pcap filter.


		     Enables/disables the unoffensive flag. The asterisk '*'
		     means "the option is enabled". Otherwise the option is
		     not enabled.

	      Promisc mode
		     Enable/disable promisc mode for the live capture on a
		     network interface. This is an "asterisk-option" like the
		     unoffensive one.

	      Set netmask
		     Use the specified netmask instead of the one associated
		     with the current iface. This option is useful if the NIC
		     has an associated netmask of class B and you want to scan
		     (with the ARP scan) only a class C.

       Once you have selected offline sniffing or a live capture, the upper
       menu is modified and you can start to do the interesting things...
       Some of the following menus are only available in live capture.


	      Start sniffing
		     Starts  the  sniffing  process depending on what you have
		     selected on startup (live or from file)

	      Stop sniffing
		     Stops the sniffing	thread.

		     Returns to	your favourite shell ;)


	      Current Targets
		     Displays a list of hosts in each TARGET. You can
		     selectively remove a host by selecting it and pressing
		     'd', or add a new host by pressing 'a'. To switch between
		     the two lists, use the ARROW keys.

	      Select TARGET(s)
		     Lets  you	select	the  TARGET(s)	as explained in	etter-
		     cap(8). The syntax	is the same as for  the	 command  line

		     You can choose to sniff only TCP, only UDP	or both	(ALL).

	      Reverse matching
		     Reverse  the  matching of a packet. It is equivalent to a
		     NOT before	the target specification.

	      Wipe Targets
		     Restores both TARGETS to ANY/ANY/ANY


	      Hosts list
		     Displays the list of hosts	detected through an  ARP  scan
		     or	converted from the passive profiles. This list is used
		     by	MITM attacks when the ANY target is  selected,	so  if
		     you want to exclude a host	from the attack, simply	delete
		     it	from the list.
		     You can remove a host from	the list by pressing 'd',  add
		     it	 to  TARGET1  by  pressing '1' or add it to TARGET2 by
		     pressing '2'.

	      Scan for hosts
		     Perform the ARP scan of the netmask if no TARGETS are se-
		     lected.  If TARGETS was specified it only scans for those

	      Load from	file...
		     Loads the hosts list from a file  previously  saved  with
		     "save to file" or hand crafted.

	      Save to file...
		     Save the current hosts list to a file.


		     Displays the connection list. To see detailed information
		     about a connection	press 'd', or press 'k'	to kill	it. To
		     see  the traffic for a specific connection, select	it and
		     press enter. Once the two-panel  interface	 is  displayed
		     you  can move the focus with the arrow keys. Press	'j' to
		     switch between joined and split visualization. Press  'k'
		     to	kill the connection. Press 'y' to inject interactively
		     and 'Y' to	inject a file. Note that it is important which
		     panel  has	the focus as the injected data will be sent to
		     that address.
		     HINT: connections marked with  an	asterisk  contain  ac-
		     count(s) information.

		     Displays the passive profile hosts list. Selecting a host
		     will display its details (including account with user and
		     pass for that host).
		     You  can  convert the passive profile list	into the hosts
		     list by pressing 'c'.  To purge remote hosts, press  'l'.
		     To	 purge	local  hosts, press 'r'. You can also dump the
		     current profile to	a file by  pressing  'd';  the	dumped
		     file can be opened	with etterlog(8).
		     HINT: profiles marked with	an asterisk contain account(s)

		     Displays some statistics about the	sniffing process.

	      Resolve IP addresses
		     Enables DNS resolution for all the sniffed IP addresses.
		     CAUTION: this will make ettercap extremely slow. Note
		     that passive DNS resolution is always active: it sniffs
		     DNS replies and stores them in a cache. If an IP address
		     is present in that cache, it will be resolved
		     automatically. It is DNS resolution for free... ;)

	      Visualization method
		     Change  the  visualization	 method	 for the sniffed data.
		     Available methods:	ascii, hex, ebcdic, text, html.

	      Visualization regex
		     Set the visualization regular  expression.	 Only  packets
		     matching  this  regex will	be displayed in	the connection
		     data window.

	      Set the WiFi key
		     Set the WiFi key used to decrypt WiFi encrypted  packets.
		     See ettercap(8) for the format of the key.


	      [...]  For  each type of attack, a menu entry is displayed. Sim-
		     ply select	the attack you want  and  fill	the  arguments
		     when  asked.  You	can activate more than one attack at a

	      Stop mitm	attack(s)
		     Stops all the mitm	attacks	currently active.


	      Load a filter...
		     Load a precompiled	filter file. The file must be compiled
		     with etterfilter(8) before	it can be loaded.

	      Stop filtering
		     Unload the	filter and stop	filtering the connections.


	      Log all packets and infos...
		     Given a file name,	it will	create two files: filename.eci
		     (for information about hosts) and filename.ecp  (for  all
		     the  interesting packets).	This is	the same as the	-L op-

	      Log only infos...
		     This is used only to sniff	information about hosts	 (same
		     as	the -l option).

	      Stop logging info
		     Come on...	it is self explanatory.

	      Log user messages...
		     Will  log all the messages	appearing in the bottom	window
		     (same as -m option).

	      Compressed file
		     Asterisk-option to	control	whether	 or  not  the  logfile
		     should be compressed.


	      Manage the plugins
		     Opens  the	 plugin	 management  window.  You can select a
		     plugin and	activate it by pressing	'enter'.  Plugins  al-
		     ready  active can be recognized by	the [1]	symbol instead
		     of	[0]. If	you select an active plugin, it	will be	 deac-

	      Load a plugin...
		     You  can  load  a	plugin file that is not	in the default
		     search path. (remember that you  can  browse  directories
		     with EC_UID permissions).

       Alberto Ornaghi (ALoR)
       Marco Valleri (NaGA)

       Emilio Escobar (exfil)
       Eric Milam (Brav0Hax)

       Mike Ryan (justfalter)
       Gianfranco Costamagna (LocutusOfBorg)
       Antonio Collarino (sniper)
       Ryan Linn
       Jacob Baines

       Dhiru Kholia (kholia)
       Alexander Koeppe (koeppea)
       Martin Bos (PureHate)
       Enrique Sanchez
       Gisle Vanem
       Johannes Bauer
       Daten (Bryan Schneiders)

       ettercap(8) ettercap_plugins(8) etterlog(8) etterfilter(8)
       etter.conf(5) ettercap-pkexec(8)

ettercap					    ETTERCAP-CURSES(8)

