Provided by: ettercap-common_0.7.4.2-1_amd64 bug


       etterlog - Log analyzer for ettercap log files


       etterlog [OPTIONS] FILE


       Etterlog  is  the  log  analyzer  for  logfiles  created  by  ettercap. It can handle both
       compressed (created with -Lc) or uncompressed logfiles. With this tool you can  manipulate
       binary  files  as you like and you can print data in different ways all the times you want
       (in contrast with the previous logging system which was used to dump in  a  single  static
       You will be able to dump traffic from only one connection of your choice, from only one or
       more hosts, print data in hex, ascii, binary etc...

       TIP: All useless messages are printed to stderr, so you can save the output from  etterlog
       with the following command:

       etterlog [options] logfile > outfile

              Thus you can dump for example a binary file from an ftp connection if you print the
              data in binary mode, without headers and selecting  only  the  ftp  server  as  the
              source of the communication.


       -a, --analyze
              Analyze a log file and display some interesting statistics.

       -c, --connections
              Parse  the  log  file and print a table of unique connections (port to port).  This
              option can be used only on LOG_PACKET logfiles. On LOG_INFO logfiles it is useless.

              TIP: you can search for a particular host by using the following command:

              etterlog -c logfile.ecp | grep

       -f, --filter <TARGET>
              Print only packets coming from or going to TARGET. The TARGET specification is  the
              same as in ettercap.
              TARGET  is  in  the  form  MAC/IPs/PORTs. Omitting one or more of its parts will be
              equivalent to set them to ANY.

              If the log type is LOG_INFO the target is used to display hosts matching  the  mac,
              ip  and having the specified port(s) open. For example the target //80 will display
              only information about hosts with a running web server.

       -r, --reverse
              Reverse the matching in the TARGET selection. It means  not(TARGET).  All  but  the
              selected TARGET.

       -t, --proto <PROTO>
              Sniff  only  PROTO  packets  (default is TCP + UDP).  This option is only useful in
              "simple" mode. If you start ettercap in interactive  mode  both  TCP  and  UDP  are
              PROTO can be "tcp", "udp" or "all" for both.

       -F, --filcon <CONNECTION>
              Print packets belonging only to this CONNECTION.
              CONNECTION  is  in  the  form  PROTO:SOURCE:DEST.  SOURCE  and DEST are in the form


              etterlog -F TCP:

       -s, --only-source
              Display only packets that are sent by the source of the selected CONNECTION.   This
              option makes sense only in conjunction with the -F option.

              TIP:  if  you want to save a file transferred in an HTTP or FTP connection, you can
              use the following command:

              etterlog -B -s -n -F TCP: logfile.ecp > example.tar.gz

       -d, --only-dest
              Same as --only-source but it filters on the destination host.

       -n, --no-headers
              Do not print the header of each packet. This option is useful if you want to save a
              file  in binary format (-B option). Without the headers you can redirect the output
              to a file and you will get the original stream.

              NOTE: the time stamp in the header is  in  the  form:  Thu  Mar  27  23:03:31  2003
              [169396], the value in the square brackets is expressed in microseconds

       -m, --show-mac
              In the headers show also the mac addresses corresponding to the ip addresses.

       -k, --color
              If  used  in  conjunction with -F it displays the source and dest of the connection
              using different colors. If used with a LOG_INFO file it prints LAN hosts in  green,
              REMOTE hosts in blue and GATEWAYS in red.

       -l, --only-local
              Used displaying an INFO file, it displays information only about local hosts.

       -L, --only-remote
              Used displaying an INFO file, it displays information only about remote hosts.


       -e, --regex <REGEX>
              Display only packets matching the regex <REGEX>.
              If  this  option  is used agains a LOG_PACKET logfile, the regex is executed on the
              payload of the packet. If the type is LOG_INFO, the regex is executed  on  all  the
              fields of the host profile (OS, banners, service and ethernet adapter).
              NOTE: the regex is compiled with the REG_ICASE flag (case insensitive).

       -u, --user <USER>
              Display information about this user. The search is performed over all the user/pass
              couples collected across all hosts.

       -p, --passwords
              Print only the collected account information for each host. This prevents the  huge
              profile  output.  It  can  be  used in conjunction with the -u option to filter the
              users. An asterisk '*' used in front  of  an  account  represents  a  failed  login

       -i, --show-client
              Show  the  client  ip address when displaying the collected users and passwords. It
              may be useful when ACLs are in place.

       -I, --client <IP>
              Show passwords only coming from a specific <IP>. This is useful  to  view  all  the
              usernames and passwords of a client.


       -C, --concat
              Use  this  option  to concatenate two (or more) files into one single file. This is
              useful if you have collected ettercap log files from multiple sources and  want  to
              have  an  unified  report. The output file must be specified with the -o option and
              the input files are listed as normal arguments.

              etterlog -C -o outfile input1 input2 input3

       -o, --outfile <FILE>
              specifies the output file for a concatenation.


       -B, --binary
              Print data as they are, in binary form. Useful to dump binary data to  a  file  (as
              described above).

       -X, --hex
              Print the packets in hex format.


              the string  "HTTP/1.1 304 Not Modified"  becomes:

              0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
              0010: 204d 6f64 6966 6965 64                    Modified

       -A, --ascii
              Print only "printable" characters, the others are displayed as dots '.'

       -T, --text
              Print only the "printable" characters and skip the others.

       -E, --ebcdic
              Convert an EBCDIC text to ASCII.

       -H, --html
              Strip all html tags from the text. A tag is every string between '<' and '>'.


              <title>This is the title</title>, but the following <string> will not be displayed.

              This is the title, but the following will not be displayed.

       -U, --utf8 <encoding>
              Print  the packets in UTF-8 format. The <encoding> parameter specifies the encoding
              to be used while performing the conversion.  Use  the  `iconv  --list`  command  to
              obtain a list of all supported encodings.

       -Z, --zero
              Print  always  the  void  string.  i.e. print only header information and no packet
              content will be printed.

       -x, --xml
              Print the host information in xml form, so you can parse  it  with  your  favourite

              The DTD associated with the xml output is in share/etterlog.dtd


       -v, --version
              Print the version and exit.

       -h, --help
              Print the help screen with a short summary of the available options.


       Here are some examples of using etterlog.

       etterlog -k -l dump.eci

              Displays information about local hosts in different colors.

       etterlog -X dump.ecp

              Prints packets in HEX mode with full headers.

       etterlog -c dump.ecp

              Displays the list of connections logged in the file.

       etterlog -Akn -F TCP: dump.ecp

              Displays  the  IRC  traffic  made  by  in  ASCII  mode,  without  headers
              information and in colored mode.

       etterlog -H -t tcp -f //80 dump.ecp

              Dumps all HTTP traffic and strips html tags.

       etterlog -Z -r -f / dump.ecp

              Displays only the headers of all connections except ssh on host

       etterlog -A -e 'user' -f //110 dump.ecp

              Displays only POP packets containing the 'user' regexp (case insensitive).

       etterlog -u root dump.eci

              Displays information about all the accounts of the user 'root'.

       etterlog -e Apache dump.eci

              Displays information about all the hosts running 'Apache'.

       etterlog -e Linux dump.eci

              Displays information about all the hosts with the 'Linux' operating system.

       etterlog -t tcp -f //110 dump.eci

              Displays information about all the hosts with the tcp port 110 open.

       etterlog -t udp dump.eci

              Displays information about all the hosts with at least one UDP port open.

       etterlog -B -s -n -F TCP: logfile.ecp > example.tar.gz

              Dumps in binary form the data sent by over the data port of FTP. Since the
              headers are omitted, you will get the file as it was.


       Alberto Ornaghi (ALoR) <>
       Marco Valleri (NaGA) <>


       ettercap(8) etterfilter(8) etter.conf(5) ettercap_curses(8) ettercap_plugins(8)