Provided by: ettercap-common_0.8.3.1-10_amd64

NAME

       etter.conf - Ettercap configuration file

DESCRIPTION

       etter.conf  is  the  configuration  file  that determines ettercap behaviour. It is always
       loaded at startup and it configures some attributes used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each entry defines a variable that can be customized. Every  value  MUST  be  an  integer.
       Sections are used only to group together some variables.
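
       The entry format above, and the NOTE that follows about omitted variables becoming 0, can
       be checked mechanically. This is an added example, not part of ettercap: the sample file is
       constructed, '#' comments are an assumption, and the function names are hypothetical.

```python
import re

# Sections whose entries the page documents as plain integers. [dissectors],
# [curses] and [strings] are skipped here (port lists, colours, commands).
INTEGER_SECTIONS = {"privs", "mitm", "connections", "stats", "misc"}
# The two variables the man page's NOTE names as critical.
CRITICAL = {("mitm", "arp_poison_delay"), ("connections", "connection_timeout")}

# Constructed sample, not a shipped etter.conf. '#' comments are an assumption.
SAMPLE_CONF = """\
[privs]
ec_uid = 0            # constructed: privileges are not dropped

[mitm]
arp_storm_delay = 10
arp_poison_warm_up = 1
arp_poison_smart = yes

[connections]
connection_idle = 5
connection_buffer = 10000
"""

def parse_conf(text):
    """Return ({(section, entry): raw_value}, [syntax findings])."""
    entries, findings, section = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, sep, value = line.partition("=")
        if not sep or section is None:
            findings.append(f"line {lineno}: not of the form 'entry = value'")
            continue
        entries[(section, key.strip())] = value.strip()
    return entries, findings

def lint(text):
    """Return a list of human-readable findings for an etter.conf text."""
    entries, findings = parse_conf(text)
    for (section, key), value in sorted(entries.items()):
        if section in INTEGER_SECTIONS and not re.fullmatch(r"-?\d+", value):
            findings.append(f"[{section}] {key}: '{value}' is not an integer")
    for section, key in sorted(CRITICAL):
        if (section, key) not in entries:
            findings.append(f"[{section}] {key}: omitted, will be initialized to 0")
    # An omitted ec_uid is also 0, so both cases leave ettercap running as root.
    if entries.get(("privs", "ec_uid"), "0") == "0":
        findings.append("[privs] ec_uid: 0 (root), privileges are not dropped")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```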

       NOTE: if you omit a variable in the conf file, it will be initialized with the value 0.
       Leaving critical variables such as "arp_poison_delay" or "connection_timeout"
       uninitialized is strongly discouraged.

       The following is a list of available variables:

       [privs]

       ec_uid              This variable specifies the UID to which privileges are dropped at
                           startup. After the socket at link layer has been opened, the privileges
                           are dropped to a specific uid different from root for security
                           reasons. etter.conf is the only file that is read with root privs. Be
                           sure that the specified uid has enough privs to read other files
                           (etter.*). You can bypass this variable by setting the environment
                           variable EC_UID.

       [mitm]

       arp_storm_delay     The  value represents the milliseconds to wait between two consecutive
                           packets during the initial ARP scan. You can increment this  value  to
                           be  less  aggressive at startup. The randomized scan plus a high delay
                           can fool some types of ARP scan detectors.

       arp_poison_smart    With this variable set, only 3 initial poisoned ARP messages are sent
                           to the victims. This poisoned status is kept up by ettercap by
                           responding to ARP requests from victims that want to refresh their ARP
                           cache. This makes the ARP poisoning very stealthy but may be
                           unreliable on shared media such as WiFi.

       arp_poison_warm_up  When the poisoning process starts, the inter-packet delay is  low  for
                           the  first  5  poisons  (to  be  sure  the  poisoning process has been
                           successful). After the first 5 poisons, the delay is  incremented  (to
                           keep up the poisoning). This variable controls the delay for the first
                           5 poisons. The value is in seconds.
                           The same delay is used when the victims are restored to  the  original
                           associations (RE-ARPing) when ettercap is closed.

       arp_poison_delay    This  variable controls the poisoning delay after the first 5 poisons.
                           The value is expressed in seconds. You can increase this value (to try
                           to  fool the IDS) up to the timeout of the ARP cache (which depends on
                           the poisoned operating system).

       arp_poison_icmp     Enable the sending of a spoofed ICMP message to force the  targets  to
                           make  an arp request. This will create an arp entry in the host cache,
                           so ettercap will be able to win the  race  condition  and  poison  the
                           target.  Useful  against  targets that do not accept gratuitous arp if
                           the entry is not in the cache.

       arp_poison_reply    Use ARP replies to poison the targets. This is the classic attack.

       arp_poison_request  Use ARP requests to poison the targets. Useful against targets that
                           cache even arp request values.

       arp_poison_equal_mac
                           Set  this  option  to 0 if you want to skip the poisoning of two hosts
                           with the same mac address. This may happen if a NIC has  one  or  more
                           aliases on the same network.

       dhcp_lease_time     This  is  the  lease  time (in seconds) for a dhcp assignment. You can
                           lower this value to permit the victims to receive a correct dhcp reply
                           after  you  have  stopped  your  attack.  Using  higher  timeouts  can
                           seriously mess up your network after the attack has finished.  On  the
                           other  hand  some clients will prefer a higher lease time, so you have
                           to increase it to win the race condition against the real server.

       port_steal_delay    This is the delay time (in milliseconds) between stealing packets for
                           the "port" mitm method. With low delays you will be able to intercept
                           more packets, but you will generate more traffic. You have to tune
                           this value in order to find a good balance between the number of
                           intercepted packets, re-transmitted packets and lost packets. This
                           value depends on full/half duplex channels, network drivers and
                           adapters, general network configuration and hardware.

       port_steal_send_delay
                           This is the delay time (in microseconds) between packets when the
                           "port" mitm method has to re-send packet queues. As said for
                           port_steal_delay, you have to tune this option to the lowest acceptable
                           value.

       ndp_poison_warm_up  This option operates similarly to the arp_poison_warm_up option. When
                           the poisoning process starts, this option controls the NDP poison
                           delay for the first 5 poisons (to be sure the poisoning process has
                           been successful). After the first 5 poisons, the delay is incremented
                           (to keep up the poisoning). The value should be lower than the
                           ndp_poison_delay. The value is in seconds.
                           The same delay is used when the victims are restored to the original
                           associations when ettercap is closed.

       ndp_poison_delay    This option is similar to the arp_poison_delay option. It controls
                           the delay in seconds for sending out the poisoned NDP packets to
                           poison the victim's neighbor cache. This value may be increased to
                           hide from IDSs, but increasing it also increases the probability of
                           losing race conditions during neighbor discovery and of missing some
                           packets.

       ndp_poison_send_delay
                           This option controls the delay in microseconds between poisoned NDP
                           packets. This value may be increased to hide from IDSs, but increasing
                           it also increases the probability of losing race conditions during
                           neighbor discovery and of missing some packets.

       ndp_poison_icmp     Enable the sending of a spoofed ICMPv6 message to motivate the targets
                           to  perform  neighbor discovery. This will create an entry in the host
                           neighbor cache, so ettercap will be able to win the race condition and
                           poison  the target. Useful against targets that do not accept neighbor
                           advertisements if the entry is not in the cache.

       ndp_poison_equal_mac
                           Set this option to 0 if you want to skip  the  NDP  poisoning  of  two
                           hosts  with  the same mac address. This may happen if a NIC has one or
                           more aliases on the same network.

       icmp6_probe_delay   This option defines the time in seconds ettercap waits for active IPv6
                           nodes  to respond to the ICMP probes. Decreasing this value could lead
                           to miss replies from active IPv6 nodes, hence miss them  in  the  host
                           list.  Increasing  the value usually has no impact; normally nodes can
                           manage to answer during the default delay.

                           NOTE: The ndp and icmp6 options are only available if ettercap has
                           been built with IPv6 support.
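
       The arp_storm_delay, arp_poison_smart and arp_poison_delay entries above describe slowing
       or minimising traffic to get past rate-based detectors. As an added example (not part of
       ettercap), a monitor that tracks IP-to-MAC bindings instead of packet rate raises the same
       alerts at any delay; the addresses, trace and function names are constructed.

```python
from collections import defaultdict

# Constructed addresses: documentation IPs (192.0.2.0/24) and made-up MACs.
GATEWAY = ("192.0.2.1", "02:00:00:00:00:01")
HOST = ("192.0.2.10", "02:00:00:00:00:10")
THIRD = ("192.0.2.66", "02:00:00:00:00:66")

def make_trace(delay_s, repeats=3):
    """Constructed ARP observations as (time_s, sender_ip, sender_mac).

    After three normal announcements, THIRD's MAC starts answering for the
    gateway and host IPs every delay_s seconds.
    """
    trace = [(0, *GATEWAY), (1, *HOST), (2, *THIRD)]
    for i in range(repeats):
        t = 5 + i * delay_s
        trace.append((t, GATEWAY[0], THIRD[1]))
        trace.append((t, HOST[0], THIRD[1]))
    return trace

def detect(observations, alias_macs=frozenset()):
    """Return alerts as (time_s, kind, detail).

    State-based: an alert depends on which MAC claims which IP, never on how
    often or how fast the claims arrive.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for t, ip, mac in observations:
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((t, "binding-changed", f"{ip}: {known} -> {mac}"))
        ip_to_mac[ip] = mac
        ips = mac_to_ips[mac]
        if ip not in ips:
            ips.add(ip)
            # A NIC with aliases legitimately owns several IPs; allowlist it.
            if len(ips) > 1 and mac not in alias_macs:
                alerts.append((t, "mac-claims-several-ips", f"{mac}: {sorted(ips)}"))
    return alerts

def kinds(alerts):
    """Alert kinds in order, without timestamps or details."""
    return [kind for _, kind, _ in alerts]

if __name__ == "__main__":
    for alert in detect(make_trace(delay_s=10)):
        print(alert)
```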

       [connections]

       connection_timeout  Every  time  a  new  connection  is discovered, ettercap allocates the
                           needed structures. After a customizable timeout, you  can  free  these
                           structures to keep the memory usage low. This variable represents this
                           timeout. The value is expressed in seconds. This  timeout  is  applied
                           even  to  the  session tracking system (the protocol state machine for
                           dissectors).

       connection_idle     The number of seconds to wait before a connection is marked as IDLE.

       connection_buffer   This variable controls the size of the buffer linked to each
                           connection. Every sniffed packet is added to the buffer and when the
                           buffer is full the older packets are deleted to make room for newer
                           ones. This buffer is useful to view data that went on the cable before
                           you select and view a specific connection. The higher this value, the
                           higher the ettercap memory occupation. By the way, the buffer is
                           dynamic, so if you set a buffer of 100.000 bytes it is not allocated
                           all at once at the first packet of a connection, but it is filled as
                           packets arrive.

       connect_timeout     The timeout in seconds when using the connect() syscall. Increase it
                           if you get a "Connection timeout" error. This option has nothing to do
                           with connections sniffed by ettercap. It is a timeout for the
                           connections made by ettercap to other hosts (for example when
                           fingerprinting a remote host).

       [stats]

       sampling_rate       Ettercap keeps some statistics on the processing time  of  the  bottom
                           half  (the  sniffer)  and  top  half  (the  protocol  decoder).  These
                           statistics are made on the average processing  time  of  sampling_rate
                           packets. You can decrease this value to have a more accurate real-time
                           picture of processing time or increase it to have a smoother  picture.
                           The total average will not change, but the worst value will be heavily
                           influenced by this value.

       [misc]

       close_on_eof        When reading from a dump file and using console  or  daemon  UI,  this
                           variable is used to determine what action has to be done on EOF. It is
                           a boolean value. If set to 1 ettercap will  close  itself  (useful  in
                           scripts). Otherwise the session will continue waiting for user input.

       store_profiles      Ettercap  collects in memory a profile for each host it detects. Users
                           and passwords are collected there. If you  want  to  run  ettercap  in
                           background  logging  all  the  traffic,  you  may  want to disable the
                           collecting in memory to save system  memory.  Set  this  option  to  0
                           (zero)  to  disable  profiles  collection.   A  value of 1 will enable
                           collection for all the hosts, 2 will collect only local  hosts  and  3
                           only  remote  hosts (a host is considered remote if it does not belong
                           to the netmask).

       aggressive_dissectors
                           Some dissectors (such as SSH and HTTPS) need to modify the payload of
                           the packets in order to collect passwords and perform a decryption
                           attack. If you want to disable the "dangerous" dissectors
                           altogether, set this value to 0.

       skip_forwarded      If  you  set  this value to 0 you will sniff even packets forwarded by
                           ettercap or by the kernel.  It  will  generate  duplicate  packets  in
                           conjunction with the arp mitm method (for example). It could be useful
                           while running ettercap in unoffensive mode on a host  with  more  than
                           one network interface (waiting for the multiple-interface feature...)

       checksum_warning    If you set the value to 0 the messages about incorrect checksums will
                           not be displayed in the user messages window (nor logged to a file
                           with -m).
                           Note that this option will not disable the check on the packets, but
                           only prevent the message from being displayed (see below).

       checksum_check      This option is used to completely disable the check on the checksum of
                           the packets that ettercap receives. The check on the packets is
                           performed to avoid ettercap being spotted through bad checksum packets
                           (see Phrack 60.12). If you disable the check, you will be able to sniff
                           even packets with bad checksums, but you will be spotted if someone is
                           searching for you...

       sniffing_at_startup If this option is set to 1, then ettercap will immediately start
                           unified or bridged sniffing after the setup phase has been completed.
                           This option helps to avoid traffic blocking when a MITM technique has
                           been started but sniffing has not. Therefore this option is set to 1
                           by default.
                           If this behaviour is not desired, set it to 0 to manually control the
                           status of unified or bridged sniffing after ettercap has started.
                           However, sniffing can be stopped and started at any time while
                           ettercap runs.

       geoip_support_enable
                           This option controls if GeoIP information shall be  processed  for  IP
                           addresses whether or not ettercap has been built with GeoIP support.

       gtkui_prefer_dark_theme
                           This option tries to enforce the dark variant of the applied theme.
                           However, this only has an effect if the applied theme provides a
                           dark variant. Normally the desktop environment controls the theme of
                           applications, but some lightweight desktop environments don't
                           support a configuration option for dark themes even when the theme
                           provides a dark variant. To leave the theme variant setting to the
                           desktop environment, this option is set to 0 by default.
                           NOTE: This option is only relevant in GTK mode and if ettercap has
                           been built with full GTK3 support.

       [dissectors]

       protocol_name       This value represents the port on which the protocol dissector has to
                           be bound. A value of 0 will disable the dissector. The name of the
                           variable is the same as the protocol name. You can specify a
                           non-standard port for each dissector as well as multiple ports. The
                           syntax for multiport selection is the following: port1,port2,port3,...
                           NOTE: some dissectors are conditionally compiled. This means that,
                           depending on the libraries found in your system, some dissectors will
                           be enabled and some others will not. By default etter.conf contains
                           all supported dissectors. If you get a "FATAL: Dissector "xxx" does
                           not exists (etter.conf line yy)" error, you have to comment out the yy
                           line in etter.conf.

       [curses]

       color               You can customize the colors of the curses GUI.
                           Simply  set a field to one of the following values and look at the GUI
                           aspect :)
                           Here is a list of values: 0 Black, 1 Red, 2 Green, 3 Yellow, 4 Blue, 5
                           Magenta, 6 Cyan, 7 White

       [strings]

       utf8_encoding       Specifies the encoding to be used while displaying the packets in
                           UTF-8 format. Use the `iconv --list` command for a list of supported
                           encodings.

       remote_browser      This command is executed by the remote_browser plugin each time it
                           catches a good URL request in an HTTP connection. The command
                           should be able to get 2 parameters:

                           %host  The Host: tag in the HTTP header. Used to create the full
                                  request in the browser.

                           %url   The page requested inside the GET request.

       redir_command_on    You must provide a valid command (or script) to enable tcp redirection
                           at  the  kernel  level in order to be able to use SSL dissection. Your
                           script should be able to get 5 parameters:

                           %iface The network interface on which the rule must be set

                           %source
                                  The source IP or network matching the packets to be  redirected
                                  (default is 0.0.0.0/0, ::/0 resp. or any)

                           %destination
                                  The  destination  IP  or  network  matching  the  packets to be
                                  redirected (default is 0.0.0.0/0, ::/0 resp. or any)

                           %port  The source port of the packets to be redirected (443 for HTTPS,
                                  993 for imaps, etc).

                           %rport The  internally  bound  port  to  which  ettercap  listens  for
                                  connections.
                           NOTE: this script is executed with an execve(), so you cannot use
                           pipes or output redirection as if you were in a shell. We suggest
                           writing a script if you need those commands.

                           NOTE: for this to work, you must set ec_uid to a UID that is
                           privileged to execute the redir_command or provide a setuid program.

       redir_command_off   This script is used to remove the redirect rules applied by
                           'redir_command_on'. You should note that this script is called
                           atexit() and thus does not have high privileges. You should provide a
                           setuid program or set ec_uid to 0 in order to be sure that the script
                           is executed successfully.

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO

       ettercap(8)     ettercap_curses(8)    ettercap_plugins(8)    etterlog(8)    etterfilter(8)
       ettercap-pkexec(8)