bionic (5) etter.conf.5.gz

Provided by: ettercap-common_0.8.2-10build4_amd64 bug

NAME

       etter.conf - Ettercap configuration file

DESCRIPTION

       etter.conf  is  the configuration file that determines ettercap behaviour. It is always loaded at startup
       and it configures some attributes used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each entry defines a variable that can be customized. Every value MUST be an integer. Sections  are  used
       only to group together some variables.

       NOTE:  if  you  omit a variable in the conf file, it will be initialized with the value 0. It is strongly
       discouraged to not initialize critical variables such as "arp_poison_delay" or "connection_timeout".

       The following is a list of available variables:

       [privs]

       ec_uid              This variable specifies the UID to which privileges are dropped at startup. After the
                           socket  at  link  layer  has been opened the privileges are dropped to a specific uid
                           different from root for security reasons. etter.conf is the only file  that  is  read
                           with  root privs. Be sure that the specified uid has enough privs to read other files
                           (etter.*)  You can bypass this variable by setting the environment variable EC_UID.

       [mitm]

       arp_storm_delay     The value represents the milliseconds to wait between two consecutive packets  during
                           the  initial ARP scan. You can increment this value to be less aggressive at startup.
                           The randomized scan plus a high delay can fool some types of ARP scan detectors.

       arp_poison_smart    With this variable set, only 3 inital poisoned ARP messages are sent to the  victims.
                           This  poisoned  status  is  kept  up by ettercap with responding to ARP requests from
                           victims that want to refresh their ARP cache.  This  makes  the  ARP  poisoning  very
                           stealthy but may be unreliable on shared media such as WiFi.

       arp_poison_warm_up  When  the  poisoning  process  starts,  the inter-packet delay is low for the first 5
                           poisons (to be sure the poisoning process has been successful).  After  the  first  5
                           poisons,  the delay is incremented (to keep up the poisoning). This variable controls
                           the delay for the first 5 poisons. The value is in seconds.
                           The same delay is used when the victims are restored  to  the  original  associations
                           (RE-ARPing) when ettercap is closed.

       arp_poison_delay    This  variable  controls  the poisoning delay after the first 5 poisons. The value is
                           expressed in seconds. You can increase this value (to try to fool the IDS) up to  the
                           timeout of the ARP cache (which depends on the poisoned operating system).

       arp_poison_icmp     Enable  the  sending  of  a  spoofed ICMP message to force the targets to make an arp
                           request. This will create an arp entry in the host cache, so ettercap will be able to
                           win  the  race  condition  and  poison the target. Useful against targets that do not
                           accept gratuitous arp if the entry is not in the cache.

       arp_poison_reply    Use ARP replies to poison the targets. This is the classic attack.

       arp_poison_request  Use ARP request to poison the targets. Useful against targets  that  cache  even  arp
                           request values.

       arp_poison_equal_mac
                           Set this option to 0 if you want to skip the poisoning of two hosts with the same mac
                           address. This may happen if a NIC has one or more aliases on the same network.

       dhcp_lease_time     This is the lease time (in seconds) for a dhcp assignment. You can lower  this  value
                           to  permit  the  victims  to receive a correct dhcp reply after you have stopped your
                           attack. Using higher timeouts can seriously mess up your network after the attack has
                           finished. On the other hand some clients will prefer a higher lease time, so you have
                           to increase it to win the race condition against the real server.

       port_steal_delay    This is the delay time (in milliseconds) between stealing packets for the "port" mitm
                           method.  With  low  delays  you  will be able to intercept more packets, but you will
                           generate more traffic. You have to tune this value in order to find  a  good  balance
                           between  the  number of intercepted packets, re-transmitted packets and lost packets.
                           This value depends on  full/half  duplex  channels,  network  drivers  and  adapters,
                           network general configuration and hardware.

       port_steal_send_delay
                           This  is the delay time (in microseconds) between packets when the "port" mitm method
                           has to re-send packets queues. As said for port_steal_delay you  have  to  tune  this
                           option to the lowest acceptable value.

       ndp_poison_warm_up  This  option  operates  similar to the arp_poison_warm_up option.  When the poisoning
                           process starts, this option controls the NDP poison delay for the first 5 poisons (to
                           be  sure  the poisoning process has been successful).  After the first 5 poisons, the
                           delay is incremented (to keep up the poisoning).  This variable  controls  the  delay
                           for  the  first  5  poisons. The value should be lower than the ndp_poison_delay. The
                           value is in seconds.
                           The same delay is used when the victims are restored to the original associations
                            when ettercap is closed.

       ndp_poison_delay    This option is similar to the arp_poison_delay option.   It  controls  the  delay  in
                           seconds  for  sending out the poisoned NDP packets to poison victim's neighbor cache.
                           This value may be increased to hide from IDSs.  But increasing the value increases as
                           well  the  probability  for  failing race conditions during neighbor discovery and to
                           miss some packets.

       ndp_poison_send_delay
                           This option controls the delay in microseconds between poisoned NDP packets are sent.
                           This  value may be increased to hide from IDSs. But increasing the value increases as
                           well the probability for failing race conditions during  neighbor  discovery  and  to
                           miss some packets.

       ndp_poison_icmp     Enable  the  sending  of  a spoofed ICMPv6 message to motivate the targets to perform
                           neighbor discovery. This will create an entry in the host neighbor cache, so ettercap
                           will  be able to win the race condition and poison the target. Useful against targets
                           that do not accept neighbor advertisements if the entry is not in the cache.

       ndp_poison_equal_mac
                           Set this option to 0 if you want to skip the NDP poisoning of two hosts with the same
                           mac address. This may happen if a NIC has one or more aliases on the same network.

       icmp6_probe_delay   This  option  defines  the  time  in  seconds ettercap waits for active IPv6 nodes to
                           respond to the ICMP probes. Decreasing this value could lead  to  miss  replies  from
                           active IPv6 nodes, hence miss them in the host list. Increasing the value usually has
                           no impact; normally nodes can manage to answer during the default delay.

                           NOTE: The ndp and icmp6 options are only available if ettercap has  been  built  with
                           IPv6 support

       [connections]

       connection_timeout  Every  time a new connection is discovered, ettercap allocates the needed structures.
                           After a customizable timeout, you can free these structures to keep the memory  usage
                           low.  This  variable represents this timeout. The value is expressed in seconds. This
                           timeout is applied even to the session tracking system (the  protocol  state  machine
                           for dissectors).

       connection_idle     The number of seconds to wait before a connection is marked as IDLE.

       connection_buffer   This  variable  controls  the  size  of  the buffer linked to each connection.  Every
                           sniffed packet is added to the buffer and when the buffer is full the  older  packets
                           are deleted to make room for newer ones. This buffer is useful to view data that went
                           on the cable before you select and view a specific connection. The higher this value,
                           the  higher the ettercap memory occupation.  By the way, the buffer is dynamic, so if
                           you set a buffer of 100.000 byte it is not allocated all together at the first packet
                           of a connection, but it is filled as packets arrive.

       connect_timeout     The  timeout  in  seconds  when using the connect() syscall. Increase it if you get a
                           "Connection timeout" error. This option has nothing to do with connections sniffed by
                           ettercap.  It  is  a timeout for the connections made by ettercap to other hosts (for
                           example when fingerprinting remote host).

       [stats]

       sampling_rate       Ettercap keeps some statistics on  the  processing  time  of  the  bottom  half  (the
                           sniffer)  and  top  half  (the  protocol  decoder).  These statistics are made on the
                           average processing time of sampling_rate packets. You can decrease this value to have
                           a  more  accurate  real-time  picture  of  processing  time  or increase it to have a
                           smoother picture. The total average will not change, but  the  worst  value  will  be
                           heavily influenced by this value.

       [misc]

       close_on_eof        When  reading  from a dump file and using console or daemon UI, this variable is used
                           to determine what action has to be done on EOF. It is a boolean value. If  set  to  1
                           ettercap  will  close itself (useful in scripts). Otherwise the session will continue
                           waiting for user input.

       store_profiles      Ettercap collects in memory a profile for each host it detects. Users  and  passwords
                           are  collected  there.  If  you  want  to  run ettercap in background logging all the
                           traffic, you may want to disable the collecting in memory to save system memory.  Set
                           this  option  to  0  (zero) to disable profiles collection.  A value of 1 will enable
                           collection for all the hosts, 2 will collect only local hosts and 3 only remote hosts
                           (a host is considered remote if it does not belong to the netmask).

       aggressive_dissectors
                           Some  dissectors (such as SSH and HTTPS) need to modify the payload of the packets in
                           order to collect passwords and perform a decryption attack. If you  want  to  disable
                           the "dangerous" dissectors all together, set this value to 0.

       skip_forwarded      If  you  set  this value to 0 you will sniff even packets forwarded by ettercap or by
                           the kernel. It will generate duplicate packets  in  conjunction  with  the  arp  mitm
                           method  (for  example). It could be useful while running ettercap in unoffensive mode
                           on a host with more than one network interface (waiting  for  the  multiple-interface
                           feature...)

       checksum_warning    If  you  set  the  value  to  0  the  messages  about incorrect checksums will not be
                           displayed in the user messages windows (nor logged to a file with -m).
                           Note that this option will not disable the check on the packets, but only prevent the
                           message to be displayed (see below).

       checksum_check      This  option  is  used to completely disable the check on the checksum of the packets
                           that ettercap receives. The check on the  packets  is  performed  to  avoid  ettercap
                           spotting  thru  bad checsum packets (see Phrack 60.12). If you disable the check, you
                           will be able to sniff even bad checksummed packet, but you will be spotted if someone
                           is searching for you...

       [dissectors]

       protocol_name       This  value  represents  the  port on which the protocol dissector has to be bound. A
                           value of 0 will disable the dissector. The name of the variable is the  same  of  the
                           protocol  name.  You  can  specify  a non standard port for each dissector as well as
                           multiple  ports.   The   syntax   for   multiport   selection   is   the   following:
                           port1,port2,port3,...
                           NOTE:  some  dissectors are conditionally compiled . This means that depending on the
                           libraries found in your system some dissectors will be enabled and some  others  will
                           not.  By  default  etter.conf contains all supported dissectors. if you got a "FATAL:
                           Dissector "xxx" does not exists (etter.conf line yy)" error, you have to comment  out
                           the yy line in etter.conf.

       [curses]

       color               You can customize the colors of the curses GUI.
                           Simply set a field to one of the following values and look at the GUI aspect :)
                           Here  is  a  list  of values: 0 Black, 1 Red, 2 Green, 3 Yellow, 4 Blue, 5 Magenta, 6
                           Cyan, 7 White

       [strings]

       utf8_encoding       specifies the encoding to be used while displaying the packets in UTF-8 format.   Use
                           the `iconv --list` command for a list of supported encodings.

       remote_broswer      This command is executed by the remote_browser plugin each time it catches a good URL
                           request into an HTTP connection.  The command should be able to get 2 parameters:

                           %host  the Host: tag in the HTTP header. Used to create the  full  request  into  the
                                  browser.

                           %url   The page requested inside the GET request.

       redir_command_on    You  must provide a valid command (or script) to enable tcp redirection at the kernel
                           level in order to be able to use SSL dissection. Your script should be able to get  3
                           parameters:

                           %iface The network interface on which the rule must be set

                           %port  The source port of the packets to be redirected (443 for HTTPS, 993 for imaps,
                                  etc).

                           %rport The internally bound port to which ettercap listens for connections.
       NOTE: this script is executed with an execve(), so you cannot use pipes or output redirection as  if  you
       were in a shell. We suggest you to make a script if you need those commands.

       redir_command_off   This  script is used to remove the redirect rules applied by 'redir_command_on'.  You
                           should note that this script is called atexit() and thus it has not high  privileges.
                           You  should  provide a setuid program or set ec_uid to 0 in order to be sure that the
                           script is executed successfully.

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO

       ettercap(8) ettercap_curses(8) ettercap_plugins(8) etterlog(8) etterfilter(8) ettercap-pkexec(8)