ETTERLOG(8)                 System Manager's Manual                ETTERLOG(8)

NAME
       etterlog - Log analyzer for ettercap log files

SYNOPSIS
       etterlog [OPTIONS] FILE

DESCRIPTION
       Etterlog is the log analyzer for logfiles created by ettercap. It can
       handle both compressed (created with -Lc) and uncompressed logfiles.
       With this tool you can manipulate the binary log files as you like and
       print their data in different ways as many times as you want (in
       contrast with the previous logging system, which dumped everything in
       a single static manner).
       You can dump the traffic of a single connection of your choice or of
       one or more hosts, and print data in hex, ascii, binary, etc.

       TIP: All non-useful messages are printed to stderr, so you can save the
       output from etterlog with the following command:

              etterlog [options] logfile > outfile

       Thus you can, for example, dump a binary file from an ftp connection by
       printing the data in binary mode, without headers, and selecting only
       the ftp server as the source of the communication.

GENERAL OPTIONS
       -a, --analyze
              Analyze a log file and display some interesting statistics.

       -c, --connections
              Parse the log file and print a table of unique connections (port
              to port). This option can be used only on LOG_PACKET logfiles;
              on LOG_INFO logfiles it is useless.

              TIP: you can search for a particular host with the following
              command:

                     etterlog -c logfile.ecp | grep 10.0.0.1

       -f, --filter <TARGET>
              Print only packets coming from or going to TARGET. The TARGET
              specification is the same as in ettercap.
              TARGET is in the form MAC/IPs/PORTs. With IPv6 support enabled,
              TARGET is in the form MAC/IPs/IPv6/PORTs. Omitting one or more
              of its parts is equivalent to setting them to ANY. IPs and IPv6
              are treated as one part, so the address criterion is set to ANY
              only if both IPs and IPv6 are omitted. This gives the result
              most users would expect.

              If the log type is LOG_INFO, the target is used to display hosts
              matching the mac and ip and having the specified port(s) open.
              For example the target //80 will display only information about
              hosts with a running web server.

       -r, --reverse
              Reverse the matching in the TARGET selection. It means
              not(TARGET): all but the selected TARGET.
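
              The TARGET semantics above (omitted parts mean ANY, IPs and IPv6
              counting as one address criterion, -r inverting the selection)
              as an added Python example that is not part of etterlog; it
              assumes each part is a plain comma-separated list and models a
              logged packet as a (source, destination) pair of endpoints.

```python
# Added example, not etterlog's own code: a matcher for the TARGET syntax
# described above (MAC/IPs/PORTs, or MAC/IPs/IPv6/PORTs on IPv6 builds).
# Assumption: each part is a comma-separated list; an empty part means ANY.
import ipaddress
from dataclasses import dataclass

@dataclass
class Endpoint:
    mac: str
    ip: str      # IPv4 or IPv6 address in text form
    port: int

class Target:
    def __init__(self, spec: str):
        parts = spec.split("/")
        if len(parts) == 3:                    # MAC/IPs/PORTs
            mac, ips, ports = parts
            ip6 = ""
        elif len(parts) == 4:                  # MAC/IPs/IPv6/PORTs
            mac, ips, ip6, ports = parts
        else:
            raise ValueError(f"bad TARGET: {spec!r}")
        self.macs = {m.lower() for m in mac.split(",") if m}
        # IPs and IPv6 form ONE criterion: it is ANY only if both are empty.
        self.addrs = {ipaddress.ip_address(a)
                      for a in (ips + "," + ip6).split(",") if a}
        self.ports = {int(p) for p in ports.split(",") if p}

    def matches(self, e: Endpoint) -> bool:
        """An empty criterion set means ANY and never rejects an endpoint."""
        return ((not self.macs or e.mac.lower() in self.macs)
                and (not self.addrs or ipaddress.ip_address(e.ip) in self.addrs)
                and (not self.ports or e.port in self.ports))

def select(packets, target: Target, reverse: bool = False):
    """-f TARGET keeps packets whose source OR destination matches;
    -r (reverse=True) keeps everything but those, i.e. not(TARGET)."""
    return [(src, dst) for src, dst in packets
            if (target.matches(src) or target.matches(dst)) != reverse]

# Constructed sample: an SSH session to 10.0.0.2 and a web request.
SAMPLE = [
    (Endpoint("00:11:22:33:44:55", "10.0.0.1", 51000),
     Endpoint("66:77:88:99:aa:bb", "10.0.0.2", 22)),
    (Endpoint("00:11:22:33:44:55", "10.0.0.1", 51001),
     Endpoint("cc:dd:ee:ff:00:11", "198.182.196.56", 80)),
]
```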

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP). This option is
              only useful in "simple" mode. If you start ettercap in
              interactive mode both TCP and UDP are sniffed.
              PROTO can be "tcp", "udp" or "all" for both.

       -F, --filcon <CONNECTION>
              Print only packets belonging to this CONNECTION.
              CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are
              in the form IP:PORT.

              example:

                     etterlog -F TCP:10.0.0.23:3318:198.182.196.56:80

       -s, --only-source
              Display only packets that are sent by the source of the selected
              CONNECTION. This option makes sense only in conjunction with
              the -F option.

              TIP: if you want to save a file transferred in an HTTP or FTP
              connection, you can use the following command:

                     etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > example.tar.gz

       -d, --only-dest
              Same as --only-source but it filters on the destination host.
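
              The -F / -s / -d selection and the -B -n reassembly from the TIP
              above, as an added Python example that is not part of etterlog;
              it assumes IPv4 endpoints and models a logged packet as a tuple
              of protocol, endpoints and payload.

```python
# Added example, not etterlog's own code: select one CONNECTION in the
# PROTO:SOURCE:DEST form described above, keep one direction (-s / -d) and
# concatenate the payloads as -B -n would, leaving the transferred stream.
# Assumption: a logged packet is a Packet tuple with IPv4 endpoints.
from collections import namedtuple
from typing import Optional

Packet = namedtuple("Packet", "proto src_ip src_port dst_ip dst_port payload")

def parse_connection(spec: str):
    """'TCP:10.0.0.1:20:10.0.0.2:35426' -> ('TCP', ('10.0.0.1', 20), ('10.0.0.2', 35426))."""
    proto, sip, sport, dip, dport = spec.split(":")   # IPv4: exactly five fields
    return proto.upper(), (sip, int(sport)), (dip, int(dport))

def sending_side(pkt: Packet, conn) -> Optional[str]:
    """'source' or 'dest' for the side that sent pkt within conn, or None when
    the packet is not part of the connection (both directions belong to it)."""
    proto, src, dst = conn
    if pkt.proto.upper() != proto:
        return None
    if (pkt.src_ip, pkt.src_port) == src and (pkt.dst_ip, pkt.dst_port) == dst:
        return "source"
    if (pkt.src_ip, pkt.src_port) == dst and (pkt.dst_ip, pkt.dst_port) == src:
        return "dest"
    return None

def dump_stream(packets, spec: str, only: Optional[str] = None) -> bytes:
    """only=None mirrors -F alone, 'source' mirrors -F -s, 'dest' mirrors -F -d.
    Without headers (-n) the joined payloads are the raw stream itself."""
    conn = parse_connection(spec)
    return b"".join(p.payload for p in packets
                    if (side := sending_side(p, conn)) is not None
                    and (only is None or side == only))

# Constructed log: an FTP data transfer from 10.0.0.1:20, a bare ACK from the
# client, and an unrelated FTP control packet that must not reach the output.
SAMPLE = [
    Packet("TCP", "10.0.0.1", 20, "10.0.0.2", 35426, b"\x1f\x8b\x08\x00"),
    Packet("TCP", "10.0.0.2", 35426, "10.0.0.1", 20, b""),
    Packet("TCP", "10.0.0.1", 20, "10.0.0.2", 35426, b"tar-data..."),
    Packet("TCP", "10.0.0.1", 21, "10.0.0.2", 35425, b"226 Transfer complete\r\n"),
]
```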

       -n, --no-headers
              Do not print the header of each packet. This option is useful if
              you want to save a file in binary format (-B option). Without
              the headers you can redirect the output to a file and you will
              get the original stream.

              NOTE: the time stamp in the header is in the form: Thu Mar 27
              23:03:31 2003 [169396]; the value in the square brackets is
              expressed in microseconds.

       -m, --show-mac
              In the headers also show the mac addresses corresponding to the
              ip addresses.

       -k, --color
              If used in conjunction with -F, it displays the source and dest
              of the connection using different colors. If used with a
              LOG_INFO file, it prints LAN hosts in green, REMOTE hosts in
              blue and GATEWAYS in red.

       -l, --only-local
              When displaying an INFO file, show information only about local
              hosts.

       -L, --only-remote
              When displaying an INFO file, show information only about remote
              hosts.

SEARCH OPTIONS
       -e, --regex <REGEX>
              Display only packets matching the regex <REGEX>.
              If this option is used against a LOG_PACKET logfile, the regex
              is executed on the payload of the packet. If the type is
              LOG_INFO, the regex is executed on all the fields of the host
              profile (OS, banners, service and ethernet adapter).
              NOTE: the regex is compiled with the REG_ICASE flag (case
              insensitive).

       -u, --user <USER>
              Display information about this user. The search is performed
              over all the user/pass couples collected across all hosts.

       -p, --passwords
              Print only the collected account information for each host. This
              avoids the huge profile output. It can be used in conjunction
              with the -u option to filter the users. An asterisk '*' in
              front of an account represents a failed login attempt.

       -i, --show-client
              Show the client ip address when displaying the collected users
              and passwords. It may be useful when ACLs are in place.

       -I, --client <IP>
              Show only passwords coming from a specific <IP>. This is useful
              to view all the usernames and passwords of a client.

EDITING OPTIONS
       -C, --concat
              Use this option to concatenate two (or more) files into one
              single file. This is useful if you have collected ettercap log
              files from multiple sources and want to have a unified report.
              The output file must be specified with the -o option and the
              input files are listed as normal arguments.

              example:

                     etterlog -C -o outfile input1 input2 input3

       -o, --outfile <FILE>
              Specifies the output file for a concatenation.

VISUALIZATION METHOD
       -B, --binary
              Print data as they are, in binary form. Useful to dump binary
              data to a file (as described above).

       -X, --hex
              Print the packets in hex format.

              example:

              the string "HTTP/1.1 304 Not Modified" becomes:

                     0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
                     0010: 204d 6f64 6966 6965 64                   Modified

       -A, --ascii
              Print only "printable" characters; the others are displayed as
              dots '.'.

       -T, --text
              Print only the "printable" characters and skip the others.

       -E, --ebcdic
              Convert an EBCDIC text to ASCII.

       -H, --html
              Strip all html tags from the text. A tag is every string between
              '<' and '>'.

              example:

                     <title>This is the title</title>, but the following <string>
                     will not be displayed.

              becomes:

                     This is the title, but the following will not be displayed.

       -U, --utf8 <encoding>
              Print the packets in UTF-8 format. The <encoding> parameter
              specifies the encoding to be used while performing the
              conversion. Use the `iconv --list` command to obtain a list of
              all supported encodings.

       -Z, --zero
              Always print the empty string, i.e. print only header
              information and no packet content.

       -x, --xml
              Print the host information in xml form, so you can parse it with
              your favourite program.

              The DTD associated with the xml output is in share/etterlog.dtd

STANDARD OPTIONS
       -v, --version
              Print the version and exit.

       -h, --help
              Print the help screen with a short summary of the available
              options.

EXAMPLES
       Here are some examples of using etterlog.

       etterlog -k -l dump.eci

              Displays information about local hosts in different colors.

       etterlog -X dump.ecp

              Prints packets in HEX mode with full headers.

       etterlog -c dump.ecp

              Displays the list of connections logged in the file.

       etterlog -Akn -F TCP:10.0.0.1:13423:213.203.143.52:6666 dump.ecp

              Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without
              header information and in colored mode.

       etterlog -H -t tcp -f //80 dump.ecp

              Dumps all HTTP traffic and strips html tags.

       etterlog -Z -r -f /10.0.0.2/22 dump.ecp

              Displays only the headers of all connections except ssh on host
              10.0.0.2.

       etterlog -A -e 'user' -f //110 dump.ecp

              Displays only POP packets matching the 'user' regexp (case
              insensitive).

       etterlog -u root dump.eci

              Displays information about all the accounts of the user 'root'.

       etterlog -e Apache dump.eci

              Displays information about all the hosts running 'Apache'.

       etterlog -e Linux dump.eci

              Displays information about all the hosts with the 'Linux'
              operating system.

       etterlog -t tcp -f //110 dump.eci

              Displays information about all the hosts with the tcp port 110
              open.

       etterlog -t udp dump.eci

              Displays information about all the hosts with at least one UDP
              port open.

       etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > example.tar.gz

              Dumps in binary form the data sent by 10.0.0.1 over the data
              port of FTP. Since the headers are omitted, you will get the
              file as it was.

ORIGINAL AUTHORS
       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS
       Emilio Escobar (exfil) <eescobar@gmail.com>
       Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS
       Mike Ryan (justfalter) <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper) <anto.collarino@gmail.com>
       Ryan Linn <sussuro@happypacket.net>
       Jacob Baines <baines.jacob@gmail.com>

CONTRIBUTORS
       Dhiru Kholia (kholia) <dhiru@openwall.com>
       Alexander Koeppe (koeppea) <format_c@online.de>
       Martin Bos (PureHate) <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem <giva@bgnett.no>
       Johannes Bauer <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders) <daten@dnetc.org>

SEE ALSO
       ettercap(8) etterfilter(8) etter.conf(5) ettercap_curses(8)
       ettercap_plugins(8) ettercap-pkexec(8)

ettercap 0.8.3.1                                                   ETTERLOG(8)