ETTER.CONF(5)                 File Formats Manual                ETTER.CONF(5)

NAME
       etter.conf - Ettercap configuration file

DESCRIPTION
       etter.conf is the configuration file that determines ettercap
       behaviour. It is always loaded at startup and it configures some
       attributes used at runtime.

       The file contains entries of the form:

              [section]
              entry = value
              ...

       Each entry defines a variable that can be customized. Every value MUST
       be an integer. Sections are used only to group together some variables.

       NOTE: if you omit a variable in the conf file, it will be initialized
       with the value 0. Leaving critical variables such as
       "arp_poison_delay" or "connection_timeout" uninitialized is strongly
       discouraged.

       The following is a list of available variables:

   [privs]

       ec_uid              This variable specifies the UID to which privileges
                           are dropped at startup. After the socket at link
                           layer has been opened, the privileges are dropped
                           to a specific uid different from root for security
                           reasons. etter.conf is the only file that is read
                           with root privs. Be sure that the specified uid has
                           enough privs to read the other files (etter.*). You
                           can override this variable by setting the
                           environment variable EC_UID.

   [mitm]

       arp_storm_delay     The value represents the milliseconds to wait
                           between two consecutive packets during the initial
                           ARP scan. You can increase this value to be less
                           aggressive at startup. The randomized scan plus a
                           high delay can fool some types of ARP scan
                           detectors.

       arp_poison_warm_up  When the poisoning process starts, the inter-packet
                           delay is low for the first 5 poisons (to be sure
                           the poisoning process has been successful). After
                           the first 5 poisons, the delay is increased (to
                           keep up the poisoning). This variable controls the
                           delay for the first 5 poisons. The value is in
                           seconds.
                           The same delay is used when the victims are
                           restored to the original associations (RE-ARPing)
                           when ettercap is closed.

       arp_poison_delay    This variable controls the poisoning delay after
                           the first 5 poisons. The value is expressed in
                           seconds. You can increase this value (to try to
                           fool the IDS) up to the timeout of the ARP cache
                           (which depends on the poisoned operating system).

       arp_poison_icmp     Enable the sending of a spoofed ICMP message to
                           force the targets to make an ARP request. This will
                           create an ARP entry in the host cache, so ettercap
                           will be able to win the race condition and poison
                           the target. Useful against targets that don't
                           accept gratuitous ARP if the entry is not in the
                           cache.

       arp_poison_reply    Use ARP replies to poison the targets. This is the
                           classic attack.

       arp_poison_request  Use ARP requests to poison the targets. Useful
                           against targets that cache even ARP request values.

       arp_poison_equal_mac
                           Set this option to 0 if you want to skip the
                           poisoning of two hosts with the same MAC address.
                           This may happen if a NIC has one or more aliases on
                           the same network.

       dhcp_lease_time     This is the lease time (in seconds) for a DHCP
                           assignment. You can lower this value to permit the
                           victims to receive a correct DHCP reply after you
                           have stopped your attack. Using higher timeouts can
                           seriously mess up your network after the attack has
                           finished. On the other hand, some clients will
                           prefer a higher lease time, so you have to increase
                           it to win the race condition against the real
                           server.

       port_steal_delay    This is the delay time (in milliseconds) between
                           stealing packets for the "port" mitm method. With
                           low delays you will be able to intercept more
                           packets, but you will generate more traffic. You
                           have to tune this value in order to find a good
                           balance between the number of intercepted packets,
                           re-transmitted packets and lost packets. This value
                           depends on full/half duplex channels, network
                           drivers and adapters, general network configuration
                           and hardware.

       port_steal_send_delay
                           This is the delay time (in microseconds) between
                           packets when the "port" mitm method has to re-send
                           packet queues. As said for port_steal_delay, you
                           have to tune this option to the lowest acceptable
                           value.

   [connections]

       connection_timeout  Every time a new connection is discovered, ettercap
                           allocates the needed structures. After a
                           customizable timeout, you can free these structures
                           to keep the memory usage low. This variable
                           represents this timeout. The value is expressed in
                           seconds. This timeout is also applied to the
                           session tracking system (the protocol state machine
                           for dissectors).

       connection_idle     The number of seconds to wait before a connection
                           is marked as IDLE.

       connection_buffer   This variable controls the size of the buffer
                           linked to each connection. Every sniffed packet is
                           added to the buffer and when the buffer is full the
                           older packets are deleted to make room for newer
                           ones. This buffer is useful to view data that went
                           on the cable before you select and view a specific
                           connection. The higher this value, the higher the
                           ettercap memory occupation. However, the buffer is
                           dynamic, so if you set a buffer of 100,000 bytes it
                           is not allocated all at once at the first packet of
                           a connection, but it is filled as packets arrive.

       connect_timeout     The timeout in seconds when using the connect()
                           syscall. Increase it if you get a "Connection
                           timeout" error. This option has nothing to do with
                           connections sniffed by ettercap. It is a timeout
                           for the connections made by ettercap to other hosts
                           (for example when fingerprinting a remote host).

   [stats]

       sampling_rate       Ettercap keeps some statistics on the processing
                           time of the bottom half (the sniffer) and top half
                           (the protocol decoder). These statistics are made
                           on the average processing time of sampling_rate
                           packets. You can decrease this value to have a more
                           accurate real-time picture of processing time or
                           increase it to have a smoother picture. The total
                           average will not change, but the worst value will
                           be heavily influenced by this value.

   [misc]

       close_on_eof        When reading from a dump file and using the console
                           or daemon UI, this variable is used to determine
                           what action has to be taken on EOF. It is a boolean
                           value. If set to 1, ettercap will close itself
                           (useful in scripts). Otherwise the session will
                           continue waiting for user input.

       store_profiles      Ettercap collects in memory a profile for each host
                           it detects. Users and passwords are collected
                           there. If you want to run ettercap in the
                           background logging all the traffic, you may want to
                           disable the in-memory collection to save system
                           memory. Set this option to 0 (zero) to disable
                           profile collection. A value of 1 will enable
                           collection for all the hosts, 2 will collect only
                           local hosts and 3 only remote hosts (a host is
                           considered remote if it does not belong to the
                           netmask).

       aggressive_dissectors
                           Some dissectors (such as SSH and HTTPS) need to
                           modify the payload of the packets in order to
                           collect passwords and perform a decryption attack.
                           If you want to disable the "dangerous" dissectors
                           altogether, set this value to 0.

       skip_forwarded      If you set this value to 0 you will also sniff
                           packets forwarded by ettercap or by the kernel. It
                           will generate duplicate packets in conjunction with
                           the arp mitm method (for example). It could be
                           useful while running ettercap in unoffensive mode
                           on a host with more than one network interface
                           (waiting for the multiple-interface feature...)

       checksum_warning    If you set the value to 0, the messages about
                           incorrect checksums will not be displayed in the
                           user messages window (nor logged to a file with
                           -m). Note that this option won't disable the check
                           on the packets, but only prevents the message from
                           being displayed (see below).

       checksum_check      This option is used to completely disable the check
                           on the checksum of the packets that ettercap
                           receives. The check on the packets is performed to
                           avoid ettercap being spotted through bad checksum
                           packets (see Phrack 60.12). If you disable the
                           check, you will be able to sniff even packets with
                           bad checksums, but you will be spotted if someone
                           is searching for you...

   [dissectors]

       protocol_name       This value represents the port on which the
                           protocol dissector has to be bound. A value of 0
                           will disable the dissector. The name of the
                           variable is the same as the protocol name. You can
                           specify a non-standard port for each dissector as
                           well as multiple ports. The syntax for multiport
                           selection is the following: port1,port2,port3,...
                           NOTE: some dissectors are conditionally compiled.
                           This means that depending on the libraries found on
                           your system some dissectors will be enabled and
                           some others will not. By default etter.conf
                           contains all supported dissectors. If you get a
                           "FATAL: Dissector "xxx" does not exists (etter.conf
                           line yy)" error, you have to comment out line yy
                           in etter.conf.
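The entry format described above ([section], entry = value, integer values, the port1,port2,... multiport syntax of the [dissectors] section, and the rule that an omitted entry becomes 0) can be checked before ettercap ever reads the file. The following parser and checker are an added example, not ettercap's own code; the sample configuration and the /usr/local/sbin/ec_redir_on.sh script path in it are constructed for the demonstration.

```python
import re
# Constructed sample etter.conf fragment for this demonstration (not the shipped file).
SAMPLE_CONF = """\
[privs]
ec_uid = 65534          # drop privileges to this uid after the link-layer socket is open
[mitm]
arp_storm_delay = 10
# arp_poison_delay omitted on purpose: ettercap silently initializes it to 0
[connections]
connection_timeout = 10
[dissectors]
http = 80,8080          # multiport syntax: port1,port2,...
ssh = 0                 # 0 disables the dissector
[strings]
redir_command_on = "/usr/local/sbin/ec_redir_on.sh %iface %port %rport"
"""
# Entries the man page warns must not be left uninitialized (an omitted entry becomes 0).
CRITICAL = (("mitm", "arp_poison_delay"), ("connections", "connection_timeout"))

def parse_etter_conf(text):
    """Return {section: {entry: value}} with int, [int, ...] (multiport) or str values."""
    conf, section = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        # '#' starts a comment; quoted-string lines are taken whole (no '#' stripping).
        line = (raw if '"' in raw else raw.split("#", 1)[0]).strip()
        if not line:
            continue
        if re.fullmatch(r"\[\w+\]", line):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"line {lineno}: malformed entry {raw!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            conf[section][key] = value[1:-1]          # command template in [strings]
        elif re.fullmatch(r"\d+(,\d+)*", value):
            ports = [int(p) for p in value.split(",")]
            conf[section][key] = ports if len(ports) > 1 else ports[0]
        else:
            raise ValueError(f"line {lineno}: value of {key} must be an integer")
    return conf

def check_etter_conf(conf):
    """Warnings for settings the man page flags as dangerous when missing or 0."""
    warnings = [f"{s}.{k} missing or 0" for s, k in CRITICAL if not conf.get(s, {}).get(k)]
    if not conf.get("privs", {}).get("ec_uid"):
        warnings.append("privs.ec_uid is 0: privileges are never dropped")
    return warnings
```

Running check_etter_conf(parse_etter_conf(SAMPLE_CONF)) reports only the missing arp_poison_delay, which is exactly the silent-zero case the NOTE in DESCRIPTION warns about.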

   [curses]

       color               You can customize the colors of the curses GUI.
                           Simply set a field to one of the following values
                           and look at the GUI aspect :)
                           Here is the list of values: 0 Black, 1 Red,
                           2 Green, 3 Yellow, 4 Blue, 5 Magenta, 6 Cyan,
                           7 White

   [strings]

       utf8_encoding       Specifies the encoding to be used while displaying
                           the packets in UTF-8 format. Use the `iconv
                           --list` command for a list of supported encodings.

       remote_browser      This command is executed by the remote_browser
                           plugin each time it catches a good URL request in
                           an HTTP connection. The command should be able to
                           accept 2 parameters:

                           %host  the Host: tag in the HTTP header. Used to
                                  create the full request in the browser.

                           %url   The page requested inside the GET request.

       redir_command_on    You have to provide a valid command (or script) to
                           enable TCP redirection at kernel level in order to
                           be able to use SSL dissection. Your script should
                           be able to accept 3 parameters:

                           %iface The network interface on which the rule must
                                  be set

                           %port  The source port of the packets to be
                                  redirected (443 for HTTPS, 993 for imaps,
                                  etc).

                           %rport The internally bound port on which ettercap
                                  listens for connections.

                           NOTE: this script is executed with an execve(), so
                           you can't use pipes or output redirection as if
                           you were in a shell. We suggest you write a script
                           if you need those commands.
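The execve() NOTE above can be made concrete: the template is split into an argv vector and the three placeholders are substituted, and nothing interprets shell syntax, so a "|" or ">" in the template arrives at the program as a literal argument. The expansion below is an added example of that behaviour, not ettercap's own code; the script path and the port numbers used in the test are constructed.

```python
# Characters that only a shell gives meaning to; execve() passes them through untouched.
SHELL_META = set("|&;<>()$`\\\"'*?[]#~")

def expand_redir_command(template, iface, port, rport):
    """Expand a redir_command_on/off template into the argv an execve()-style
    launch receives: whitespace splits arguments, %iface/%port/%rport are
    substituted, and no shell syntax is interpreted."""
    subst = {"%iface": iface, "%port": str(port), "%rport": str(rport)}
    argv = []
    for token in template.split():
        for placeholder, value in subst.items():
            token = token.replace(placeholder, value)
        argv.append(token)
    return argv

def shell_only_tokens(argv):
    """Arguments that would need a shell to mean anything. If this list is not
    empty, the template relies on pipes or redirection and should be moved
    into a script, as the man page suggests."""
    return [arg for arg in argv if any(ch in SHELL_META for ch in arg)]
```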

       redir_command_off   This script is used to remove the redirect rules
                           applied by 'redir_command_on'. You should note that
                           this script is called from atexit() and thus it
                           does not have high privileges. You should provide a
                           setuid program or set ec_uid to 0 in order to be
                           sure that the script is executed successfully.

SEE ALSO
       ettercap(8) ettercap_curses(8) ettercap_plugins(8) etterlog(8)
       etterfilter(8)

ettercap NG-0.7.3                                                ETTER.CONF(5)