Provided by: ettercap-common_0.8.3.1-10_amd64 bug


       ettercap - Man page for the Ncurses GUI.


       The curses GUI is quite simple and intuitive.
       It  is  menu-driven. Every flag or function can be modified/called through the upper menu.
       All user messages are printed in the bottom window. If you want to see the  old  messages,
       you  can scroll the window buffer by pressing the UP, DOWN, PPAGE, NPAGE keys.  The middle
       part is used to display information or dialogs for the user.

       The menus can be opened by pressing the relative hotkey.  For  the  menus  the  hotkey  is
       represented  by  the uppercase initial letter of the title (e.g. 'S' for Sniffing, 'T' for
       Targets). The functions within a menu can be called by pressing the hotkey  depicted  near
       the  function  name on the right. Hotkeys prefixed with 'C-' are to be used in conjunction
       with the CTRL key (e.g. 'C-f' means CTRL+f).

       You can switch the focus between the objects on the screen by pressing the TAB key  or  by
       clicking  on it with the mouse (if you are running ettercap within an xterm). Mouse events
       are supported only through the xterm. You can use the mouse  to  select  objects,  open  a
       menu, choose a function, scroll the elevators for the scrolling windows, etc etc.

       When  you  open multiple windows in the middle part, they will overlap. Use the TAB key to
       switch between them. Use CTRL+Q to close the focused window.
       You can also use CTRL+Q to close the input dialog if you  want  to  cancel  the  requested
       input. (i.e. you have selected the wrong function and you want to go back).

       To  have  a  quick help on the shortcuts you can use against a particular window press the
       SPACE key. A help window will be displayed with a list of shortcuts that can be  used.  If
       the window does not appear, no shortcuts are available.


       To use the ncurses GUI you have to:

       - compile ettercap with ncurses support (obviously)
       - run it with the -C flag

       Passing  the  -C flag is sufficient, but if you want you can pass other flags that will be
       automatically set for the ncurses GUI. You will be able to override them using the menu to
       change the options.


       As  soon  as ettercap is launched with the Ncurses GUI, you will be prompted with multiple
       choices. The first screen lets you select if you want to open a  pcap  file  or  dump  the
       sniffed traffic to a file, if you want unified sniffing or bridged one, permits you to set
       a pcap file on the captured traffic and enables you to log all the sniffed data.

       Once you have selected a sniffing method (from file, unified or bridged) this screen  will
       not be reachable anymore. The only way is to restart ettercap.

       Let's analyze each menu in the start screen:


                     Open  a pcap file and analyze it. All the functionalities available for live
                     sniffing are in place except for those sending or forwarding  packets  (mitm
                     attacks and so on...).

              Dump to file...
                     All the traffic sniffed by the live capture will be dumped to that file. The
                     filters, not the targets, have effects on this  file,  as  all  the  packets
                     received  by  pcap will be dumped. The only way to not dump a certain packet
                     is to set a proper pcap filter (see below).

                     Exits from ettercap and returns to the command prompt.


              Unified sniffing...
                     Choosing this function you will be prompted to select the network  interface
                     to  be used for sniffing. The first up and running interface is suggested in
                     the input box.  For an explanation of what unified  sniffing  is,  refer  to
                     TIP:  if  you  use the 'u' hotkey, this step will be skipped and the default
                     interface is automatically selected.

              Bridged sniffing...
                     After selecting the two interfaces to be used, you will  enter  the  Bridged
                     sniffing  mode.  For  an  explanation  of what bridged sniffing is, refer to

              Set pcap filter...
                     Here you can insert a tcpdump-like filter for the capturing process.
                     IMPORTANT: if you manage to use a mitm attack,  remember  that  if  ettercap
                     does  not see a packet, it will NOT be forwarded. So be sure of what you are
                     doing by setting a pcap filter.


                     This enable/disable the unoffensive flag. The asterisk '*' means "the option
                     is enabled". Otherwise the option is not enabled.

              Promisc mode
                     Enable/disable the promisc mode for the live capture on a network interface.
                     This is an "asterisk-option" as the unoffensive one.

              Set netmask
                     Use the specified netmask instead of the one  associated  with  the  current
                     iface.  This option is useful if you have the NIC with an associated netmask
                     of class B and you want to scan (with the arp scan) only a C class.


       Once you have selected an offline sniffing or a live capture, the upper menu  is  modified
       and you can start to do the interesting things...
       Some of the following menu are only available in live capture.


              Start sniffing
                     Starts  the  sniffing process depending on what you have selected on startup
                     (live or from file)

              Stop sniffing
                     Stops the sniffing thread.

                     Returns to your favourite shell ;)


              Current Targets
                     Displays a list of hosts in each TARGET. You can selectively remove  a  host
                     by  selecting  it  and  press  'd' or add a new host pressing 'a'. To switch
                     between the two lists, use the ARROWS keys.

              Select TARGET(s)
                     Lets you select the TARGET(s) as explained in ettercap(8). The syntax is the
                     same as for the command line specification.

                     You can choose to sniff only TCP, only UDP or both (ALL).

              Reverse matching
                     Reverse  the  matching  of  a  packet.  It is equivalent to a NOT before the
                     target specification.

              Wipe Targets
                     Restores both TARGETS to ANY/ANY/ANY


              Hosts list
                     Displays the list of hosts detected through an ARP scan  or  converted  from
                     the  passive profiles. This list is used by MITM attacks when the ANY target
                     is selected, so if you want to exclude a host from the attack, simply delete
                     it from the list.
                     You  can  remove  a host from the list by pressing 'd', add it to TARGET1 by
                     pressing '1' or add it to TARGET2 by pressing '2'.

              Scan for hosts
                     Perform the ARP scan of the netmask if no TARGETS are selected.  If  TARGETS
                     was specified it only scans for those hosts.

              Load from file...
                     Loads  the  hosts  list  from a file previously saved with "save to file" or
                     hand crafted.

              Save to file...
                     Save the current hosts list to a file.


                     Displays the connection list. To see detailed information about a connection
                     press  'd',  or  press  'k'  to  kill  it. To see the traffic for a specific
                     connection, select it and press  enter.  Once  the  two-panel  interface  is
                     displayed  you  can  move the focus with the arrow keys. Press 'j' to switch
                     between joined and split visualization. Press 'k' to  kill  the  connection.
                     Press  'y' to inject interactively and 'Y' to inject a file. Note that it is
                     important which panel has the focus as the injected data  will  be  sent  to
                     that address.
                     HINT: connections marked with an asterisk contain account(s) information.

                     Displays  the  passive profile hosts list. Selecting a host will display the
                     relative details (including account with user and pass for that host).
                     You can convert the passive profile list into the  hosts  list  by  pressing
                     'c'.  To purge remote hosts, press 'l'. To purge local hosts, press 'r'. You
                     can also dump the current profile to a file by pressing 'd'; the dumped file
                     can be opened with etterlog(8).
                     HINT: profiles marked with an asterisk contain account(s) information.

                     Displays some statistics about the sniffing process.

              Resolve IP addresses
                     Enables  DNS  resolution  for all the sniffed IP address. CAUTION: this will
                     extremely slow down ettercap. By the  way  the  passive  dns  resolution  is
                     always  active.  It  sniffs dns replies and stores them in a cache. If an ip
                     address is present in that cache, it will be automatically resolved.  It  is
                     dns resolution for free... ;)

              Visualization method
                     Change  the  visualization  method  for the sniffed data. Available methods:
                     ascii, hex, ebcdic, text, html.

              Visualization regex
                     Set the visualization regular expression. Only packets matching  this  regex
                     will be displayed in the connection data window.

              Set the WiFi key
                     Set the WiFi key used to decrypt WiFi encrypted packets. See ettercap(8) for
                     the format of the key.


              [...]  For each type of attack, a menu entry is displayed. Simply select the attack
                     you  want  and fill the arguments when asked. You can activate more than one
                     attack at a time.

              Stop mitm attack(s)
                     Stops all the mitm attacks currently active.


              Load a filter...
                     Load  a  precompiled  filter  file.  The  file   must   be   compiled   with
                     etterfilter(8) before it can be loaded.

              Stop filtering
                     Unload the filter and stop filtering the connections.


              Log all packets and infos...
                     Given  a  file name, it will create two files: filename.eci (for information
                     about hosts) and filename.ecp (for all the interesting packets). This is the
                     same as the -L option.

              Log only infos...
                     This is used only to sniff information about hosts (same as the -l option).

              Stop logging info
                     Come on... it is self explanatory.

              Log user messages...
                     Will  log  all  the  messages  appearing  in  the  bottom window (same as -m

              Compressed file
                     Asterisk-option to control whether or not the logfile should be compressed.


              Manage the plugins
                     Opens the plugin management window. You can select a plugin and activate  it
                     by  pressing  'enter'.  Plugins  already active can be recognized by the [1]
                     symbol instead  of  [0].  If  you  select  an  active  plugin,  it  will  be

              Load a plugin...
                     You can load a plugin file that is not in the default search path. (remember
                     that you can browse directories with EC_UID permissions).


       Alberto Ornaghi (ALoR) <>
       Marco Valleri (NaGA) <>


       Emilio Escobar (exfil)  <>
       Eric Milam (Brav0Hax)  <>


       Mike Ryan (justfalter)  <>
       Gianfranco Costamagna (LocutusOfBorg)  <>
       Antonio Collarino (sniper)  <>
       Ryan Linn   <>
       Jacob Baines   <>


       Dhiru Kholia (kholia)  <>
       Alexander Koeppe (koeppea)  <>
       Martin Bos (PureHate)  <>
       Enrique Sanchez
       Gisle Vanem  <>
       Johannes Bauer  <>
       Daten (Bryan Schneiders)  <>


       ettercap(8)     ettercap_plugins(8)     etterlog(8)      etterfilter(8)      etter.conf(5)