Provided by: ettercap-common_0.8.3.1-5_amd64 bug

NAME

       etter.conf - Ettercap configuration file

DESCRIPTION

       etter.conf  is  the  configuration  file  that determines ettercap behaviour. It is always
       loaded at startup and it configures some attributes used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each entry defines a variable that can be customized. Every  value  MUST  be  an  integer.
       Sections are used only to group together some variables.

       NOTE: if you omit a variable in the conf file, it will be initialized with the value 0. It
       is strongly discouraged to not initialize critical variables such as "arp_poison_delay" or
       "connection_timeout".

       The following is a list of available variables:

       [privs]

       ec_uid              This  variable  specifies  the  UID to which privileges are dropped at
                           startup. After the socket at link layer has been opened the privileges
                           are  dropped  to  a  specific  uid  different  from  root for security
                           reasons. etter.conf is the only file that is read with root privs.  Be
                           sure  that  the  specified  uid  has  enough privs to read other files
                           (etter.*)  You can bypass this variable  by  setting  the  environment
                           variable EC_UID.

       [mitm]

       arp_storm_delay     The  value represents the milliseconds to wait between two consecutive
                           packets during the initial ARP scan. You can increment this  value  to
                           be  less  aggressive at startup. The randomized scan plus a high delay
                           can fool some types of ARP scan detectors.

       arp_poison_smart    With this variable set, only 3 initial poisoned ARP messages are  sent
                           to  the  victims.  This  poisoned  status  is kept up by ettercap with
                           responding to ARP requests from victims that want to refresh their ARP
                           cache.  This  makes  the  ARP  poisoning  very  stealthy  but  may  be
                           unreliable on shared media such as WiFi.

       arp_poison_warm_up  When the poisoning process starts, the inter-packet delay is  low  for
                           the  first  5  poisons  (to  be  sure  the  poisoning process has been
                           successful). After the first 5 poisons, the delay is  incremented  (to
                           keep up the poisoning). This variable controls the delay for the first
                           5 poisons. The value is in seconds.
                           The same delay is used when the victims are restored to  the  original
                           associations (RE-ARPing) when ettercap is closed.

       arp_poison_delay    This  variable controls the poisoning delay after the first 5 poisons.
                           The value is expressed in seconds. You can increase this value (to try
                           to  fool the IDS) up to the timeout of the ARP cache (which depends on
                           the poisoned operating system).

       arp_poison_icmp     Enable the sending of a spoofed ICMP message to force the  targets  to
                           make  an arp request. This will create an arp entry in the host cache,
                           so ettercap will be able to win the  race  condition  and  poison  the
                           target.  Useful  against  targets that do not accept gratuitous arp if
                           the entry is not in the cache.

       arp_poison_reply    Use ARP replies to poison the targets. This is the classic attack.

       arp_poison_request  Use ARP request to poison the targets.  Useful  against  targets  that
                           cache even arp request values.

       arp_poison_equal_mac
                           Set  this  option  to 0 if you want to skip the poisoning of two hosts
                           with the same mac address. This may happen if a NIC has  one  or  more
                           aliases on the same network.

       dhcp_lease_time     This  is  the  lease  time (in seconds) for a dhcp assignment. You can
                           lower this value to permit the victims to receive a correct dhcp reply
                           after  you  have  stopped  your  attack.  Using  higher  timeouts  can
                           seriously mess up your network after the attack has finished.  On  the
                           other  hand  some clients will prefer a higher lease time, so you have
                           to increase it to win the race condition against the real server.

       port_steal_delay    This is the delay time (in milliseconds) between stealing packets  for
                           the  "port" mitm method. With low delays you will be able to intercept
                           more packets, but you will generate more traffic.  You  have  to  tune
                           this  value  in  order  to  find  a good balance between the number of
                           intercepted packets, re-transmitted packets and  lost  packets.   This
                           value  depends  on  full/half  duplex  channels,  network  drivers and
                           adapters, network general configuration and hardware.

       port_steal_send_delay
                           This is the delay time (in  microseconds)  between  packets  when  the
                           "port"  mitm  method  has  to  re-send  packets  queues.  As  said for
                           port_steal_delay you have to tune this option to the lowest acceptable
                           value.

       ndp_poison_warm_up  This  option  operates similar to the arp_poison_warm_up option.  When
                           the poisoning process starts, this  option  controls  the  NDP  poison
                           delay  for  the  first 5 poisons (to be sure the poisoning process has
                           been successful).  After the first 5 poisons, the delay is incremented
                           (to  keep up the poisoning).  This variable controls the delay for the
                           first 5 poisons. The value should be lower than the  ndp_poison_delay.
                           The value is in seconds.
                           The  same  delay is used when the victims are restored to the original
                           associations
                            when ettercap is closed.

       ndp_poison_delay    This option is similar to the arp_poison_delay  option.   It  controls
                           the  delay  in  seconds  for  sending  out the poisoned NDP packets to
                           poison victim's neighbor cache. This value may be  increased  to  hide
                           from IDSs.  But increasing the value increases as well the probability
                           for failing race conditions during neighbor discovery and to miss some
                           packets.

       ndp_poison_send_delay
                           This  option  controls  the delay in microseconds between poisoned NDP
                           packets are sent. This value may be increased to hide from  IDSs.  But
                           increasing  the  value  increases  as well the probability for failing
                           race conditions during neighbor discovery and to miss some packets.

       ndp_poison_icmp     Enable the sending of a spoofed ICMPv6 message to motivate the targets
                           to  perform  neighbor discovery. This will create an entry in the host
                           neighbor cache, so ettercap will be able to win the race condition and
                           poison  the target. Useful against targets that do not accept neighbor
                           advertisements if the entry is not in the cache.

       ndp_poison_equal_mac
                           Set this option to 0 if you want to skip  the  NDP  poisoning  of  two
                           hosts  with  the same mac address. This may happen if a NIC has one or
                           more aliases on the same network.

       icmp6_probe_delay   This option defines the time in seconds ettercap waits for active IPv6
                           nodes  to respond to the ICMP probes. Decreasing this value could lead
                           to miss replies from active IPv6 nodes, hence miss them  in  the  host
                           list.  Increasing  the value usually has no impact; normally nodes can
                           manage to answer during the default delay.

                           NOTE: The ndp and icmp6 options are only  available  if  ettercap  has
                           been built with IPv6 support

       [connections]

       connection_timeout  Every  time  a  new  connection  is discovered, ettercap allocates the
                           needed structures. After a customizable timeout, you  can  free  these
                           structures to keep the memory usage low. This variable represents this
                           timeout. The value is expressed in seconds. This  timeout  is  applied
                           even  to  the  session tracking system (the protocol state machine for
                           dissectors).

       connection_idle     The number of seconds to wait before a connection is marked as IDLE.

       connection_buffer   This  variable  controls  the  size  of  the  buffer  linked  to  each
                           connection.   Every sniffed packet is added to the buffer and when the
                           buffer is full the older packets are deleted to make  room  for  newer
                           ones. This buffer is useful to view data that went on the cable before
                           you select and view a specific connection. The higher this value,  the
                           higher  the  ettercap  memory  occupation.   By the way, the buffer is
                           dynamic, so if you set a buffer of 100.000 byte it  is  not  allocated
                           all  together at the first packet of a connection, but it is filled as
                           packets arrive.

       connect_timeout     The timeout in seconds when using the connect() syscall.  Increase  it
                           if you get a "Connection timeout" error. This option has nothing to do
                           with connections  sniffed  by  ettercap.  It  is  a  timeout  for  the
                           connections  made  by  ettercap  to  other  hosts  (for  example  when
                           fingerprinting remote host).

       [stats]

       sampling_rate       Ettercap keeps some statistics on the processing time  of  the  bottom
                           half  (the  sniffer)  and  top  half  (the  protocol  decoder).  These
                           statistics are made on the average processing  time  of  sampling_rate
                           packets. You can decrease this value to have a more accurate real-time
                           picture of processing time or increase it to have a smoother  picture.
                           The total average will not change, but the worst value will be heavily
                           influenced by this value.

       [misc]

       close_on_eof        When reading from a dump file and using console  or  daemon  UI,  this
                           variable is used to determine what action has to be done on EOF. It is
                           a boolean value. If set to 1 ettercap will  close  itself  (useful  in
                           scripts). Otherwise the session will continue waiting for user input.

       store_profiles      Ettercap  collects in memory a profile for each host it detects. Users
                           and passwords are collected there. If you  want  to  run  ettercap  in
                           background  logging  all  the  traffic,  you  may  want to disable the
                           collecting in memory to save system  memory.  Set  this  option  to  0
                           (zero)  to  disable  profiles  collection.   A  value of 1 will enable
                           collection for all the hosts, 2 will collect only local  hosts  and  3
                           only  remote  hosts (a host is considered remote if it does not belong
                           to the netmask).

       aggressive_dissectors
                           Some dissectors (such as SSH and HTTPS) need to modify the payload  of
                           the  packets  in  order  to collect passwords and perform a decryption
                           attack.  If  you  want  to  disable  the  "dangerous"  dissectors  all
                           together, set this value to 0.

       skip_forwarded      If  you  set  this value to 0 you will sniff even packets forwarded by
                           ettercap or by the kernel.  It  will  generate  duplicate  packets  in
                           conjunction with the arp mitm method (for example). It could be useful
                           while running ettercap in unoffensive mode on a host  with  more  than
                           one network interface (waiting for the multiple-interface feature...)

       checksum_warning    If  you set the value to 0 the messages about incorrect checksums will
                           not be displayed in the user messages windows (nor logged  to  a  file
                           with -m).
                           Note  that  this option will not disable the check on the packets, but
                           only prevent the message to be displayed (see below).

       checksum_check      This option is used to completely disable the check on the checksum of
                           the  packets  that  ettercap  receives.  The  check  on the packets is
                           performed to avoid ettercap spotting thru  bad  checsum  packets  (see
                           Phrack  60.12).  If  you  disable the check, you will be able to sniff
                           even bad checksummed packet, but you will be  spotted  if  someone  is
                           searching for you...

       sniffing_at_startup If  this  option  is  set  to  1, then ettercap will immediately start
                           unified or bridged sniffing after the setup phase has been  completed.
                           This  option helps to avoid traffic blocking when a MITM technique has
                           been started but forgotten to start sniffing. Therefore  this  options
                           is set to 1 by default.
                           If  this  behaviour is not desired set it to 0 to manually control the
                           status  of  unified  or  bridged  sniffing  after  ettercap   startet.
                           However,  sniffing  can  be  stopped  and  started  at  any time while
                           ettercap runs.

       geoip_support_enable
                           This option controls if GeoIP information shall be  processed  for  IP
                           addresses whether or not ettercap has been built with GeoIP support.

       gtkui_prefer_dark_theme
                           This  option  tries  to enforce the dark variant of the applied theme.
                           However this does only have an effect if the applied theme provides  a
                           dark  variant.  Normally the desktop environment controls the theme of
                           applications.  But  some  lightweight  desktop  environments   doesn't
                           support  a  configuration  option  for dark themes even when the theme
                           provides a dark variant.  To leave the theme variant  setting  to  the
                           desktop environment this option is set to 0 by default.
                           NOTE:  This  option  is  only relevant in GTK mode and if ettercap has
                           been built with full GTK3 support.

       [dissectors]

       protocol_name       This value represents the port on which the protocol dissector has  to
                           be  bound.  A  value  of 0 will disable the dissector. The name of the
                           variable is the same of the protocol  name.  You  can  specify  a  non
                           standard port for each dissector as well as multiple ports. The syntax
                           for multiport selection is the following: port1,port2,port3,...
                           NOTE: some dissectors are conditionally compiled  .  This  means  that
                           depending  on  the libraries found in your system some dissectors will
                           be enabled and some others will not. By  default  etter.conf  contains
                           all  supported  dissectors.  if you got a "FATAL: Dissector "xxx" does
                           not exists (etter.conf line yy)" error, you have to comment out the yy
                           line in etter.conf.

       [curses]

       color               You can customize the colors of the curses GUI.
                           Simply  set a field to one of the following values and look at the GUI
                           aspect :)
                           Here is a list of values: 0 Black, 1 Red, 2 Green, 3 Yellow, 4 Blue, 5
                           Magenta, 6 Cyan, 7 White

       [strings]

       utf8_encoding       specifies  the  encoding  to  be  used while displaying the packets in
                           UTF-8 format.  Use the `iconv --list` command for a list of  supported
                           encodings.

       remote_browser      This  command  is  executed  by the remote_browser plugin each time it
                           catches a good URL request  into  an  HTTP  connection.   The  command
                           should be able to get 2 parameters:

                           %host  the  Host:  tag  in  the  HTTP  header. Used to create the full
                                  request into the browser.

                           %url   The page requested inside the GET request.

       redir_command_on    You must provide a valid command (or script) to enable tcp redirection
                           at  the  kernel  level in order to be able to use SSL dissection. Your
                           script should be able to get 5 parameters:

                           %iface The network interface on which the rule must be set

                           %source
                                  The source IP or network matching the packets to be  redirected
                                  (default is 0.0.0.0/0, ::/0 resp. or any)

                           %destination
                                  The  destination  IP  or  network  matching  the  packets to be
                                  redirected (default is 0.0.0.0/0, ::/0 resp. or any)

                           %port  The source port of the packets to be redirected (443 for HTTPS,
                                  993 for imaps, etc).

                           %rport The  internally  bound  port  to  which  ettercap  listens  for
                                  connections.
       NOTE: this script is executed with  an  execve(),  so  you  cannot  use  pipes  or  output
       redirection  as  if you were in a shell. We suggest you to make a script if you need those
       commands.

       NOTE: for this to work, you must set ec_uid to a UID what is  privileged  to  execute  the
       redir_command or provide a setuid program.

       redir_command_off   This   script  is  used  to  remove  the  redirect  rules  applied  by
                           'redir_command_on'.  You  should  note  that  this  script  is  called
                           atexit()  and  thus  it  has not high privileges. You should provide a
                           setuid program or set ec_uid to 0 in order to be sure that the  script
                           is executed successfully.

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO

       ettercap(8)     ettercap_curses(8)    ettercap_plugins(8)    etterlog(8)    etterfilter(8)
       ettercap-pkexec(8)