1ETTERCAP-CURSES(8) System Manager's Manual ETTERCAP-CURSES(8)
2
6 ettercap - Man page for the Ncurses GUI.
7
10 The curses GUI is quite simple and intuitive.
11 It is menu-driven. Every flag or function can be modified/called
12 through the upper menu. All user messages are printed in the bottom
13 window. If you want to see the old messages, you can scroll the window
14 buffer by pressing the UP, DOWN, PPAGE, NPAGE keys. The middle part is
15 used to display information or dialogs for the user.
16 The menus can be opened by pressing the relative hotkey. For the menus
18 the hotkey is represented by the uppercase initial letter of the title
19 (e.g. 'S' for Sniffing, 'T' for Targets). The functions within a menu
20 can be called by pressing the hotkey depicted near the function name on
21 the right. Hotkeys prefixed with 'C-' are to be used in conjunction
22 with the CTRL key (e.g. 'C-f' means CTRL+f).
23 You can switch the focus between the objects on the screen by pressing
25 the TAB key or by clicking on it with the mouse (if you are running
26 ettercap within an xterm). Mouse events are supported only through the
27 xterm. You can use the mouse to select objects, open a menu, choose a
28 function, scroll the elevators for the scrolling windows, etc etc.
29 When you open multiple windows in the middle part, they will overlap.
31 Use the TAB key to switch between them. Use CTRL+Q to close the focused
32 window.
33 You can also use CTRL+Q to close the input dialog if you want to cancel
34 the requested input. (i.e. you have selected the wrong function and you
35 want to go back).
36 To have a quick help on the shortcuts you can use against a particular
38 window press the SPACE key. A help window will be displayed with a list
39 of shortcuts that can be used. If the window does not appear, no short‐
40 cuts are available.
41
45 To use the ncurses GUI you have to:
46 - compile ettercap with ncurses support (obviously)
48 - run it with the -C flag
49 Passing the -C flag is sufficient, but if you want you can pass other
51 flags that will be automatically set for the ncurses GUI. You will be
52 able to override them using the menu to change the options.
53
57 As soon as ettercap is launched with the Ncurses GUI, you will be
58 prompted with multiple choices. The first screen lets you select if you
59 want to open a pcap file or dump the sniffed traffic to a file, if you
60 want unified sniffing or bridged one, permits you to set a pcap file on
61 the captured traffic and enables you to log all the sniffed data.
62 Once you have selected a sniffing method (from file, unified or
64 bridged) this screen will not be reachable anymore. The only way is to
65 restart ettercap.
66 Let's analyze each menu in the start screen:
69 File
72 Open...
74 Open a pcap file and analyze it. All the functionalities
75 available for live sniffing are in place except for those
76 sending or forwarding packets (mitm attacks and so
77 on...).
78 Dump to file...
80 All the traffic sniffed by the live capture will be
81 dumped to that file. The filters, not the targets, have
82 effects on this file, as all the packets received by pcap
83 will be dumped. The only way to not dump a certain packet
84 is to set a proper pcap filter (see below).
85 Exit
87 Exits from ettercap and returns to the command prompt.
88 Sniff
93 Unified sniffing...
95 Choosing this function you will be prompted to select the
96 network interface to be used for sniffing. The first up
97 and running interface is suggested in the input box. For
98 an explanation of what unified sniffing is, refer to
99 ettercap(8).
100 TIP: if you use the 'u' hotkey, this step will be skipped
101 and the default interface is automatically selected.
102 Bridged sniffing...
104 After selecting the two interfaces to be used, you will
105 enter the Bridged sniffing mode. For an explanation of
106 what bridged sniffing is, refer to ettercap(8).
107 Set pcap filter...
109 Here you can insert a tcpdump-like filter for the captur‐
110 ing process.
111 IMPORTANT: if you manage to use a mitm attack, remember
112 that if ettercap does not see a packet, it will NOT be
113 forwarded. So be sure of what you are doing by setting a
114 pcap filter.
115 Options
119 Unoffensive
121 This enable/disable the unoffensive flag. The asterisk
122 '*' means "the option is enabled". Otherwise the option
123 is not enabled.
124 Promisc mode
126 Enable/disable the promisc mode for the live capture on a
127 network interface. This is an "asterisk-option" as the
128 unoffensive one.
129 Set netmask
131 Use the specified netmask instead of the one associated
132 with the current iface. This option is useful if you have
133 the NIC with an associated netmask of class B and you
134 want to scan (with the arp scan) only a C class.
135
140 Once you have selected an offline sniffing or a live capture, the upper
141 menu is modified and you can start to do the interesting things...
142 Some of the following menu are only available in live capture.
143 Start
147 Start sniffing
149 Starts the sniffing process depending on what you have
150 selected on startup (live or from file)
151 Stop sniffing
153 Stops the sniffing thread.
154 Exit
156 Returns to your favourite shell ;)
157 Targets
162 Current Targets
164 Displays a list of hosts in each TARGET. You can selec‐
165 tively remove a host by selecting it and press 'd' or add
166 a new host pressing 'a'. To switch between the two lists,
167 use the ARROWS keys.
168 Select TARGET(s)
170 Lets you select the TARGET(s) as explained in etter‐
171 cap(8). The syntax is the same as for the command line
172 specification.
173 Protocol...
175 You can choose to sniff only TCP, only UDP or both (ALL).
176 Reverse matching
178 Reverse the matching of a packet. It is equivalent to a
179 NOT before the target specification.
180 Wipe Targets
182 Restores both TARGETS to ANY/ANY/ANY
183 Hosts
187 Hosts list
189 Displays the list of hosts detected through an ARP scan
190 or converted from the passive profiles. This list is used
191 by MITM attacks when the ANY target is selected, so if
192 you want to exclude a host from the attack, simply delete
193 it from the list.
194 You can remove a host from the list by pressing 'd', add
195 it to TARGET1 by pressing '1' or add it to TARGET2 by
196 pressing '2'.
197 Scan for hosts
199 Perform the ARP scan of the netmask if no TARGETS are
200 selected. If TARGETS was specified it only scans for
201 those hosts.
202 Load from file...
204 Loads the hosts list from a file previously saved with
205 "save to file" or hand crafted.
206 Save to file...
208 Save the current hosts list to a file.
209 View
213 Connections
215 Displays the connection list. To see detailed information
216 about a connection press 'd', or press 'k' to kill it. To
217 see the traffic for a specific connection, select it and
218 press enter. Once the two-panel interface is displayed
219 you can move the focus with the arrow keys. Press 'j' to
220 switch between joined and split visualization. Press 'k'
221 to kill the connection. Press 'y' to inject interactively
222 and 'Y' to inject a file. Note that it is important which
223 panel has the focus as the injected data will be sent to
224 that address.
225 HINT: connections marked with an asterisk contain
226 account(s) information.
227 Profiles
229 Diplays the passive profile hosts list. Selecting a host
230 will display the relative details (including account with
231 user and pass for that host).
232 You can convert the passive profile list into the hosts
233 list by pressing 'c'. To purge remote hosts, press 'l'.
234 To purge local hosts, press 'r'. You can also dump the
235 current profile to a file by pressing 'd'; the dumped
236 file can be opened with etterlog(8).
237 HINT: profiles marked with an asterisk contain account(s)
238 information.
239 Statistics
241 Displays some statistics about the sniffing process.
242 Resolve IP addresses
244 Enables DNS resolution for all the sniffed IP address.
245 CAUTION: this will extremely slow down ettercap. By the
246 way the passive dns resolution is always active. It
247 sniffs dns replies and stores them in a cache. If an ip
248 address is present in that cache, it will be automati‐
249 cally resolved. It is dns resolution for free... ;)
250 Visualization method
252 Change the visualization method for the sniffed data.
253 Available methods: ascii, hex, ebcdic, text, html.
254 Visualization regex
256 Set the visualization regular expression. Only packets
257 matching this regex will be displayed in the connection
258 data window.
259 Set the WiFi key
261 Set the WiFi key used to decrypt WiFi encrypted packets.
262 See ettercap(8) for the format of the key.
263 Mitm
267 [...] For each type of attack, a menu entry is displayed. Sim‐
269 ply select the attack you want and fill the arguments
270 when asked. You can activate more than one attack at a
271 time.
272 Stop mitm attack(s)
274 Stops all the mitm attacks currently active.
275 Filters
279 Load a filter...
281 Load a precompiled filter file. The file must be compiled
282 with etterfilter(8) before it can be loaded.
283 Stop filtering
285 Unload the filter and stop filtering the connections.
286 Logging
290 Log all packets and infos...
292 Given a file name, it will create two files: filename.eci
293 (for information about hosts) and filename.ecp (for all
294 the interesting packets). This is the same as the -L
295 option.
296 Log only infos...
298 This is used only to sniff information about hosts (same
299 as the -l option).
300 Stop logging info
302 Come on... it is self explanatory.
303 Log user messages...
305 Will log all the messages appearing in the bottom window
306 (same as -m option).
307 Compressed file
309 Asterisk-option to control whether or not the logfile
310 should be compressed.
311 Plugins
315 Manage the plugins
317 Opens the plugin management window. You can select a
318 plugin and activate it by pressing 'enter'. Plugins
319 already active can be recognized by the [1] symbol
320 instead of [0]. If you select an active plugin, it will
321 be deactivated.
322 Load a plugin...
324 You can load a plugin file that is not in the default
325 search path. (remember that you can browse directories
326 with EC_UID permissions).
327
331 Alberto Ornaghi (ALoR) <alor@users.sf.net>
332 Marco Valleri (NaGA) <naga@antifork.org>
333
335 Emilio Escobar (exfil) <eescobar@gmail.com>
336 Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>
337
339 Mike Ryan (justfalter) <falter@gmail.com>
340 Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
341 Antonio Collarino (sniper) <anto.collarino@gmail.com>
342 Ryan Linn <sussuro@happypacket.net>
343 Jacob Baines <baines.jacob@gmail.com>
344
346 Dhiru Kholia (kholia) <dhiru@openwall.com>
347 Alexander Koeppe (koeppea) <format_c@online.de>
348 Martin Bos (PureHate) <purehate@backtrack.com>
349 Enrique Sanchez
350 Gisle Vanem <giva@bgnett.no>
351 Johannes Bauer <JohannesBauer@gmx.de>
352 Daten (Bryan Schneiders) <daten@dnetc.org>
353
357 ettercap(8) ettercap_plugins(8) etterlog(8) etterfilter(8)
358 etter.conf(5) ettercap-pkexec(8)
359ettercap 0.8.2 ETTERCAP-CURSES(8)