Packages and Binaries:

ettercap-common

Ettercap supports active and passive dissection of many protocols (even encrypted ones) and includes many feature for network and host analysis.

Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.

Many sniffing modes are implemented, for a powerful and complete sniffing suite. It is possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).

Ettercap also has the ability to detect a switched LAN, and to use OS fingerprints (active or passive) to find the geometry of the LAN.

This package contains the Common support files, configuration files, plugins, and documentation. You must also install either ettercap-graphical or ettercap-text-only for the actual GUI-enabled or text-only ettercap executable, respectively.

Installed size: 2.46 MB
How to install: sudo apt install ettercap-common

Dependencies:
  • ethtool
  • geoip-database
  • libbsd0
  • libc6
  • libcurl4
  • libgeoip1
  • libluajit-5.1-2 | libluajit2-5.1-2
  • libnet1
  • libpcap0.8
  • libpcre2-8-0
  • libssl3
  • zlib1g

ettercap-graphical

Ettercap supports active and passive dissection of many protocols (even encrypted ones) and includes many feature for network and host analysis.

Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.

Many sniffing modes are implemented, for a powerful and complete sniffing suite. It is possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).

Ettercap also has the ability to detect a switched LAN, and to use OS fingerprints (active or passive) to find the geometry of the LAN.

This package contains the ettercap GUI-enabled executable.

Installed size: 587 KB
How to install: sudo apt install ettercap-graphical

Dependencies:
  • ettercap-common
  • libbsd0
  • libc6
  • libgdk-pixbuf-2.0-0
  • libglib2.0-0
  • libgtk-3-0
  • libncurses6
  • libpcre2-8-0
  • libtinfo6
  • pkexec
  • zlib1g
ettercap

Multipurpose sniffer/content filter for man in the middle attacks

root@kali:~# ettercap -h

ettercap 0.8.3.1 copyright 2001-2020 Ettercap Development Team


Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IP/IPv6/PORTs (see the man for further detail)

Sniffing and Attack options:
  -M, --mitm <METHOD:ARGS>    perform a mitm attack
  -o, --only-mitm             don't sniff, only perform the mitm attack
  -b, --broadcast             sniff packets destined to broadcast
  -B, --bridge <IFACE>        use bridged sniff (needs 2 ifaces)
  -p, --nopromisc             do not put the iface in promisc mode
  -S, --nosslmitm             do not forge SSL certificates
  -u, --unoffensive           do not forward packets
  -r, --read <file>           read data from pcapfile <file>
  -f, --pcapfilter <string>   set the pcap filter <string>
  -R, --reversed              use reversed TARGET matching
  -t, --proto <proto>         sniff only this proto (default is all)
      --certificate <file>    certificate file to use for SSL MiTM
      --private-key <file>    private key file to use for SSL MiTM

User Interface Type:
  -T, --text                  use text only GUI
       -q, --quiet                 do not display packet contents
       -s, --script <CMD>          issue these commands to the GUI
  -C, --curses                use curses GUI
  -D, --daemon                daemonize ettercap (no GUI)
  -G, --gtk                   use GTK+ GUI

Logging options:
  -w, --write <file>          write sniffed data to pcapfile <file>
  -L, --log <logfile>         log all the traffic to this <logfile>
  -l, --log-info <logfile>    log only passive infos to this <logfile>
  -m, --log-msg <logfile>     log all the messages to this <logfile>
  -c, --compress              use gzip compression on log files

Visualization options:
  -d, --dns                   resolves ip addresses into hostnames
  -V, --visual <format>       set the visualization format
  -e, --regex <regex>         visualize only packets matching this regex
  -E, --ext-headers           print extended header for every pck
  -Q, --superquiet            do not display user and password

LUA options:
      --lua-script <script1>,[<script2>,...]     comma-separted list of LUA scripts
      --lua-args n1=v1,[n2=v2,...]               comma-separated arguments to LUA script(s)

General options:
  -i, --iface <iface>         use this network interface
  -I, --liface                show all the network interfaces
  -Y, --secondary <ifaces>    list of secondary network interfaces
  -n, --netmask <netmask>     force this <netmask> on iface
  -A, --address <address>     force this local <address> on iface
  -P, --plugin <plugin>       launch this <plugin> - multiple occurance allowed
      --plugin-list <plugin1>,[<plugin2>,...]       comma-separated list of plugins
  -F, --filter <file>         load the filter <file> (content filter)
  -z, --silent                do not perform the initial ARP scan
  -6, --ip6scan               send ICMPv6 probes to discover IPv6 nodes on the link
  -j, --load-hosts <file>     load the hosts list from <file>
  -k, --save-hosts <file>     save the hosts list to <file>
  -W, --wifi-key <wkey>       use this key to decrypt wifi packets (wep or wpa)
  -a, --config <config>       use the alternative config file <config>

Standard options:
  -v, --version               prints the version and exit
  -h, --help                  this help screen



ettercap-pkexec

etterfilter

Filter compiler for ettercap content filtering engine

root@kali:~# man etterfilter
ETTERFILTER(8)              System Manager's Manual             ETTERFILTER(8)

NAME
       etterfilter - Filter compiler for ettercap content filtering engine

SYNOPSIS
       etterfilter [OPTIONS] FILE

DESCRIPTION
       The etterfilter utility is used to compile source filter files into bi-
       nary filter files that can be interpreted by the JIT interpreter in the
       ettercap(8)  filter  engine. You have to compile your filter scripts in
       order to use them in ettercap. All syntax/parse errors will be  checked
       at compile time, so you will be sure to produce a correct binary filter
       for ettercap.

       GENERAL OPTIONS

       -o, --output <FILE>
              you can specify the output file for a source filter file. By de-
              fault the output is filter.ef.

       -t, --test <FILE>
              you  can analyze a compiled filter file with this option. etter-
              filter will print in a human readable form all the  instructions
              contained  in it. It is a sort of "disassembler" for binary fil-
              ter files.

       -d, --debug
              prints some debug messages during the compilation. Use  it  more
              than once to increase the debug level ( etterfilter -ddd ... ).

       -w, --suppress-warnings
              Don't  exit on warnings. With this option the compiler will com-
              pile the script even if it contains warnings.

       STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              prints the help screen with a short summary of the available op-
              tions.

       SCRIPTS SYNTAX
              A script is a compound of instructions. It is  executed  sequen-
              tially  and you can make branches with the 'if' statements. 'if'
              and 'if/else' statements are the only supported.  No  loops  are
              implemented.  The  syntax  is almost like C code except that you
              have to put 'if' blocks into graph parentheses '{' '}', even  if
              they contain only one instruction.

              NOTE:  you have to put a space between the 'if' and the '('. You
              must not put the space between the function name and the '('.

              Example:
              if (conditions) { }
              func(args...);

              The conditions for an 'if' statement can be either functions  or
              comparisons.  Two or more conditions can be linked together with
              logical operators like OR '||' and AND '&&'.

              Example:
              if (tcp.src == 21 && search(DATA.data, "ettercap")) {
              }

              Pay attention to the operator precedence.  You cannot use paren-
              theses to group conditions, so be careful with the order. An AND
              at  the  beginning  of  a  conditions block will exclude all the
              other tests if it is evaluated as false. The parsing is left-to-
              right, when an operator is found: if it is an AND and the previ-
              ous condition is false, all the statement is evaluated as false;
              if it is an OR the parsing goes on  even  if  the  condition  is
              false.

              Example:
              if (ip.proto == UDP || ip.proto == TCP && tcp.src == 80) {
              }

              if (ip.proto == TCP && tcp.src == 80 || ip.proto == UDP) {
              }

              the  former  condition  will  match all udp or http traffic. The
              latter is wrong, because if the packet is  not  tcp,  the  whole
              condition block will be evaluated as false.  If you want to make
              complex  conditions,  the  best way is to split them into nested
              'if' blocks.

              Since etterfilter support both IP address families,  you  should
              care  whether  you use 'ip.proto' which is specific for the IPv4
              address family or it's IPv6 couterpart 'ipv6.nh'. Especially for
              the L4 protocol matching using 'ip.proto' and/or 'ipv6.nh',  you
              should be careful if you're really acting on the right protocol.
              This  should  be  enforced  using  the  L3  protocol  identifier
              'eth.proto'.

              Example:
              if (eth.proto == IP && ip.proto ==  TCP  &&  tcp.dst  ==  80  ||
              tcp.src == 80) {
              }

              if  (eth.proto  ==  IP6  &&  ipv6.nh  == TCP && tcp.dst == 80 ||
              tcp.src == 80) {
              }

              if (tcp.dst == 80 || tcp.src == 80) {
              }

              The first example correctly matches http traffic  only  on  IPv4
              while  the  second  would  match  http traffic only on IPv6. The
              thrid example matches http regardless it's IP address familiy.

              Every instruction in a block must end with a semicolon ';'.

              Comparisons are implemented with the '==' operator  and  can  be
              used  to compare numbers, strings or ip addresses. An ip address
              MUST be enclosed within two single quotes (eg. '192.168.0.7'  or
              '2001:db8::2'). You can also use the 'less than' ('<'), 'greater
              than'  ('>'),  'less  or  equal'  ('<=')  and 'greater or equal'
              ('>=') operators. The lvalue of a comparison must be  an  offset
              (see later)

              Example:
              if (DATA.data + 20 == "ettercap" && ip.ttl > 16) {
              }

              Assignments are implemented with the '=' operator and the lvalue
              can be an offset (see later). The rvalue can be a string, an in-
              teger or a hexadecimal value.

              Example:
              ip.ttl = 0xff;
              DATA.data + 7 = "ettercap NG";

              You  can  also  use the 'inc' and 'dec' operations on the packet
              fields. The operators used are '+=' and '-='. The rvalue can  be
              an integer or a hexadecimal value.

              Example:
              ip.ttl += 5;

              More examples can be found in the etter.filter.examples file.

       OFFSET DEFINITION
              An offset is identified by a virtual pointer. In short words, an
              offset is a pointer to the packet buffer. The virtual pointer is
              a tuple <L, O, S>, where L is the iso/osi level, O is the offset
              in that level and S is the size of the virtual pointer.  You can
              make algebraic operations on a virtual pointer and the result is
              still  an  offset. Specifying 'vp + n' will result in a new vir-
              tual pointer <L, O+n, S>.  And this is perfectly legal, we  have
              changed the internal offset of that level.

              Virtual  pointers are in the form 'name.field.subfield'. For ex-
              ample 'ip.ttl' is the virtual pointer for the Time To Live field
              in the IP header of a packet. It will  be  translated  as  <L=3,
              O=9,  S=1>. Indeed it is the 9th byte of level 3 and its size is
              1 byte. 'ip.ttl + 1' is the same as 'ip.proto'  since  the  10th
              byte  of  the  IP  header is the protocol encapsulated in the IP
              packet.  Note that since etterfilter also supports processing of
              IPv6, the above mentioned only applies for  IPv4  packets  while
              counterpart in IPv6 would be 'ipv6.nh'.

              The list of all supported virtual pointers is in the file etter-
              filter.tbl.  You  can  add your own virtual pointers by adding a
              new table or modifying the existing ones. Refer to the  comments
              at  the  beginning of the file for the syntax of etterfilter.tbl
              file.

       SCRIPTS FUNCTIONS

       search(where, what)
              this function searches the string 'what' in the buffer  'where'.
              The  buffer  can be either DATA.data or DECODED.data. The former
              is the payload at layer DATA (ontop TCP or UDP) as it is  trans-
              mitted  on the wire, the latter is the payload decoded/decrypted
              by dissectors.
              So, if you want to search in an SSH connection, it is better  to
              use 'DECODED.data' since 'data' will be encrypted.
              The string 'what' can be binary. You have to escape it.

              example:
              search(DATA.data, "\x41\x42\x43")

       regex(where, regex)
              this  function  will  return true if the 'regex' has matched the
              buffer 'where'.  The  considerations  about  'DECODED.data'  and
              'DATA.data' mentioned for the function 'search' are the same for
              the regex function.

              NOTE: regex can be used only against a string buffer.

              example:
              regex(DECODED.data, ".*login.*")

       pcre_regex(where, pcre_regex ... )
              this  function  will  evaluate a perl compatible regular expres-
              sion. You can match against both DATA and DECODED, but  if  your
              expression  modifies  the buffer, it makes sense to operate only
              on DATA. The function accepts 2 or 3 parameters depending on the
              operation you want. The two parameter form is used only to match
              a pattern. The three parameter form means that you want to  make
              a  substitution.  In  both  cases,  the  second parameter is the
              search string.
              You can use $n in the replacement string. These placeholders are
              referred to the groups  created  in  the  search  string.  (e.g.
              pcre_regex(DATA.data,    "^var1=([:digit:]*)&var2=([:digit:]*)",
              "var1=$2&var2=$1") will swap the value of var1 and var2).
              NOTE: The pcre support is optional in ettercap and will  be  en-
              abled only if you have the libpcre installed.  The compiler will
              warn  you  if you try to compile a filter that contains pcre ex-
              pressions but you don't have libpcre. Use the -w option to  sup-
              press the warning.

              example:
              pcre_regex(DATA.data, ".*foo$")
              pcre_regex(DATA.data, "([^ ]*) bar ([^ ]*)", "foo $1 $2")

       replace(what, with)
              this function replaces the string 'what' with the string 'with'.
              They  can  be binary string and must be escaped. The replacement
              is always performed in DATA.data since is the only payload which
              gets forwarded. The 'DECODED.data' buffer is  used  only  inter-
              nally and never reaches the wire.

              example:
              replace("ethercap", "ettercap")

       inject(what)
              this  function  injects the content of the file 'what' after the
              packet being processed. It always injects in DATA.data. You  can
              use  it  to  replace the entire packet with a fake one using the
              drop() function right before the inject() command.  In that case
              the filtering engine will drop the current packet and inject the
              fake one.

              example:
              inject("./fake_packet")

       log(what, where)
              this function dumps in the file 'where' the  buffer  'what'.  No
              information  is  stored  about  the  packet, only the payload is
              dumped. So you will see the stream in the file. If you  want  to
              log  packets in a more enhanced mode, you need to use the etter-
              cap -L option and analyze it with etterlog(8).
              The file 'where' must be writable to the user  EC_UID  (see  et-
              ter.conf(5)).

              example:
              log(DECODED.data, "/tmp/interesting.log")

       msg(message)
              this  function  displays  a message to the user in the User Mes-
              sages window. It is useful to let the user know whether  a  par-
              ticular filter has been successful or not.

              example:
              msg("Packet filtered successfully")

       drop() this  function marks the packet "to be dropped". The packet will
              not be forwarded to the real destination.

              example:
              drop()

       kill() this function kills the connection that owns the matched packet.
              If it is a TCP connection, a RST is sent to both  sides  of  the
              connection. If it is an UDP connection, an ICMP PORT UNREACHABLE
              is sent to the source of the packet.

              example:
              kill()

       exec(command)
              this  function executes a shell command. You have to provide the
              full path to the command since it is executed without any  envi-
              ronment.  There  is  no way to determine if the command was suc-
              cessful or not. Furthermore, it is executed asynchronously since
              it is forked by the main process.

              example:
              exec("/bin/cat /tmp/foo >> /tmp/bar")

       execinject(command)
              this function operates similar to  the  inject  function  except
              that it uses the output of a shell command to inject data rather
              than  the  contents  of a file.  It always injects in DATA.data.
              You can use it to replace the entire packet with a fake one  us-
              ing  the  drop() function right before the execinject() command.
              In that case the filtering engine will drop the  current  packet
              and inject the fake one.

              example:
              execinject("/bin/cat /tmp/foo")

       execreplace(command)
              this  function  operates  similar to the replace function except
              that it uses the output of a shell  command  to  replace  entire
              data  rather  than the contents of a file.  An other difference,
              is that orinal packet content is pass to the  shell  command  in
              stdin.   It  always  injects in DATA.data. You can use it to re-
              place the entire packet with a fake one depending on the  origi-
              nal one.

              example:
              execreplace("tr A-Z a-z")

       exit() this  function  causes  the  filter engine to stop executing the
              code. It is useful to stop the execution of the script  on  some
              circumstance checked by an 'if' statement.

              example:
              exit()

EXAMPLES
       Here are some examples of using etterfilter.

       etterfilter filter.ecf -o filter.ef

              Compiles the source filter.ecf into a binary filter.ef

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <[email protected]>
       Marco Valleri (NaGA) <[email protected]>

PROJECT STEWARDS
       Emilio Escobar (exfil)  <[email protected]>
       Eric Milam (Brav0Hax)  <[email protected]>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter)  <[email protected]>
       Gianfranco Costamagna (LocutusOfBorg)  <[email protected]>
       Antonio Collarino (sniper)  <[email protected]>
       Ryan Linn   <[email protected]>
       Jacob Baines   <[email protected]>

CONTRIBUTORS
       Dhiru Kholia (kholia)  <[email protected]>
       Alexander Koeppe (koeppea)  <[email protected]>
       Martin Bos (PureHate)  <[email protected]>
       Enrique Sanchez
       Gisle Vanem  <[email protected]>
       Johannes Bauer  <[email protected]>
       Daten (Bryan Schneiders)  <[email protected]>

SEE ALSO
       etter.filter.examples
       ettercap(8) etterlog(8) etter.conf(5) ettercap_curses(8) ettercap_plug-
       ins(8) ettercap-pkexec(8)

ettercap 0.8.3.1                                                ETTERFILTER(8)

etterlog

Log analyzer for ettercap log files

root@kali:~# man etterlog
ETTERLOG(8)                 System Manager's Manual                ETTERLOG(8)

NAME
       etterlog - Log analyzer for ettercap log files

SYNOPSIS
       etterlog [OPTIONS] FILE

DESCRIPTION
       Etterlog  is  the log analyzer for logfiles created by ettercap. It can
       handle both compressed (created with  -Lc)  or  uncompressed  logfiles.
       With  this tool you can manipulate binary files as you like and you can
       print data in different ways all the times you want (in  contrast  with
       the  previous  logging system which was used to dump in a single static
       manner).
       You will be able to dump traffic  from  only  one  connection  of  your
       choice,  from  only one or more hosts, print data in hex, ascii, binary
       etc...

       TIP: All non-useful messages are printed to stderr, so you can save the
       output from etterlog with the following command:

       etterlog [options] logfile > outfile

              Thus you can dump for example a binary file from an ftp  connec-
              tion  if  you print the data in binary mode, without headers and
              selecting only the ftp server as the source  of  the  communica-
              tion.

       GENERAL OPTIONS

       -a, --analyze
              Analyze a log file and display some interesting statistics.

       -c, --connections
              Parse the log file and print a table of unique connections (port
              to  port).  This option can be used only on LOG_PACKET logfiles.
              On LOG_INFO logfiles it is useless.

              TIP: you can search for a particular host by using the following
              command:

              etterlog -c logfile.ecp | grep 10.0.0.1

       -f, --filter <TARGET>
              Print only packets coming from or going to  TARGET.  The  TARGET
              specification is the same as in ettercap.
              TARGET  is in the form MAC/IPs/PORTs. With IPv6 support enabled,
              TARGET is in the form MAC/IPs/IPv6/PORTs. Omitting one  or  more
              of its parts will be equivalent to set them to ANY. IPs and IPv6
              will be treated as one part so that it's only set to ANY if both
              IPs  and  IPv6 is omitted. This concludes in a result most users
              would expect.

              If the log type is LOG_INFO the target is used to display  hosts
              matching  the mac, ip and having the specified port(s) open. For
              example the target //80  will  display  only  information  about
              hosts with a running web server.

       -r, --reverse
              Reverse  the matching in the TARGET selection. It means not(TAR-
              GET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).  This option is
              only useful in "simple" mode. If you start ettercap in  interac-
              tive mode both TCP and UDP are sniffed.
              PROTO can be "tcp", "udp" or "all" for both.

       -F, --filcon <CONNECTION>
              Print packets belonging only to this CONNECTION.
              CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are
              in the form IP:PORT.

              example:

              etterlog -F TCP:10.0.0.23:3318:198.182.196.56:80

       -s, --only-source
              Display only packets that are sent by the source of the selected
              CONNECTION.   This  option  makes sense only in conjunction with
              the -F option.

              TIP: if you want to save a file transferred in an  HTTP  or  FTP
              connection, you can use the following command:

              etterlog  -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp
              > example.tar.gz

       -d, --only-dest
              Same as --only-source but it filters on the destination host.

       -n, --no-headers
              Do not print the header of each packet. This option is useful if
              you want to save a file in binary format  (-B  option).  Without
              the  headers  you can redirect the output to a file and you will
              get the original stream.

              NOTE: the time stamp in the header is in the form:  Thu  Mar  27
              23:03:31  2003 [169396], the value in the square brackets is ex-
              pressed in microseconds

       -m, --show-mac
              In the headers show also the mac addresses corresponding to  the
              ip addresses.

       -k, --color
              If  used  in conjunction with -F it displays the source and dest
              of the  connection  using  different  colors.  If  used  with  a
              LOG_INFO file it prints LAN hosts in green, REMOTE hosts in blue
              and GATEWAYS in red.

       -l, --only-local
              Used displaying an INFO file, it displays information only about
              local hosts.

       -L, --only-remote
              Used displaying an INFO file, it displays information only about
              remote hosts.

       SEARCH OPTIONS

       -e, --regex <REGEX>
              Display only packets matching the regex <REGEX>.
              If  this  option is used against a LOG_PACKET logfile, the regex
              is executed on the  payload  of  the  packet.  If  the  type  is
              LOG_INFO,  the  regex  is executed on all the fields of the host
              profile (OS, banners, service and ethernet adapter).
              NOTE: the regex is compiled with the REG_ICASE flag (case insen-
              sitive).

       -u, --user <USER>
              Display information about this user.  The  search  is  performed
              over all the user/pass couples collected across all hosts.

       -p, --passwords
              Print only the collected account information for each host. This
              prevents  the huge profile output. It can be used in conjunction
              with the -u option to filter the users. An asterisk '*' used  in
              front of an account represents a failed login attempt.

       -i, --show-client
              Show  the  client ip address when displaying the collected users
              and passwords. It may be useful when ACLs are in place.

       -I, --client <IP>
              Show passwords only coming from a specific <IP>. This is  useful
              to view all the usernames and passwords of a client.

       EDITING OPTIONS

       -C, --concat
              Use this option to concatenate two (or more) files into one sin-
              gle  file.  This  is  useful  if you have collected ettercap log
              files from multiple sources and want to have an unified  report.
              The output file must be specified with the -o option and the in-
              put files are listed as normal arguments.

              example:
              etterlog -C -o outfile input1 input2 input3

       -o, --outfile <FILE>
              specifies the output file for a concatenation.

       VISUALIZATION METHOD

       -B, --binary
              Print  data  as  they are, in binary form. Useful to dump binary
              data to a file (as described above).

       -X, --hex
              Print the packets in hex format.

              example:

              the string  "HTTP/1.1 304 Not Modified"  becomes:

              0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
              0010: 204d 6f64 6966 6965 64                    Modified

       -A, --ascii
              Print only "printable" characters, the others are  displayed  as
              dots '.'

       -T, --text
              Print only the "printable" characters and skip the others.

       -E, --ebcdic
              Convert an EBCDIC text to ASCII.

       -H, --html
              Strip all html tags from the text. A tag is every string between
              '<' and '>'.

              example:

              <title>This  is  the  title</title>,  but the following <string>
              will not be displayed.

              This is the title, but the following will not be displayed.

       -U, --utf8 <encoding>
              Print the packets in  UTF-8  format.  The  <encoding>  parameter
              specifies  the  encoding to be used while performing the conver-
              sion. Use the `iconv --list` command to obtain  a  list  of  all
              supported encodings.

       -Z, --zero
              Print always the void string. i.e. print only header information
              and no packet content will be printed.

       -x, --xml
              Print the host information in xml form, so you can parse it with
              your favourite program.

              The DTD associated with the xml output is in share/etterlog.dtd

       STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              Print  the help screen with a short summary of the available op-
              tions.

EXAMPLES
       Here are some examples of using etterlog.

       etterlog -k -l dump.eci

              Displays information about local hosts in different colors.

       etterlog -X dump.ecp

              Prints packets in HEX mode with full headers.

       etterlog -c dump.ecp

              Displays the list of connections logged in the file.

       etterlog -Akn -F TCP:10.0.0.1:13423:213.203.143.52:6666 dump.ecp

              Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without
              headers information and in colored mode.

       etterlog -H -t tcp -f //80 dump.ecp

              Dumps all HTTP traffic and strips html tags.

       etterlog -Z -r -f /10.0.0.2/22 dump.ecp

              Displays only the headers of all connections except ssh on  host
              10.0.0.2

       etterlog -A -e 'user' -f //110 dump.ecp

              Displays only POP packets containing the 'user' regexp (case in-
              sensitive).

       etterlog -u root dump.eci

              Displays information about all the accounts of the user 'root'.

       etterlog -e Apache dump.eci

              Displays information about all the hosts running 'Apache'.

       etterlog -e Linux dump.eci

              Displays  information about all the hosts with the 'Linux' oper-
              ating system.

       etterlog -t tcp -f //110 dump.eci

              Displays information about all the hosts with the tcp  port  110
              open.

       etterlog -t udp dump.eci

              Displays  information  about all the hosts with at least one UDP
              port open.

       etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > exam-
       ple.tar.gz

              Dumps in binary form the data sent by  10.0.0.1  over  the  data
              port  of  FTP.  Since  the headers are omitted, you will get the
              file as it was.

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <[email protected]>
       Marco Valleri (NaGA) <[email protected]>

PROJECT STEWARDS
       Emilio Escobar (exfil)  <[email protected]>
       Eric Milam (Brav0Hax)  <[email protected]>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter)  <[email protected]>
       Gianfranco Costamagna (LocutusOfBorg)  <[email protected]>
       Antonio Collarino (sniper)  <[email protected]>
       Ryan Linn   <[email protected]>
       Jacob Baines   <[email protected]>

CONTRIBUTORS
       Dhiru Kholia (kholia)  <[email protected]>
       Alexander Koeppe (koeppea)  <[email protected]>
       Martin Bos (PureHate)  <[email protected]>
       Enrique Sanchez
       Gisle Vanem  <[email protected]>
       Johannes Bauer  <[email protected]>
       Daten (Bryan Schneiders)  <[email protected]>

SEE ALSO
       ettercap(8)  etterfilter(8)  etter.conf(5)  ettercap_curses(8)   etter-
       cap_plugins(8) ettercap-pkexec(8)

ettercap 0.8.3.1                                                   ETTERLOG(8)

ettercap-text-only

Ettercap supports active and passive dissection of many protocols (even encrypted ones) and includes many feature for network and host analysis.

Data injection in an established connection and filtering (substitute or drop a packet) on the fly is also possible, keeping the connection synchronized.

Many sniffing modes are implemented, for a powerful and complete sniffing suite. It is possible to sniff in four modes: IP Based, MAC Based, ARP Based (full-duplex) and PublicARP Based (half-duplex).

Ettercap also has the ability to detect a switched LAN, and to use OS fingerprints (active or passive) to find the geometry of the LAN.

This package contains the ettercap text-mode-only executable.

Installed size: 308 KB
How to install: sudo apt install ettercap-text-only

Dependencies:
  • ettercap-common
  • libbsd0
  • libc6
  • libncurses6
  • libpcre2-8-0
  • libtinfo6
  • zlib1g
ettercap

Multipurpose sniffer/content filter for man in the middle attacks

root@kali:~# ettercap -h

ettercap 0.8.3.1 copyright 2001-2020 Ettercap Development Team


Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

TARGET is in the format MAC/IP/IPv6/PORTs (see the man for further detail)

Sniffing and Attack options:
  -M, --mitm <METHOD:ARGS>    perform a mitm attack
  -o, --only-mitm             don't sniff, only perform the mitm attack
  -b, --broadcast             sniff packets destined to broadcast
  -B, --bridge <IFACE>        use bridged sniff (needs 2 ifaces)
  -p, --nopromisc             do not put the iface in promisc mode
  -S, --nosslmitm             do not forge SSL certificates
  -u, --unoffensive           do not forward packets
  -r, --read <file>           read data from pcapfile <file>
  -f, --pcapfilter <string>   set the pcap filter <string>
  -R, --reversed              use reversed TARGET matching
  -t, --proto <proto>         sniff only this proto (default is all)
      --certificate <file>    certificate file to use for SSL MiTM
      --private-key <file>    private key file to use for SSL MiTM

User Interface Type:
  -T, --text                  use text only GUI
       -q, --quiet                 do not display packet contents
       -s, --script <CMD>          issue these commands to the GUI
  -C, --curses                use curses GUI
  -D, --daemon                daemonize ettercap (no GUI)
  -G, --gtk                   use GTK+ GUI

Logging options:
  -w, --write <file>          write sniffed data to pcapfile <file>
  -L, --log <logfile>         log all the traffic to this <logfile>
  -l, --log-info <logfile>    log only passive infos to this <logfile>
  -m, --log-msg <logfile>     log all the messages to this <logfile>
  -c, --compress              use gzip compression on log files

Visualization options:
  -d, --dns                   resolves ip addresses into hostnames
  -V, --visual <format>       set the visualization format
  -e, --regex <regex>         visualize only packets matching this regex
  -E, --ext-headers           print extended header for every pck
  -Q, --superquiet            do not display user and password

LUA options:
      --lua-script <script1>,[<script2>,...]     comma-separted list of LUA scripts
      --lua-args n1=v1,[n2=v2,...]               comma-separated arguments to LUA script(s)

General options:
  -i, --iface <iface>         use this network interface
  -I, --liface                show all the network interfaces
  -Y, --secondary <ifaces>    list of secondary network interfaces
  -n, --netmask <netmask>     force this <netmask> on iface
  -A, --address <address>     force this local <address> on iface
  -P, --plugin <plugin>       launch this <plugin> - multiple occurance allowed
      --plugin-list <plugin1>,[<plugin2>,...]       comma-separated list of plugins
  -F, --filter <file>         load the filter <file> (content filter)
  -z, --silent                do not perform the initial ARP scan
  -6, --ip6scan               send ICMPv6 probes to discover IPv6 nodes on the link
  -j, --load-hosts <file>     load the hosts list from <file>
  -k, --save-hosts <file>     save the hosts list to <file>
  -W, --wifi-key <wkey>       use this key to decrypt wifi packets (wep or wpa)
  -a, --config <config>       use the alternative config file <config>

Standard options:
  -v, --version               prints the version and exit
  -h, --help                  this help screen



etterfilter

Filter compiler for ettercap content filtering engine

root@kali:~# man etterfilter
ETTERFILTER(8)              System Manager's Manual             ETTERFILTER(8)

NAME
       etterfilter - Filter compiler for ettercap content filtering engine

SYNOPSIS
       etterfilter [OPTIONS] FILE

DESCRIPTION
       The etterfilter utility is used to compile source filter files into bi-
       nary filter files that can be interpreted by the JIT interpreter in the
       ettercap(8)  filter  engine. You have to compile your filter scripts in
       order to use them in ettercap. All syntax/parse errors will be  checked
       at compile time, so you will be sure to produce a correct binary filter
       for ettercap.

       GENERAL OPTIONS

       -o, --output <FILE>
              you can specify the output file for a source filter file. By de-
              fault the output is filter.ef.

       -t, --test <FILE>
              you  can analyze a compiled filter file with this option. etter-
              filter will print in a human readable form all the  instructions
              contained  in it. It is a sort of "disassembler" for binary fil-
              ter files.

       -d, --debug
              prints some debug messages during the compilation. Use  it  more
              than once to increase the debug level ( etterfilter -ddd ... ).

       -w, --suppress-warnings
              Don't  exit on warnings. With this option the compiler will com-
              pile the script even if it contains warnings.

       STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              prints the help screen with a short summary of the available op-
              tions.

       SCRIPTS SYNTAX
              A script is a compound of instructions. It is  executed  sequen-
              tially  and you can make branches with the 'if' statements. 'if'
              and 'if/else' statements are the only supported.  No  loops  are
              implemented.  The  syntax  is almost like C code except that you
              have to put 'if' blocks into graph parentheses '{' '}', even  if
              they contain only one instruction.

              NOTE:  you have to put a space between the 'if' and the '('. You
              must not put the space between the function name and the '('.

              Example:
              if (conditions) { }
              func(args...);

              The conditions for an 'if' statement can be either functions  or
              comparisons.  Two or more conditions can be linked together with
              logical operators like OR '||' and AND '&&'.

              Example:
              if (tcp.src == 21 && search(DATA.data, "ettercap")) {
              }

              Pay attention to the operator precedence.  You cannot use paren-
              theses to group conditions, so be careful with the order. An AND
              at  the  beginning  of  a  conditions block will exclude all the
              other tests if it is evaluated as false. The parsing is left-to-
              right, when an operator is found: if it is an AND and the previ-
              ous condition is false, all the statement is evaluated as false;
              if it is an OR the parsing goes on  even  if  the  condition  is
              false.

              Example:
              if (ip.proto == UDP || ip.proto == TCP && tcp.src == 80) {
              }

              if (ip.proto == TCP && tcp.src == 80 || ip.proto == UDP) {
              }

              the  former  condition  will  match all udp or http traffic. The
              latter is wrong, because if the packet is  not  tcp,  the  whole
              condition block will be evaluated as false.  If you want to make
              complex  conditions,  the  best way is to split them into nested
              'if' blocks.

              Since etterfilter support both IP address families,  you  should
              care  whether  you use 'ip.proto' which is specific for the IPv4
              address family or it's IPv6 couterpart 'ipv6.nh'. Especially for
              the L4 protocol matching using 'ip.proto' and/or 'ipv6.nh',  you
              should be careful if you're really acting on the right protocol.
              This  should  be  enforced  using  the  L3  protocol  identifier
              'eth.proto'.

              Example:
              if (eth.proto == IP && ip.proto ==  TCP  &&  tcp.dst  ==  80  ||
              tcp.src == 80) {
              }

              if  (eth.proto  ==  IP6  &&  ipv6.nh  == TCP && tcp.dst == 80 ||
              tcp.src == 80) {
              }

              if (tcp.dst == 80 || tcp.src == 80) {
              }

              The first example correctly matches http traffic  only  on  IPv4
              while  the  second  would  match  http traffic only on IPv6. The
              thrid example matches http regardless it's IP address familiy.

              Every instruction in a block must end with a semicolon ';'.

              Comparisons are implemented with the '==' operator  and  can  be
              used  to compare numbers, strings or ip addresses. An ip address
              MUST be enclosed within two single quotes (eg. '192.168.0.7'  or
              '2001:db8::2'). You can also use the 'less than' ('<'), 'greater
              than'  ('>'),  'less  or  equal'  ('<=')  and 'greater or equal'
              ('>=') operators. The lvalue of a comparison must be  an  offset
              (see later)

              Example:
              if (DATA.data + 20 == "ettercap" && ip.ttl > 16) {
              }

              Assignments are implemented with the '=' operator and the lvalue
              can be an offset (see later). The rvalue can be a string, an in-
              teger or a hexadecimal value.

              Example:
              ip.ttl = 0xff;
              DATA.data + 7 = "ettercap NG";

              You  can  also  use the 'inc' and 'dec' operations on the packet
              fields. The operators used are '+=' and '-='. The rvalue can  be
              an integer or a hexadecimal value.

              Example:
              ip.ttl += 5;

              More examples can be found in the etter.filter.examples file.

       OFFSET DEFINITION
              An offset is identified by a virtual pointer. In short words, an
              offset is a pointer to the packet buffer. The virtual pointer is
              a tuple <L, O, S>, where L is the iso/osi level, O is the offset
              in that level and S is the size of the virtual pointer.  You can
              make algebraic operations on a virtual pointer and the result is
              still  an  offset. Specifying 'vp + n' will result in a new vir-
              tual pointer <L, O+n, S>.  And this is perfectly legal, we  have
              changed the internal offset of that level.

              Virtual  pointers are in the form 'name.field.subfield'. For ex-
              ample 'ip.ttl' is the virtual pointer for the Time To Live field
              in the IP header of a packet. It will  be  translated  as  <L=3,
              O=9,  S=1>. Indeed it is the 9th byte of level 3 and its size is
              1 byte. 'ip.ttl + 1' is the same as 'ip.proto'  since  the  10th
              byte  of  the  IP  header is the protocol encapsulated in the IP
              packet.  Note that since etterfilter also supports processing of
              IPv6, the above mentioned only applies for  IPv4  packets  while
              counterpart in IPv6 would be 'ipv6.nh'.

              The list of all supported virtual pointers is in the file etter-
              filter.tbl.  You  can  add your own virtual pointers by adding a
              new table or modifying the existing ones. Refer to the  comments
              at  the  beginning of the file for the syntax of etterfilter.tbl
              file.

       SCRIPTS FUNCTIONS

       search(where, what)
              this function searches the string 'what' in the buffer  'where'.
              The  buffer  can be either DATA.data or DECODED.data. The former
              is the payload at layer DATA (ontop TCP or UDP) as it is  trans-
              mitted  on the wire, the latter is the payload decoded/decrypted
              by dissectors.
              So, if you want to search in an SSH connection, it is better  to
              use 'DECODED.data' since 'data' will be encrypted.
              The string 'what' can be binary. You have to escape it.

              example:
              search(DATA.data, "\x41\x42\x43")

       regex(where, regex)
              this  function  will  return true if the 'regex' has matched the
              buffer 'where'.  The  considerations  about  'DECODED.data'  and
              'DATA.data' mentioned for the function 'search' are the same for
              the regex function.

              NOTE: regex can be used only against a string buffer.

              example:
              regex(DECODED.data, ".*login.*")

       pcre_regex(where, pcre_regex ... )
              this  function  will  evaluate a perl compatible regular expres-
              sion. You can match against both DATA and DECODED, but  if  your
              expression  modifies  the buffer, it makes sense to operate only
              on DATA. The function accepts 2 or 3 parameters depending on the
              operation you want. The two parameter form is used only to match
              a pattern. The three parameter form means that you want to  make
              a  substitution.  In  both  cases,  the  second parameter is the
              search string.
              You can use $n in the replacement string. These placeholders are
              referred to the groups  created  in  the  search  string.  (e.g.
              pcre_regex(DATA.data,    "^var1=([:digit:]*)&var2=([:digit:]*)",
              "var1=$2&var2=$1") will swap the value of var1 and var2).
              NOTE: The pcre support is optional in ettercap and will  be  en-
              abled only if you have the libpcre installed.  The compiler will
              warn  you  if you try to compile a filter that contains pcre ex-
              pressions but you don't have libpcre. Use the -w option to  sup-
              press the warning.

              example:
              pcre_regex(DATA.data, ".*foo$")
              pcre_regex(DATA.data, "([^ ]*) bar ([^ ]*)", "foo $1 $2")

       replace(what, with)
              this function replaces the string 'what' with the string 'with'.
              They  can  be binary string and must be escaped. The replacement
              is always performed in DATA.data since is the only payload which
              gets forwarded. The 'DECODED.data' buffer is  used  only  inter-
              nally and never reaches the wire.

              example:
              replace("ethercap", "ettercap")

       inject(what)
              this  function  injects the content of the file 'what' after the
              packet being processed. It always injects in DATA.data. You  can
              use  it  to  replace the entire packet with a fake one using the
              drop() function right before the inject() command.  In that case
              the filtering engine will drop the current packet and inject the
              fake one.

              example:
              inject("./fake_packet")

       log(what, where)
              this function dumps in the file 'where' the  buffer  'what'.  No
              information  is  stored  about  the  packet, only the payload is
              dumped. So you will see the stream in the file. If you  want  to
              log  packets in a more enhanced mode, you need to use the etter-
              cap -L option and analyze it with etterlog(8).
              The file 'where' must be writable to the user  EC_UID  (see  et-
              ter.conf(5)).

              example:
              log(DECODED.data, "/tmp/interesting.log")

       msg(message)
              this  function  displays  a message to the user in the User Mes-
              sages window. It is useful to let the user know whether  a  par-
              ticular filter has been successful or not.

              example:
              msg("Packet filtered successfully")

       drop() this  function marks the packet "to be dropped". The packet will
              not be forwarded to the real destination.

              example:
              drop()

       kill() this function kills the connection that owns the matched packet.
              If it is a TCP connection, a RST is sent to both  sides  of  the
              connection. If it is an UDP connection, an ICMP PORT UNREACHABLE
              is sent to the source of the packet.

              example:
              kill()

       exec(command)
              this  function executes a shell command. You have to provide the
              full path to the command since it is executed without any  envi-
              ronment.  There  is  no way to determine if the command was suc-
              cessful or not. Furthermore, it is executed asynchronously since
              it is forked by the main process.

              example:
              exec("/bin/cat /tmp/foo >> /tmp/bar")

       execinject(command)
              this function operates similar to  the  inject  function  except
              that it uses the output of a shell command to inject data rather
              than  the  contents  of a file.  It always injects in DATA.data.
              You can use it to replace the entire packet with a fake one  us-
              ing  the  drop() function right before the execinject() command.
              In that case the filtering engine will drop the  current  packet
              and inject the fake one.

              example:
              execinject("/bin/cat /tmp/foo")

       execreplace(command)
              this  function  operates  similar to the replace function except
              that it uses the output of a shell  command  to  replace  entire
              data  rather  than the contents of a file.  An other difference,
              is that orinal packet content is pass to the  shell  command  in
              stdin.   It  always  injects in DATA.data. You can use it to re-
              place the entire packet with a fake one depending on the  origi-
              nal one.

              example:
              execreplace("tr A-Z a-z")

       exit() this  function  causes  the  filter engine to stop executing the
              code. It is useful to stop the execution of the script  on  some
              circumstance checked by an 'if' statement.

              example:
              exit()

EXAMPLES
       Here are some examples of using etterfilter.

       etterfilter filter.ecf -o filter.ef

              Compiles the source filter.ecf into a binary filter.ef

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <[email protected]>
       Marco Valleri (NaGA) <[email protected]>

PROJECT STEWARDS
       Emilio Escobar (exfil)  <[email protected]>
       Eric Milam (Brav0Hax)  <[email protected]>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter)  <[email protected]>
       Gianfranco Costamagna (LocutusOfBorg)  <[email protected]>
       Antonio Collarino (sniper)  <[email protected]>
       Ryan Linn   <[email protected]>
       Jacob Baines   <[email protected]>

CONTRIBUTORS
       Dhiru Kholia (kholia)  <[email protected]>
       Alexander Koeppe (koeppea)  <[email protected]>
       Martin Bos (PureHate)  <[email protected]>
       Enrique Sanchez
       Gisle Vanem  <[email protected]>
       Johannes Bauer  <[email protected]>
       Daten (Bryan Schneiders)  <[email protected]>

SEE ALSO
       etter.filter.examples
       ettercap(8) etterlog(8) etter.conf(5) ettercap_curses(8) ettercap_plug-
       ins(8) ettercap-pkexec(8)

ettercap 0.8.3.1                                                ETTERFILTER(8)

etterlog

Log analyzer for ettercap log files

root@kali:~# man etterlog
ETTERLOG(8)                 System Manager's Manual                ETTERLOG(8)

NAME
       etterlog - Log analyzer for ettercap log files

SYNOPSIS
       etterlog [OPTIONS] FILE

DESCRIPTION
       Etterlog  is  the log analyzer for logfiles created by ettercap. It can
       handle both compressed (created with  -Lc)  or  uncompressed  logfiles.
       With  this tool you can manipulate binary files as you like and you can
       print data in different ways all the times you want (in  contrast  with
       the  previous  logging system which was used to dump in a single static
       manner).
       You will be able to dump traffic  from  only  one  connection  of  your
       choice,  from  only one or more hosts, print data in hex, ascii, binary
       etc...

       TIP: All non-useful messages are printed to stderr, so you can save the
       output from etterlog with the following command:

       etterlog [options] logfile > outfile

              Thus you can dump for example a binary file from an ftp  connec-
              tion  if  you print the data in binary mode, without headers and
              selecting only the ftp server as the source  of  the  communica-
              tion.

       GENERAL OPTIONS

       -a, --analyze
              Analyze a log file and display some interesting statistics.

       -c, --connections
              Parse the log file and print a table of unique connections (port
              to  port).  This option can be used only on LOG_PACKET logfiles.
              On LOG_INFO logfiles it is useless.

              TIP: you can search for a particular host by using the following
              command:

              etterlog -c logfile.ecp | grep 10.0.0.1

       -f, --filter <TARGET>
              Print only packets coming from or going to  TARGET.  The  TARGET
              specification is the same as in ettercap.
              TARGET  is in the form MAC/IPs/PORTs. With IPv6 support enabled,
              TARGET is in the form MAC/IPs/IPv6/PORTs. Omitting one  or  more
              of its parts will be equivalent to set them to ANY. IPs and IPv6
              will be treated as one part so that it's only set to ANY if both
              IPs  and  IPv6 is omitted. This concludes in a result most users
              would expect.

              If the log type is LOG_INFO the target is used to display  hosts
              matching  the mac, ip and having the specified port(s) open. For
              example the target //80  will  display  only  information  about
              hosts with a running web server.

       -r, --reverse
              Reverse  the matching in the TARGET selection. It means not(TAR-
              GET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).  This option is
              only useful in "simple" mode. If you start ettercap in  interac-
              tive mode both TCP and UDP are sniffed.
              PROTO can be "tcp", "udp" or "all" for both.

       -F, --filcon <CONNECTION>
              Print packets belonging only to this CONNECTION.
              CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are
              in the form IP:PORT.

              example:

              etterlog -F TCP:10.0.0.23:3318:198.182.196.56:80

       -s, --only-source
              Display only packets that are sent by the source of the selected
              CONNECTION.   This  option  makes sense only in conjunction with
              the -F option.

              TIP: if you want to save a file transferred in an  HTTP  or  FTP
              connection, you can use the following command:

              etterlog  -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp
              > example.tar.gz

       -d, --only-dest
              Same as --only-source but it filters on the destination host.

       -n, --no-headers
              Do not print the header of each packet. This option is useful if
              you want to save a file in binary format  (-B  option).  Without
              the  headers  you can redirect the output to a file and you will
              get the original stream.

              NOTE: the time stamp in the header is in the form:  Thu  Mar  27
              23:03:31  2003 [169396], the value in the square brackets is ex-
              pressed in microseconds

       -m, --show-mac
              In the headers show also the mac addresses corresponding to  the
              ip addresses.

       -k, --color
              If  used  in conjunction with -F it displays the source and dest
              of the  connection  using  different  colors.  If  used  with  a
              LOG_INFO file it prints LAN hosts in green, REMOTE hosts in blue
              and GATEWAYS in red.

       -l, --only-local
              Used displaying an INFO file, it displays information only about
              local hosts.

       -L, --only-remote
              Used displaying an INFO file, it displays information only about
              remote hosts.

       SEARCH OPTIONS

       -e, --regex <REGEX>
              Display only packets matching the regex <REGEX>.
              If  this  option is used against a LOG_PACKET logfile, the regex
              is executed on the  payload  of  the  packet.  If  the  type  is
              LOG_INFO,  the  regex  is executed on all the fields of the host
              profile (OS, banners, service and ethernet adapter).
              NOTE: the regex is compiled with the REG_ICASE flag (case insen-
              sitive).

       -u, --user <USER>
              Display information about this user.  The  search  is  performed
              over all the user/pass couples collected across all hosts.

       -p, --passwords
              Print only the collected account information for each host. This
              prevents  the huge profile output. It can be used in conjunction
              with the -u option to filter the users. An asterisk '*' used  in
              front of an account represents a failed login attempt.

       -i, --show-client
              Show  the  client ip address when displaying the collected users
              and passwords. It may be useful when ACLs are in place.

       -I, --client <IP>
              Show passwords only coming from a specific <IP>. This is  useful
              to view all the usernames and passwords of a client.

       EDITING OPTIONS

       -C, --concat
              Use this option to concatenate two (or more) files into one sin-
              gle  file.  This  is  useful  if you have collected ettercap log
              files from multiple sources and want to have an unified  report.
              The output file must be specified with the -o option and the in-
              put files are listed as normal arguments.

              example:
              etterlog -C -o outfile input1 input2 input3

       -o, --outfile <FILE>
              specifies the output file for a concatenation.

       VISUALIZATION METHOD

       -B, --binary
              Print  data  as  they are, in binary form. Useful to dump binary
              data to a file (as described above).

       -X, --hex
              Print the packets in hex format.

              example:

              the string  "HTTP/1.1 304 Not Modified"  becomes:

              0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
              0010: 204d 6f64 6966 6965 64                    Modified

       -A, --ascii
              Print only "printable" characters, the others are  displayed  as
              dots '.'

       -T, --text
              Print only the "printable" characters and skip the others.

       -E, --ebcdic
              Convert an EBCDIC text to ASCII.

       -H, --html
              Strip all html tags from the text. A tag is every string between
              '<' and '>'.

              example:

              <title>This  is  the  title</title>,  but the following <string>
              will not be displayed.

              This is the title, but the following will not be displayed.

       -U, --utf8 <encoding>
              Print the packets in  UTF-8  format.  The  <encoding>  parameter
              specifies  the  encoding to be used while performing the conver-
              sion. Use the `iconv --list` command to obtain  a  list  of  all
              supported encodings.

       -Z, --zero
              Print always the void string. i.e. print only header information
              and no packet content will be printed.

       -x, --xml
              Print the host information in xml form, so you can parse it with
              your favourite program.

              The DTD associated with the xml output is in share/etterlog.dtd

       STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              Print  the help screen with a short summary of the available op-
              tions.

EXAMPLES
       Here are some examples of using etterlog.

       etterlog -k -l dump.eci

              Displays information about local hosts in different colors.

       etterlog -X dump.ecp

              Prints packets in HEX mode with full headers.

       etterlog -c dump.ecp

              Displays the list of connections logged in the file.

       etterlog -Akn -F TCP:10.0.0.1:13423:213.203.143.52:6666 dump.ecp

              Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without
              headers information and in colored mode.

       etterlog -H -t tcp -f //80 dump.ecp

              Dumps all HTTP traffic and strips html tags.

       etterlog -Z -r -f /10.0.0.2/22 dump.ecp

              Displays only the headers of all connections except ssh on  host
              10.0.0.2

       etterlog -A -e 'user' -f //110 dump.ecp

              Displays only POP packets containing the 'user' regexp (case in-
              sensitive).

       etterlog -u root dump.eci

              Displays information about all the accounts of the user 'root'.

       etterlog -e Apache dump.eci

              Displays information about all the hosts running 'Apache'.

       etterlog -e Linux dump.eci

              Displays  information about all the hosts with the 'Linux' oper-
              ating system.

       etterlog -t tcp -f //110 dump.eci

              Displays information about all the hosts with the tcp  port  110
              open.

       etterlog -t udp dump.eci

              Displays  information  about all the hosts with at least one UDP
              port open.

       etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > exam-
       ple.tar.gz

              Dumps in binary form the data sent by  10.0.0.1  over  the  data
              port  of  FTP.  Since  the headers are omitted, you will get the
              file as it was.

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <[email protected]>
       Marco Valleri (NaGA) <[email protected]>

PROJECT STEWARDS
       Emilio Escobar (exfil)  <[email protected]>
       Eric Milam (Brav0Hax)  <[email protected]>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter)  <[email protected]>
       Gianfranco Costamagna (LocutusOfBorg)  <[email protected]>
       Antonio Collarino (sniper)  <[email protected]>
       Ryan Linn   <[email protected]>
       Jacob Baines   <[email protected]>

CONTRIBUTORS
       Dhiru Kholia (kholia)  <[email protected]>
       Alexander Koeppe (koeppea)  <[email protected]>
       Martin Bos (PureHate)  <[email protected]>
       Enrique Sanchez
       Gisle Vanem  <[email protected]>
       Johannes Bauer  <[email protected]>
       Daten (Bryan Schneiders)  <[email protected]>

SEE ALSO
       ettercap(8)  etterfilter(8)  etter.conf(5)  ettercap_curses(8)   etter-
       cap_plugins(8) ettercap-pkexec(8)

ettercap 0.8.3.1                                                   ETTERLOG(8)

Updated on: 2024-Feb-16