Provided by: ettercap-common_0.8.2-2build1_i386 bug


       ettercap  -  multipurpose  sniffer/content filter for man in the middle

***** IMPORTANT NOTE ******

       Since ettercap NG (formerly 0.7.0), all the options have been  changed.
       Even  the  target specification has been changed. Please read carefully
       this man page.


       ettercap [OPTIONS] [TARGET1] [TARGET2]

       If IPv6 is enabled:
       TARGET is in the form MAC/IPs/IPv6/PORTs
       TARGET is in the form MAC/IPs/PORTs
       where IPs and PORTs can be ranges (e.g. /,40,50/20,22,25)


       Ettercap was born as a sniffer for switched  LAN  (and  obviously  even
       "hubbed"  ones),  but during the development process it has gained more
       and more features that have changed it to a powerful and flexible  tool
       for   man-in-the-middle   attacks.   It  supports  active  and  passive
       dissection of many protocols (even ciphered  ones)  and  includes  many
       features for network and host analysis (such as OS fingerprint).

       It has two main sniffing options:

       UNIFIED, this method sniffs all the packets that pass on the cable. You
       can choose to put or not the interface in promisc mode (-p option). The
       packet  not  directed  to  the  host running ettercap will be forwarded
       automatically using layer 3 routing. So  you  can  use  a  mitm  attack
       launched  from a different tool and let ettercap modify the packets and
       forward them for you.
       The kernel ip_forwarding is always disabled by ettercap. This  is  done
       to  prevent  to  forward a packet twice (one by ettercap and one by the
       kernel).  This is an invasive behaviour on gateways.  So  we  recommend
       you  to  use  ettercap  on  the gateways ONLY with the UNOFFENSIVE MODE
       ENABLED.  Since  ettercap  listens  only  on  one  network   interface,
       launching it on the gateway in offensive mode will not allow packets to
       be rerouted back from the second interface.

       BRIDGED, it uses two network interfaces and forward  the  traffic  from
       one  to the other while performing sniffing and content filtering. This
       sniffing method is totally stealthy since there is no way to find  that
       someone  is in the middle on the cable.  You can look at this method as
       a mitm attack at layer 1. You will  be  in  the  middle  of  the  cable
       between  two  entities.  Don't  use it on gateways or it will transform
       your gateway into a bridge. HINT: you can  use  the  content  filtering
       engine  to  drop  packets  that should not pass. This way ettercap will
       work as an inline IPS ;)

       You can also perform man in the middle attacks while using the  unified
       sniffing.  You  can  choose  the  mitm attack that you prefer. The mitm
       attack module is independent from the sniffing and  filtering  process,
       so you can launch several attacks at the same time or use your own tool
       for the attack. The crucial point is that the packets have to arrive to
       ettercap  with the correct mac address and a different ip address (only
       these packets will be forwarded).

       The most relevant ettercap features are:

       SSH1 support : you can sniff User and Pass, and even  the  data  of  an
       SSH1 connection. ettercap is the first software capable to sniff an SSH
       connection in FULL-DUPLEX

       SSL support : you can sniff SSL secured data... a fake  certificate  is
       presented to the client and the session is decrypted.

       Characters  injection  in  an  established  connection : you can inject
       characters  to  the  server  (emulating  commands)  or  to  the  client
       (emulating replies) maintaining the connection alive !!

       Packet filtering/dropping: You can set up a filter script that searches
       for a particular string (even hex)  in  the  TCP  or  UDP  payload  and
       replace  it  with yours or drop the entire packet. The filtering engine
       can match any field of the network protocols and  modify  whatever  you
       want (see etterfilter(8)).

       Remote  traffic  sniffing  through  tunnels and route mangling: You can
       play with linux cooked interfaces or use the integrated plugin to sniff
       tunneled  or  route-mangled remote connections and perform mitm attacks
       on them.

       Plug-ins support : You can create your own plugin using the  ettercap's

       Password  collector  for  :  TELNET,  FTP, POP, RLOGIN, SSH1, ICQ, SMB,
       LDAP,  NFS, SNMP, HALF LIFE, QUAKE 3, MSN, YMSG (other protocols coming

       Passive OS fingerprint: you scan passively the lan (without sending any
       packet)  and gather detailed info about the hosts in the LAN: Operating
       System, running services, open  ports,  IP,  mac  address  and  network
       adapter vendor.

       Kill  a  connection:  from  the  connections  list you can kill all the
       connections you want


       There is no concept of SOURCE nor DEST. The two targets are intended to
       filter  traffic  coming from one to the other and vice-versa (since the
       connection is bidirectional).

       TARGET is in the form MAC/IPs/PORTs.
       NOTE: If IPv6 is enabled, TARGET is in the form MAC/IPs/IPv6/PORTs.

       If you want you can omit any of its parts and this  will  represent  an
       ANY in that part.
       "//80" means ANY mac address, ANY ip and ONLY port 80
       "/" means ANY mac address, ONLY ip and ANY port

       MAC must be unique and in the form 00:11:22:33:44:55

       IPs is a range of IP in dotted notation. You can specify range with the
       - (hyphen) and single ip with , (comma). You can also use ; (semicolon)
       to indicate different ip addresses.
       ";"  expands  into  ip,  2,  3,  4,  5 and

       PORTs is a range of PORTS. You can specify range with  the  -  (hyphen)
       and single port with , (comma).
       "20-25,80,110" expands into ports 20, 21, 22, 23, 24, 25, 80 and 110

       you  can  reverse the matching of the TARGET by adding the -R option to
       the command line. So if you want to sniff ALL the traffic BUT  the  one
       coming or going to you can specify "./ettercap -R /"

       TARGETs  are  also  responsible of the initial scan of the lan. You can
       use them to restrict the scan to only a subset  of  the  hosts  in  the
       netmask.  The  result  of  the  merging between the two targets will be
       scanned. remember that not specifying a target means "no  target",  but
       specifying "//" means "all the hosts in the subnet".


       ettercap  needs  root  privileges to open the Link Layer sockets. After
       the initialization phase, the root privs are  not  needed  anymore,  so
       ettercap  drops  them  to  UID  = 65535 (nobody). Since ettercap has to
       write (create) log files, it must be executed in a directory  with  the
       right  permissions  (e.g.  /tmp/).  If  you  want  to  drop  privs to a
       different uid, you can export the environment variable EC_UID with  the
       value  of  the  uid  you  want  to  drop  the  privs  to  (e.g.  export
       EC_UID=500) or set the correct parameter in the etter.conf file.


       While performing the SSL mitm attack, ettercap substitutes the real ssl
       certificate  with  its  own. The fake certificate is created on the fly
       and all the fields are filled according to the real cert  presented  by
       the server. Only the issuer is modified and signed with the private key
       contained in the 'etter.ssl.crt' file. If you want to use  a  different
       private  key  you  have to regenerate this file. To regenerate the cert
       file use the following commands:

       openssl genrsa -out etter.ssl.crt 1024
       openssl req -new -key etter.ssl.crt -out tmp.csr
       openssl x509 -req -days 1825 -in tmp.csr  -signkey  etter.ssl.crt  -out
       cat >> etter.ssl.crt
       rm -f tmp.csr

       NOTE: SSL mitm is not available (for now) in bridged mode.

       NOTE:  You  can use the --certificate/--private-key long options if you
       want to specify a different file rather than the etter.ssl.crt file.


       Options that make sense together can generally  be  combined.  ettercap
       will warn the user about unsupported option combinations.


       ettercap  NG  has  a  new  unified  sniffing  method. This implies that
       ip_forwarding in the kernel is always disabled and  the  forwarding  is
       done  by  ettercap.  Every packet with destination mac address equal to
       the host's mac address and destination ip address different for the one
       bound  to  the  iface  will be forwarded by ettercap. Before forwarding
       them, ettercap can content filter, sniff, log or drop them. It does not
       matter  how these packets are hijacked, ettercap will process them. You
       can even use external programs to hijack packet.
       You have full control of what ettercap should receive. You can use  the
       internal  mitm  attacks, set the interface in promisc mode, use plugins
       or use every method you want.

       IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable
       the  ip_forwarding after you have killed ettercap. Since ettercap drops
       its privileges, it cannot restore the ip_forwarding for you.

       -M, --mitm <METHOD:ARGS>
              MITM attack
              This option will activate the man in the middle attack. The mimt
              attack  is totally independent from the sniffing. The aim of the
              attack is to hijack packets and redirect them to  ettercap.  The
              sniffing engine will forward them if necessary.
              You  can choose the mitm attack that you prefer and also combine
              some of them to perform different attacks at the same time.
              If a mitm method requires some parameters you can  specify  them
              after the colon.  (e.g.  -M dhcp:ip_pool,netmask,etc )

              The following mitm attacks are available:

              arp ([remote],[oneway])
                     This method implements the ARP poisoning mitm attack. ARP
                     requests/replies are sent to the victims to poison  their
                     ARP  cache.  Once the cache has been poisoned the victims
                     will send all packets to the attacker which, in turn, can
                     modify and forward them to the real destination.

                     In  silent  mode  (-z  option)  only  the first target is
                     selected, if you want to poison multiple target in silent
                     mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     'ANY' (all the hosts in the  LAN).  The  target  list  is
                     joined  with the hosts list (created by the arp scan) and
                     the result is  used  to  determine  the  victims  of  the

                     The  parameter  "remote"  is  optional  and  you  have to
                     specify it  if  you  want  to  sniff  remote  ip  address
                     poisoning  a  gateway. Indeed if you specify a victim and
                     the  gw  in  the  TARGETS,  ettercap  will   sniff   only
                     connection  between them, but to enable ettercap to sniff
                     connections that pass thru the gw, you have to  use  this

                     The parameter "oneway" will force ettercap to poison only
                     from TARGET1 to TARGET2. Useful if  you  want  to  poison
                     only  the client and not the router (where an arp watcher
                     can be in place).


                     the targets are: / /
                     and  the  host  list  is:

                     the associations between the victims will be:
                     1 and 16, 1 and 18, 3 and 16, 3 and 18

                     if  the  targets overlap each other, the association with
                     identical ip address will be skipped.

                     NOTE: if you manage to poison a client, you have  to  set
                     correct routing table in the kernel specifying the GW. If
                     your routing table is  incorrect,  the  poisoned  clients
                     will not be able to navigate the Internet.

              icmp (MAC/IP)
                     This  attack  implements  ICMP  redirection.  It  sends a
                     spoofed icmp redirect message to the  hosts  in  the  lan
                     pretending  to  be  a  better  route  for  internet.  All
                     connections  to  internet  will  be  redirected  to   the
                     attacker  which,  in  turn, will forward them to the real
                     gateway. The resulting attack is a HALF-DUPLEX mitm. Only
                     the  client  is  redirected,  since  the gateway will not
                     accept  redirect  messages  for  a   directly   connected
                     network.  BE  SURE  TO  NOT  USE  FILTERS THAT MODIFY THE
                     PAYLOAD LENGTH. you can use a filter to  modify  packets,
                     but  the  length must be the same since the tcp sequences
                     cannot be updated in both ways.
                     You have to pass as argument the MAC and the  IP  address
                     of the real gateway for the lan.
                     Obviously  you  have to be able to sniff all the traffic.
                     If you are on a switch you have to use a  different  mitm
                     attack such as arp poisoning.

                     NOTE:  to  restrict  the  redirection  to a given target,
                     specify it as a TARGET


                     -M icmp:00:11:22:33:44:55/

                     will redirect all the connections  that  pass  thru  that

              dhcp (ip_pool/netmask/dns)
                     This attack implements DHCP spoofing. It pretends to be a
                     DHCP server and tries to win the race condition with  the
                     real  one  to  force  the client to accept the attacker's
                     reply. This way ettercap is able  to  manipulate  the  GW
                     parameter  and  hijack all the outgoing traffic generated
                     by the clients.
                     The resulting attack is a HALF-DUPLEX mitm. So be sure to
                     use appropriate filters (see above in the ICMP section).

                     You  have to pass the ip pool to be used, the netmask and
                     the ip of the dns server.  Since ettercap  tries  to  win
                     the  race  with the real server, it DOES NOT CHECK if the
                     ip is already assigned. You have to specify an ip pool of
                     FREE  addresses to be used. The ip pool has the same form
                     of the target specification.

                     If the client sends a  dhcp  request  (suggesting  an  ip
                     address) ettercap will ack on that ip and modify only the
                     gw option. If the client makes a dhcp discovery, ettercap
                     will use the first unused ip address of the list you have
                     specified on command line. Every discovery consumes an ip
                     address.  When  the list is over, ettercap stops offering
                     new ip addresses and will reply only to dhcp requests.
                     If you don't want to  offer  any  ip  address,  but  only
                     change  the  router  information of dhcp request/ack, you
                     can specify an empty ip_pool.

                     BIG WARNING: if you specify a list of ip that are in use,
                     you  will  mess your network! In general, use this attack
                     carefully. It can really mess things up!  When  you  stop
                     the  attack, all the victims will be still convinced that
                     ettercap is the gateway until the lease expires...


                     -M dhcp:,35,50-60/
                     reply to DHCP offer and request.

                     -M dhcp:/
                     reply only to DHCP request.

              port ([remote],[tree])
                     This attack implements Port Stealing. This  technique  is
                     useful  to  sniff  in  a  switched  environment  when ARP
                     poisoning is not  effective  (for  example  where  static
                     mapped ARPs are used).

                     It  floods  the  LAN (based on port_steal_delay option in
                     etter.conf) with ARP packets. If you  don't  specify  the
                     "tree"  option,  the  destination  MAC  address  of  each
                     "stealing" packet is  the  same  as  the  attacker's  one
                     (other  NICs  won't  see  these  packets), the source MAC
                     address will be one of the MACs in the  host  list.  This
                     process  "steals"  the switch port of each victim host in
                     the host list.  Using low  delays,  packets  destined  to
                     "stolen"  MAC addresses will be received by the attacker,
                     winning the race condition  with  the  real  port  owner.
                     When the attacker receives packets for "stolen" hosts, it
                     stops the flooding process and performs  an  ARP  request
                     for the real destination of the packet.  When it receives
                     the ARP reply it's sure that the victim has "taken  back"
                     his  port,  so  ettercap  can  re-send  the packet to the
                     destination as is.  Now  we  can  re-start  the  flooding
                     process waiting for new packets.

                     If you use the "tree" option, the destination MAC address
                     of each stealing packet will be a  bogus  one,  so  these
                     packets  will  be  propagated to other switches (not only
                     the directly connected one). This way you will be able to
                     steal  ports  on other switches in the tree (if any), but
                     you will generate a huge amount of traffic (according  to
                     port_steal_delay).   The  "remote"  option  has  the same
                     meaning as in "arp" mitm method.

                     When you stop the  attack,  ettercap  will  send  an  ARP
                     request  to  each  stolen  host  giving back their switch
                     You can perform either HALF or FULL DUPLEX mitm according
                     to target selection.

                     NOTE: Use this mitm method only on ethernet switches. Use
                     it carefully,  it  could  produce  performances  loss  or
                     general havoc.

                     NOTE:  You  can NOT use this method in only-mitm mode (-o
                     flag), because it hooks  the  sniffing  engine,  and  you
                     can't use interactive data injection.

                     NOTE: It could be dangerous to use it in conjunction with
                     other mitm methods.

                     NOTE: This  mitm  method  doesn't  work  on  Solaris  and
                     Windows  because  of the lipcap and libnet design and the
                     lack of certain ioctl().  (We will feature this method on
                     these OSes if someone will request it...)


                     The targets are: / /
                     You will intercept and visualize traffic between
                     and, but you will receive all the  traffic  for
            and too.

                     The target is: /
                     You  will  intercept  and  visualize  all the traffic for

              ndp ([remote],[oneway])
                     NOTE: This MITM method is only supported if IPv6  support
                     has been enabled.

                     This  method implements the NDP poisoning attack which is
                     used for MITM of IPv6  connections.  ND  requests/replies
                     are  sent  to the victims to poison their neighbor cache.
                     Once the cache has been poisoned the  victims  will  send
                     all  IPv6  packets  to  the  attacker which, in turn, can
                     modify and forward them to the real destination.

                     In silent mode (-z  option)  only  the  first  target  is
                     selected, if you want to poison multiple target in silent
                     mode use the -j option to load a list from a file.

                     You can select empty targets and they will be expanded as
                     'ANY'  (all  the  hosts  in  the LAN). The target list is
                     joined with the hosts list (created by the arp scan)  and
                     the  result  is  used  to  determine  the  victims of the

                     The parameter  "remote"  is  optional  and  you  have  to
                     specify  it  if  you  want  to  sniff  remote  ip address
                     poisoning a gateway. Indeed if you specify a  victim  and
                     the   gw   in  the  TARGETS,  ettercap  will  sniff  only
                     connection between them, but to enable ettercap to  sniff
                     connections  that  pass thru the gw, you have to use this

                     The parameter "oneway" will force ettercap to poison only
                     from  TARGET1  to  TARGET2.  Useful if you want to poison
                     only the client and not the router (where an arp  watcher
                     can be in place).


                     Targets         are:         //fe80::260d:afff:fe6e:f378/
                     Ranges of IPv6 addresses are not yet supported.

                     NOTE: if you manage to poison a client, you have  to  set
                     correct routing table in the kernel specifying the GW. If
                     your routing table is  incorrect,  the  poisoned  clients
                     will not be able to navigate the Internet.

                     NOTE:  in  IPv6  usually  the  link-local  address of the
                     router is being used as the gateway address. Therefor you
                     need  to  set the link-local address of the router as one
                     target and the global-unicast address of  the  victim  as
                     the  other  in  order  to  set up a successfull IPv6 MITM
                     attack using NDP poisoning.

       -o, --only-mitm
              This options disables the sniffing thread and enables  only  the
              mitm attack.  Useful if you want to use ettercap to perform mitm
              attacks and another sniffer (such as  wireshark)  to  sniff  the
              traffic.  Keep  in  mind  that  the packets are not forwarded by
              ettercap. The kernel will be  responsible  for  the  forwarding.
              Remember to activate the "ip forwarding" feature in your kernel.

       -f, --pcapfilter <FILTER>
              Set  a  capturing  filter in the pcap library. The format is the
              same as tcpdump(1). Remember that this kind of filter  will  not
              sniff  packets out of the wire, so if you want to perform a mitm
              attack, ettercap will not be able to forward hijacked packets.
              These filters are useful to decrease  the  network  load  impact
              into ettercap decoding module.

       -B, --bridge <IFACE>
              BRIDGED sniffing
              You  need two network interfaces. ettercap will forward form one
              to the other all the traffic it sees. It is useful  for  man  in
              the  middle  at the physical layer. It is totally stealthy since
              it is passive and there is  no  way  for  an  user  to  see  the
              You can content filter all the traffic as you were a transparent
              proxy for the "cable".


       -r, --read <FILE>
              OFF LINE sniffing
              With this option enabled, ettercap will  sniff  packets  from  a
              pcap compatible file instead of capturing from the wire.
              This  is  useful  if  you  have  a  file  dumped from tcpdump or
              wireshark and you want to make an analysis (search for passwords
              or passive fingerprint) on it.
              Obviously  you  cannot  use  "active" sniffing (arp poisoning or
              bridging) while sniffing from a file.

       -w, --write <FILE>
              WRITE packet to a pcap file
              This is useful if you have to use "active" sniffing (arp poison)
              on  a  switched  LAN  but  you  want to analyze the packets with
              tcpdump or wireshark. You  can  use  this  option  to  dump  the
              packets  to  a  file  and  then  load  it  into  your  favourite

              NOTE: dump file collect ALL the packets disregarding the TARGET.
              This  is  done  because  you  may want to log even protocols not
              supported by ettercap, so you can analyze them with other tools.

              TIP: you can use the -w option in conjunction with the  -r  one.
              This  way  you  will be able to filter the payload of the dumped
              packets or decrypt WEP-encrypted WiFi traffic and dump  them  to
              another file.


       -T, --text
              The text only interface, only printf ;)
              It  is  quite interactive, press 'h' in every moment to get help
              on what you can do.

       -q, --quiet
              Quiet mode. It can be used only in conjunction with the  console
              interface. It does not print packet content. It is useful if you
              want to convert pcap file to ettercap log files.


              ettercap -Tq -L dumpfile -r pcapfile

       -s, --script <COMMANDS>
              With this option you can feed ettercap with command as they were
              typed on the keyboard by the user. This way you can use ettercap
              within your favourite scripts. There is a  special  command  you
              can issue thru this command: s(x). this command will sleep for x


              ettercap -T -s 'lq'  will print the list of the hosts and exit
              ettercap -T -s  's(300)olqq'   will  collect  the  infos  for  5
              minutes, print the list of the local profiles and exit

       -C, --curses
              Ncurses   based   GUI.   See   ettercap_curses(8)   for  a  full

       -G, --gtk
              The nice GTK2 interface (thanks Daten...).

       -D, --daemonize
              Daemonize ettercap. This option will detach  ettercap  from  the
              current  controlling  terminal  and  set it as a daemon. You can
              combine this feature with  the  "log"  option  to  log  all  the
              traffic  in  the background. If the daemon fails for any reason,
              it will create the file "./ettercap_daemonized.log" in which the
              error  caught  by ettercap will be reported. Furthermore, if you
              want to have a complete debug of the  daemon  process,  you  are
              encouraged to recompile ettercap in debug mode.


       -b, --broadcast
              Tells Ettercap to process packets coming from Broadcast address.

       -i, --iface <IFACE>
              Use  this  <IFACE> instead of the default one. The interface can
              be unconfigured (requires libnet >= 1.1.2), but in this case you
              cannot use MITM attacks and you should set the unoffensive flag.

       -I, --iflist
              This  option  will  print  the  list  of  all  available network
              interfaces that can be  used  within  ettercap.  The  option  is
              particularly   useful  under  windows  where  the  name  of  the
              interface is not so obvious as under *nix.

       -Y, --secondary <interface list>
              Specify a list of (or single) secondary  interfaces  to  capture
              packets from.

       -A, --address <ADDRESS>
              Use  this  <ADDRESS>  instead  of  the  one autodetected for the
              current iface. This option is useful if you  have  an  interface
              with multiple ip addresses.

       -n, --netmask <NETMASK>
              Use  this  <NETMASK>  instead  of  the  one  associated with the
              current iface. This option is useful if you have the NIC with an
              associated netmask of class B and you want to scan (with the arp
              scan) only a class C.

       -R, --reversed
              Reverse  the  matching  in  the  TARGET  selection.   It   means
              not(TARGET). All but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP).
              This  is  useful  if  you  want  to select a port via the TARGET
              specification but you want to differentiate between tcp or udp.
              PROTO can be "tcp", "udp" or "all" for both.

       -6, --ip6scan
              Send ICMPv6 probes to discover active IPv6 nodes  on  the  link.
              This  options  sends  a ping request to the all-nodes address to
              motivate active IPv6 hosts to respond. You should not  use  this
              option  if  you  try  to hide yourself. Therefore this option is

              NOTE: This option is only available if  IPv6  support  has  been

       -z, --silent
              Do not perform the initial ARP scan of the LAN.

              NOTE:  you  will  not  have the hosts list, so you can't use the
              multipoison feature.  you can only select two hosts for  an  ARP
              poisoning attack, specifying them through the TARGETs

       -p, --nopromisc
              Usually,  ettercap  will  put  the  interface in promisc mode to
              sniff all the traffic on the wire. If you  want  to  sniff  only
              your connections, use this flag to NOT enable the promisc mode.

       -S, --nosslmitm
              Usually,  ettercap forges SSL certificates in order to intercept
              https traffic.  This option disables that behavior.

       -u, --unoffensive
              Every time ettercap starts, it disables  ip  forwarding  in  the
              kernel and begins to forward packets itself. This option prevent
              to do that, so the responsibility of ip forwarding  is  left  to
              the kernel.
              This  options  is  useful  if  you want to run multiple ettercap
              instances. You will have one instance (the one  without  the  -u
              option)  forwarding  the  packets,  and  all the other instances
              doing their work without forwarding them. Otherwise you will get
              packet duplicates.
              It  also disables the internal creation of the sessions for each
              connection. It increases performances, but you will not be  able
              to modify packets on the fly.
              If  you  want  to  use  a mitm attack you have to use a separate
              You have to use this option if  the  interface  is  unconfigured
              (without an ip address.)
              This  is also useful if you want to run ettercap on the gateway.
              It  will  not  disable  the  forwarding  and  the  gateway  will
              correctly route the packets.

       -j, --load-hosts <FILENAME>
              It  can  be used to load a hosts list from a file created by the
              -k option. (see below)

       -k, --save-hosts <FILENAME>
              Saves the hosts list to a file. Useful when you have many  hosts
              and  you  don't  want to do an ARP storm at startup any time you
              use ettercap. Simply use this options and dump  the  list  to  a
              file, then to load the information from it use the -j <filename>

       -P, --plugin <PLUGIN>
              Run the selected PLUGIN. Many plugins need target specification,
              use  TARGET as always. Use multiple occurances of this parameter
              to select multiple plugins.
              In console mode (-C option), standalone plugins are executed and
              then  the  application exits. Hook plugins are activated and the
              normal sniffing is performed.
              To have a list of the  available  external  plugins  use  "list"
              (without quotes) as plugin name (e.g. ./ettercap -P list).

              NOTE: you can also activate plugins directly from the interfaces
              (always press "h" to get the inline help)

              More detailed info about plugins and about how to write your own
              are found in the man page ettercap_plugin(8)

       -F, --filter <FILE>
              Load  the  filter  from  the  file  <FILE>.  The  filter must be
              compiled with  etterfilter(8).  The  utility  will  compile  the
              filter  script  and  produce an ettercap-compliant binary filter
              file. Read the etterfilter(8) man page for the list of functions
              you  can  use inside a filter script.  Any number of filters can
              be loaded by specifying the option multiple times;  packets  are
              passed through each filter in the order specified on the command
              line.  You can  also  load  a  script  without  enabling  it  by
              appending :0 to the filename.
              NOTE:   these   filters   are  different  from  those  set  with
              --pcapfilter. An ettercap filter is a  content  filter  and  can
              modify the payload of a packet before forwarding it. Pcap filter
              are used to capture only certain packets.
              NOTE: you can use filters on pcapfile to modify them and save to
              another file, but in this case you have to pay attention on what
              you are doing, since ettercap will  not  recalculate  checksums,
              nor  split packets exceeding the mtu (snaplen) nor anything like

       -W, --wifi-key <KEY>
              You can specify a key to decrypt WiFi packets (WEP or WPA). Only
              the  packets  decrypted  successfully  will  be  passed  to  the
              decoders stack, the others will be skipped with a message.
              The parameter  has  the  following  syntax:  type:bits:t:string.
              Where  'type' can be: wep, wpa-pws or wpa-psk, 'bits' is the bit
              length of the key (64, 128 or 256),  't'  is  the  type  of  the
              string  ('s' for string and 'p' for passphrase). 'string' can be
              a string or an escaped hex sequences.

              --wifi-key wep:128:p:secret
              --wifi-key wep:128:s:ettercapwep0
              --wifi-key 'wep:64:s:\x01\x02\x03\x04\x05'
              --wifi-key wpa:pwd:ettercapwpa:ssid
              --wifi-key wpa:psk:

       -a, --config <CONFIG>
              Loads an alternative config  file  instead  of  the  default  in
              /etc/etter.conf.   This is useful if you have many preconfigured
              files for different situations.

       --certificate <FILE>
              Tells Ettercap to use the specified certificate file for the SSL
              MiTM attack.

       --private-key <FILE>
              Tells Ettercap to use the specified private key file for the SSL
              MiTM attack.


       -e, --regex <REGEX>
              Handle only packets that match the regex.
              This option is useful in  conjunction  with  -L.  It  logs  only
              packets that match the posix regex REGEX.
              It  impacts even the visualization of the sniffed packets. If it
              is set only packets matching the regex will be displayed.

       -V, --visual <FORMAT>
              Use this option to set the visualization method for the  packets
              to be displayed.

              FORMAT may be one of the following:

              hex    Print the packets in hex format.


                     the string  "HTTP/1.1 304 Not Modified"  becomes:

                     0000:  4854  5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1
                     304 Not
                     0010: 204d 6f64 6966 6965 64                    Modified

              ascii  Print  only  "printable"  characters,  the   others   are
                     displayed as dots '.'

              text   Print  only  the  "printable"  characters  and  skip  the

              ebcdic Convert an EBCDIC text to ASCII.

              html   Strip all the html tags from the text.  A  tag  is  every
                     string between < and >.


                     <title>This  is  the  title</title>,  but  the  following
                     <string> will not be displayed.

                     This  is  the  title,  but  the  following  will  not  be

              utf8   Print  the  packets  in  UTF-8  format. The encoding used
                     while  performing  the  conversion  is  declared  in  the
                     etter.conf(5) file.

       -d, --dns
              Resolve ip addresses into hostnames.

              NOTE:  this  may  seriously  slow  down  ettercap  while logging
              passive information.  Every time a new host is found, a query to
              the  dns  is  performed.  Ettercap  keeps  a  cache  for already
              resolved host to increase the speed, but new hosts  need  a  new
              query  and  the dns may take up to 2 or 3 seconds to respond for
              an unknown host.

              HINT: ettercap  collects  the  dns  replies  it  sniffs  in  the
              resolution  table,  so  even  if  you specify to not resolve the
              hostnames, some of them will be resolved because the  reply  was
              previously  sniffed.  think about it as a passive dns resolution
              for free... ;)

       -E, --ext-headers
              Print extended headers for every  displayed  packet.  (e.g.  mac

       -Q, --superquiet
              Super  quiet  mode. Do not print users and passwords as they are
              collected. Only store them in the profiles. It can be useful  to
              run  ettercap in text only mode but you don't want to be flooded
              with dissectors messages. Useful when using plugins because  the
              sniffing  process  is  always  active,  it  will  print  all the
              collected  infos,  with  this  option  you  can  suppress  these
              NOTE: this options automatically sets the -q option.


              ettercap -TzQP finger /


       -L, --log <LOGFILE>
              Log  all  the packets to binary files. These files can be parsed
              by etterlog(8) to extract human readable data. With this option,
              all  packets  sniffed  by ettercap will be logged, together with
              all the passive info (host info + user & pass) it  can  collect.
              Given  a LOGFILE, ettercap will create LOGFILE.ecp (for packets)
              and LOGFILE.eci (for the infos).

              NOTE: if you specify this option on command line you don't  have
              to  take  care of privileges since the log file is opened in the
              startup phase (with high privs).  But  if  you  enable  the  log
              option  while  ettercap  is already started, you have to be in a
              directory where uid = 65535 or uid = EC_UID can write.

              NOTE: the logfiles can be compressed with the deflate  algorithm
              using the -c option.

       -l, --log-info <LOGFILE>
              Very  similar to -L but it logs only passive information + users
              and passwords for each host. The file will be named LOGFILE.eci

       -m, --log-msg <LOGFILE>
              It  stores  in  <LOGFILE>  all  the  user  messages  printed  by
              ettercap.  This  can  be  useful  when you are using ettercap in
              daemon mode or if you want  to  track  down  all  the  messages.
              Indeed,  some dissectors print messages but their information is
              not stored anywhere, so this is the only way to  keep  track  of

       -c, --compress
              Compress the logfile with the gzip algorithm while it is dumped.
              etterlog(8)  is  capable  of  handling   both   compressed   and
              uncompressed log files.

       -o, --only-local
              Stores profiles information belonging only to the LAN hosts.

              NOTE:  this  option  is  effective  only  against  the  profiles
              collected in memory.  While logging to a file ALL the hosts  are
              logged.  If  you want to split them, use the related etterlog(8)

       -O, --only-remote
              Stores profiles information belonging only to remote hosts.


       -v, --version
              Print the version and exit.

       -h, --help
              prints the help screen with a short  summary  of  the  available


       Here are some examples of using ettercap.

       ettercap -Tp

              Use  the  console  interface  and  do  not  put the interface in
              promisc mode. You will see only your traffic.

       ettercap -Tzq

              Use the console interface, do not ARP scan the net and be quiet.
              The   packet  content  will  not  be  displayed,  but  user  and
              passwords, as well as other messages, will be displayed.

       ettercap -T -j /tmp/victims -M arp / /

              Will load the hosts list from /tmp/victims and  perform  an  ARP
              poisoning attack against the two target. The list will be joined
              with  the  target  and  the  resulting  list  is  used  for  ARP

       ettercap -T -M arp // //

              Perform  the  ARP  poisoning attack against all the hosts in the
              LAN. BE CAREFUL !!

       ettercap -T -M arp:remote / /

              Perform the ARP poisoning against the gateway and  the  host  in
              the  lan  between  2 and 10. The 'remote' option is needed to be
              able to sniff the remote traffic  the  hosts  make  through  the

       ettercap -Tzq //110

              Sniff only the pop3 protocol from every hosts.

       ettercap -Tzq /,22,23

              Sniff telnet, ftp and ssh connections to

       ettercap -P list

              Prints the list of all available plugins



              Stores  persistent  information (e.g., window placement) between


       Alberto Ornaghi (ALoR) <>
       Marco Valleri (NaGA) <>


       Emilio Escobar (exfil)  <>
       Eric Milam (Brav0Hax)  <>


       Mike Ryan (justfalter)  <>
       Gianfranco Costamagna (LocutusOfBorg)  <>
       Antonio Collarino (sniper)  <>
       Ryan Linn   <>
       Jacob Baines   <>


       Dhiru Kholia (kholia)  <>
       Alexander Koeppe (koeppea)  <>
       Martin Bos (PureHate)  <>
       Enrique Sanchez
       Gisle Vanem  <>
       Johannes Bauer  <>
       Daten (Bryan Schneiders)  <>


       etter.conf(5)   ettercap_curses(8)   ettercap_plugins(8)    etterlog(8)
       etterfilter(8) ettercap-pkexec(8)



       git clone git://
       git clone


       Our software never has bugs.
       It just develops random features.   ;)


       -  ettercap doesn't handle fragmented packets... only the first segment
       will be displayed  by  the  sniffer.  However  all  the  fragments  are
       correctly forwarded.

       +    please    send    bug-report,    patches    or    suggestions   to
       <>          or          visit

       + to report a bug, follow the instructions in the README.BUGS file


       "Even  if  blessed  with  a  feeble  intelligence,  they  are cruel and
       smart..."  this is the description of Ettercap, a monster  of  the  RPG
       Advanced Dungeons & Dragon.

       The  name  "ettercap"  was  chosen  because  it  has  an assonance with
       "ethercap" which means "ethernet capture" (what ettercap actually does)
       and  also because such monsters have a powerful poison... and you know,
       arp poisoning... ;)

The Lord Of The (Token)Ring

       (the fellowship of the packet)

       "One Ring to link them all, One Ring to ping them,
        one Ring to bring them all and in the darkness sniff them."

Last words

       "Programming today is a race between  software  engineers  striving  to
       build  bigger  and better idiot-proof programs, and the Universe trying
       to produce bigger and better idiots. So far, the Universe is  winning."
       - Rich Cook