ETTERLOG(8)                 System Manager's Manual                ETTERLOG(8)



NAME
       etterlog NG-0.7.3 - Log analyzer for ettercap log files


SYNOPSIS
       etterlog [OPTIONS] FILE


DESCRIPTION
       Etterlog is the log analyzer for logfiles created by ettercap. It can
       handle both compressed (created with -Lc) and uncompressed logfiles.
       With this tool you can manipulate the binary log files as you like and
       print their data in different ways as many times as you want (in
       contrast with the previous logging system, which dumped everything
       once, in a single static format).
       You can dump the traffic of only one connection of your choice, or of
       only one or more hosts, and print data in hex, ascii, binary etc.

       TIP: All messages other than the dumped data are printed to stderr, so
       you can save the output from etterlog with the following command:

       etterlog [options] logfile > outfile

              Thus you can, for example, dump a binary file from an ftp
              connection by printing the data in binary mode, without headers
              and selecting only the ftp server as the source of the
              communication.


       GENERAL OPTIONS

       -a, --analyze
              Analyze a log file and display some interesting statistics.


       -c, --connections
              Parse the log file and print a table of unique connections (port
              to port). This option can be used only on LOG_PACKET logfiles.
              On LOG_INFO logfiles it is useless.

              TIP: you can search for a particular host by using the following
              command:

              etterlog -c logfile.ecp | grep 10.0.0.1


       -f, --filter <TARGET>
              Print only packets coming from or going to TARGET. The TARGET
              specification is the same as in ettercap.
              TARGET is in the form MAC/IPs/PORTs. Omitting one or more of its
              parts is equivalent to setting them to ANY.

              If the log type is LOG_INFO the target is used to display hosts
              matching the mac and ip and having the specified port(s) open.
              For example the target //80 will display only information about
              hosts with a running web server.


       -r, --reverse
              Reverse the matching in the TARGET selection: it means
              not(TARGET), i.e. all but the selected TARGET.


       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP). This option is
              only useful in "simple" mode. If you start ettercap in
              interactive mode both TCP and UDP are sniffed.
              PROTO can be "tcp", "udp" or "all" for both.



       -F, --filcon <CONNECTION>
              Print packets belonging only to this CONNECTION.
              CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are
              in the form IP:PORT.

              example:

              etterlog -F TCP:10.0.0.23:3318:198.182.196.56:80
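       The TARGET and CONNECTION syntaxes above (-f, -r and -F, together with
       the -s/-d narrowing described further down) can be understood as a
       small matcher over packet headers. The following Python is an added
       illustration of that matching and is not etterlog's own code: the
       Packet layout and the headers in SAMPLE are constructed, IPs and PORTs
       are read as comma-separated lists (ettercap's range syntax such as
       10.0.0.1-5 is not handled), and the assumption that a CONNECTION
       covers both directions of the flow, with -s/-d keeping one of them, is
       drawn from the description of --only-source.

```python
"""Filter matching in the style of etterlog's -f TARGET, -r and -F CONNECTION
options, re-implemented here in stand-alone Python as an illustration. Not
etterlog's own code; the packet headers at the bottom are constructed data."""
from typing import NamedTuple

ANY = None  # an omitted TARGET part matches anything


class Packet(NamedTuple):
    """Header fields of a logged packet (constructed layout)."""
    proto: str
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int


def parse_target(spec):
    """Parse 'MAC/IPs/PORTs'; empty parts mean ANY. IPs and PORTs are read as
    comma-separated lists (assumption: ettercap's 10.0.0.1-5 range syntax is
    not handled here)."""
    parts = spec.split("/")
    if len(parts) > 3:
        raise ValueError("TARGET has at most three parts: MAC/IPs/PORTs")
    mac, ips, ports = parts + [""] * (3 - len(parts))
    return (mac.lower() or ANY,
            set(ips.split(",")) if ips else ANY,
            {int(p) for p in ports.split(",")} if ports else ANY)


def endpoint_matches(target, mac, ip, port):
    """An endpoint matches when every non-ANY part of TARGET matches it."""
    t_mac, t_ips, t_ports = target
    return ((t_mac is ANY or mac.lower() == t_mac)
            and (t_ips is ANY or ip in t_ips)
            and (t_ports is ANY or port in t_ports))


def target_matches(pkt, target, reverse=False):
    """-f semantics: packet comes from or goes to TARGET; -r negates."""
    hit = (endpoint_matches(target, pkt.src_mac, pkt.src_ip, pkt.src_port)
           or endpoint_matches(target, pkt.dst_mac, pkt.dst_ip, pkt.dst_port))
    return not hit if reverse else hit


def parse_connection(spec):
    """Parse 'PROTO:SOURCE:DEST' where SOURCE and DEST are IP:PORT."""
    fields = spec.split(":")
    if len(fields) != 5:
        raise ValueError("CONNECTION must be PROTO:IP:PORT:IP:PORT")
    proto, sip, sport, dip, dport = fields
    return proto.upper(), (sip, int(sport)), (dip, int(dport))


def connection_matches(pkt, conn, only_source=False, only_dest=False):
    """-F semantics. Assumed: a CONNECTION covers both directions of the flow,
    and -s / -d keep only the packets sent by SOURCE / by DEST."""
    proto, src, dst = conn
    if pkt.proto.upper() != proto:
        return False
    p_src, p_dst = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    forward = (p_src, p_dst) == (src, dst)
    backward = (p_src, p_dst) == (dst, src)
    if only_source:
        return forward
    if only_dest:
        return backward
    return forward or backward


def select(packets, target=None, reverse=False, connection=None,
           only_source=False, only_dest=False):
    """Apply -f/-r and -F/-s/-d together; None means the option was not given."""
    return [p for p in packets
            if (target is None or target_matches(p, target, reverse))
            and (connection is None
                 or connection_matches(p, connection, only_source, only_dest))]


# Constructed sample headers, not taken from a real log file.
SAMPLE = [
    Packet("TCP", "00:11:22:33:44:55", "10.0.0.23", 3318,
           "aa:bb:cc:dd:ee:ff", "198.182.196.56", 80),
    Packet("TCP", "aa:bb:cc:dd:ee:ff", "198.182.196.56", 80,
           "00:11:22:33:44:55", "10.0.0.23", 3318),
    Packet("TCP", "00:11:22:33:44:66", "10.0.0.9", 40001,
           "00:11:22:33:44:55", "10.0.0.2", 22),
    Packet("UDP", "00:11:22:33:44:66", "10.0.0.9", 5353,
           "01:00:5e:00:00:fb", "224.0.0.251", 5353),
]

if __name__ == "__main__":
    print(len(select(SAMPLE, target=parse_target("//80"))), "packets on port 80")
    conn = parse_connection("TCP:10.0.0.23:3318:198.182.196.56:80")
    print(len(select(SAMPLE, connection=conn, only_source=True)), "sent by source")
```

       Note that a TARGET with only a port, such as //80, matches packets in
       either direction, which is why -s or -d is needed on top of -F when a
       single direction of a connection should be extracted.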
86
87
88       -s, --only-source
89              Display only packets that are sent by the source of the selected
90              CONNECTION.   This  option  makes sense only in conjunction with
91              the -F option.
92
93              TIP: if you want to save a file transferred in an  HTTP  or  FTP
94              connection, you can use the following command:
95
96              etterlog  -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp
97              > example.tar.gz
98
99
100       -d, --only-dest
101              Same as --only-source but it filters on the destination host.
102
103
104
105       -n, --no-headers
106              Do not print the header of each packet. This option is useful if
107              you  want  to  save a file in binary format (-B option). Without
108              the headers you can redirect the output to a file and  you  will
109              get the original stream.
110
111              NOTE:  the  time  stamp in the header is in the form: Thu Mar 27
112              23:03:31 2003 [169396], the value  in  the  square  brackets  is
113              expressed in microseconds
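       When the headers are kept, the time stamp format in the NOTE is what a
       timeline is built from. The Python below is an added illustration of
       parsing that format (not etterlog code): it keeps the bracketed value
       as microseconds rather than treating it as a fraction, and the two
       header stamps it works on are constructed.

```python
"""Parser for the per-packet header time stamp format described above,
'Thu Mar 27 23:03:31 2003 [169396]', where the bracketed value is microseconds.
Added illustration, not etterlog code; the header stamps are constructed."""
import re
from datetime import datetime

# weekday, month, (possibly space-padded) day, time, year, then [microseconds]
STAMP_RE = re.compile(
    r"^(?P<base>[A-Za-z]{3} [A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r" \[(?P<us>\d{1,6})\]$")


def is_stamp(text):
    """True when the text has the header time stamp shape."""
    return STAMP_RE.match(text.strip()) is not None


def parse_stamp(text):
    """Return a datetime with microsecond precision, or raise ValueError."""
    m = STAMP_RE.match(text.strip())
    if not m:
        raise ValueError(f"not an etterlog time stamp: {text!r}")
    base = datetime.strptime(m.group("base"), "%a %b %d %H:%M:%S %Y")
    return base.replace(microsecond=int(m.group("us")))


def seconds_between(first, second):
    """Elapsed seconds between two header stamps (negative if out of order)."""
    return (parse_stamp(second) - parse_stamp(first)).total_seconds()


# Constructed sample stamps (the first is the one quoted in the NOTE above).
FIRST = "Thu Mar 27 23:03:31 2003 [169396]"
SECOND = "Thu Mar 27 23:03:32 2003 [4000]"

if __name__ == "__main__":
    print(parse_stamp(FIRST).isoformat(),
          f"{seconds_between(FIRST, SECOND):.6f}s between the two packets")
```

       The regex limits the bracket value to six digits so that a corrupt
       header cannot produce a microsecond value the datetime type rejects.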


       -m, --show-mac
              In the headers also show the mac addresses corresponding to the
              ip addresses.


       -k, --color
              If used in conjunction with -F it displays the source and dest
              of the connection using different colors. If used with a
              LOG_INFO file it prints LAN hosts in green, REMOTE hosts in blue
              and GATEWAYS in red.


       -l, --only-local
              When displaying an INFO file, display information only about
              local hosts.


       -L, --only-remote
              When displaying an INFO file, display information only about
              remote hosts.



       SEARCH OPTIONS


       -e, --regex <REGEX>
              Display only packets matching the regex <REGEX>.
              If this option is used against a LOG_PACKET logfile, the regex
              is executed on the payload of the packet. If the type is
              LOG_INFO, the regex is executed on all the fields of the host
              profile (OS, banners, service and ethernet adapter).
              NOTE: the regex is compiled with the REG_ICASE flag (case
              insensitive).


       -u, --user <USER>
              Display information about this user. The search is performed
              over all the user/pass couples collected across all hosts.


       -p, --passwords
              Print only the collected account information for each host. This
              prevents the huge profile output. It can be used in conjunction
              with the -u option to filter the users. An asterisk '*' in front
              of an account represents a failed login attempt.


       -i, --show-client
              Show the client ip address when displaying the collected users
              and passwords. It may be useful when ACLs are in place.


       -I, --client <IP>
              Show passwords only coming from a specific <IP>. This is useful
              to view all the usernames and passwords of a client.




       EDITING OPTIONS


       -C, --concat
              Use this option to concatenate two (or more) files into one
              single file. This is useful if you have collected ettercap log
              files from multiple sources and want to have a unified report.
              The output file must be specified with the -o option and the
              input files are listed as normal arguments.

              example:
              etterlog -C -o outfile input1 input2 input3


       -o, --outfile <FILE>
              Specifies the output file for a concatenation.




       VISUALIZATION METHOD


       -B, --binary
              Print data as they are, in binary form. Useful to dump binary
              data to a file (as described above).


       -X, --hex
              Print the packets in hex format.

              example:

              the string "HTTP/1.1 304 Not Modified" becomes:

              0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
              0010: 204d 6f64 6966 6965 64                    Modified



       -A, --ascii
              Print only "printable" characters; the others are displayed as
              dots '.'


       -T, --text
              Print only the "printable" characters and skip the others.


       -E, --ebcdic
              Convert an EBCDIC text to ASCII.


       -H, --html
              Strip all html tags from the text. A tag is every string between
              '<' and '>'.

              example:

              <title>This is the title</title>, but the following <string>
              will not be displayed.

              This is the title, but the following will not be displayed.
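       The visualization methods -X, -A, -T, -E and -H above are simple
       transformations of a packet payload. The Python below re-implements
       them as an added illustration; it is not etterlog's code. Its
       assumptions: "printable" means bytes 0x20 to 0x7e (with tab, newline
       and carriage return optionally kept), the hex output matches the
       example's column layout exactly only for full 16-byte lines (the
       padding of a short last line is aligned to the first line's column and
       may differ from etterlog by a space), the EBCDIC code page is cp037,
       and the sample payloads REPLY and PAGE are constructed. Note that
       removing a tag leaves the spaces around it, so the html example yields
       two spaces where the rendered man page shows one.

```python
"""Re-implementation of the visualization methods -X (hex), -A (ascii),
-T (text), -H (html) and -E (ebcdic) over a byte payload, added here as an
illustration; this is not etterlog's code. Assumptions: "printable" means
0x20..0x7e (tab/newline/cr optionally kept), the hex column padding is only
matched exactly for full 16-byte lines, and the EBCDIC code page is cp037."""
import re


def _printable(b, keep_ws):
    return 0x20 <= b < 0x7f or (keep_ws and b in (0x09, 0x0a, 0x0d))


def ascii_view(data, keep_ws=False):
    """-A: printable bytes as-is, every other byte shown as a dot."""
    return "".join(chr(b) if _printable(b, keep_ws) else "." for b in data)


def text_view(data, keep_ws=True):
    """-T: printable bytes only; the others are skipped entirely."""
    return "".join(chr(b) for b in data if _printable(b, keep_ws))


def hexdump(data):
    """-X: one line per 16 bytes: 4-digit offset, eight 2-byte hex groups,
    then the ascii view of the same bytes."""
    lines = []
    for off in range(0, len(data), 16):
        chunk = data[off:off + 16]
        groups = [chunk[i:i + 2].hex() for i in range(0, len(chunk), 2)]
        hexpart = " ".join(groups).ljust(39)  # 8 groups * 4 chars + 7 spaces
        lines.append(f"{off:04x}: {hexpart}  {ascii_view(chunk)}")
    return "\n".join(lines)


TAG_RE = re.compile(r"<[^>]*>")


def strip_html(text):
    """-H: drop every string between '<' and '>' (a lone '<' is kept)."""
    return TAG_RE.sub("", text)


def ebcdic_to_ascii(data):
    """-E: decode with code page cp037 (assumed; etterlog's table may differ)."""
    return data.decode("cp037")


# Constructed sample payloads.
REPLY = b"HTTP/1.1 304 Not Modified"
PAGE = b"HTTP/1.1 200 OK\r\n\r\n<title>This is the title</title>\x00\x01 done"

if __name__ == "__main__":
    print(hexdump(REPLY))
    print(ascii_view(PAGE))
    print(strip_html(text_view(PAGE)))
```

       Chaining text_view and strip_html mirrors what -T -H does to a payload
       that mixes protocol headers, markup and binary bytes.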


       -U, --utf8 <encoding>
              Print the packets in UTF-8 format. The <encoding> parameter
              specifies the encoding to be used while performing the
              conversion. Use the `iconv --list` command to obtain a list of
              all supported encodings.


       -Z, --zero
              Always print the empty string, i.e. print only the header
              information; no packet content will be printed.


       -x, --xml
              Print the host information in xml form, so you can parse it with
              your favourite program.

              The DTD associated with the xml output is in share/etterlog.dtd


       STANDARD OPTIONS

       -v, --version
              Print the version and exit.


       -h, --help
              Print the help screen with a short summary of the available
              options.




EXAMPLES
       Here are some examples of using etterlog.

       etterlog -k -l dump.eci

              Displays information about local hosts in different colors.


       etterlog -X dump.ecp

              Prints packets in HEX mode with full headers.


       etterlog -c dump.ecp

              Displays the list of connections logged in the file.


       etterlog -Akn -F TCP:10.0.0.1:13423:213.203.143.52:6666 dump.ecp

              Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without
              header information and in colored mode.


       etterlog -H -t tcp -f //80 dump.ecp

              Dumps all HTTP traffic and strips html tags.


       etterlog -Z -r -f /10.0.0.2/22 dump.ecp

              Displays only the headers of all connections except ssh on host
              10.0.0.2


       etterlog -A -e 'user' -f //110 dump.ecp

              Displays only POP packets containing the 'user' regexp (case
              insensitive).


       etterlog -u root dump.eci

              Displays information about all the accounts of the user 'root'.


       etterlog -e Apache dump.eci

              Displays information about all the hosts running 'Apache'.


       etterlog -e Linux dump.eci

              Displays information about all the hosts with the 'Linux'
              operating system.


       etterlog -t tcp -f //110 dump.eci

              Displays information about all the hosts with the tcp port 110
              open.


       etterlog -t udp dump.eci

              Displays information about all the hosts with at least one UDP
              port open.


       etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > example.tar.gz

              Dumps in binary form the data sent by 10.0.0.1 over the data
              port of FTP. Since the headers are omitted, you will get the
              file as it was.




AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>




SEE ALSO
       ettercap(8) etterfilter(8) etter.conf(5) ettercap_curses(8)
       ettercap_plugins(8)

ettercap NG-0.7.3                                                  ETTERLOG(8)