ETTERLOG(8)                 System Manager's Manual                ETTERLOG(8)

NAME

       etterlog - Log analyzer for ettercap log files

SYNOPSIS

       etterlog [OPTIONS] FILE

DESCRIPTION

       Etterlog is the log analyzer for logfiles created by ettercap. It can
       handle both compressed (created with -Lc) and uncompressed logfiles.
       With this tool you can manipulate binary files as you like and you can
       print data in different ways as many times as you want (in contrast
       with the previous logging system, which dumped everything in a single
       static manner).
       You will be able to dump traffic from only one connection of your
       choice, from only one or more hosts, print data in hex, ascii, binary
       etc...

       TIP: All non-useful messages are printed to stderr, so you can save the
       output from etterlog with the following command:

       etterlog [options] logfile > outfile

              Thus you can dump for example a binary file from an ftp
              connection if you print the data in binary mode, without headers
              and selecting only the ftp server as the source of the
              communication.

   GENERAL OPTIONS

       -a, --analyze
              Analyze a log file and display some interesting statistics.

       -c, --connections
              Parse the log file and print a table of unique connections (port
              to port). This option can be used only on LOG_PACKET logfiles.
              On LOG_INFO logfiles it is useless.

              TIP: you can search for a particular host by using the following
              command:

              etterlog -c logfile.ecp | grep 10.0.0.1

       -f, --filter <TARGET>
              Print only packets coming from or going to TARGET. The TARGET
              specification is the same as in ettercap.
              TARGET is in the form MAC/IPs/PORTs. With IPv6 support enabled,
              TARGET is in the form MAC/IPs/IPv6/PORTs. Omitting one or more
              of its parts is equivalent to setting them to ANY. IPs and IPv6
              are treated as one part, so it is only set to ANY if both IPs
              and IPv6 are omitted. This gives the result most users would
              expect.

              If the log type is LOG_INFO the target is used to display hosts
              matching the mac, ip and having the specified port(s) open. For
              example the target //80 will display only information about
              hosts with a running web server.

       -r, --reverse
              Reverse the matching in the TARGET selection. It means
              not(TARGET): all but the selected TARGET.

       -t, --proto <PROTO>
              Sniff only PROTO packets (default is TCP + UDP). This option is
              only useful in "simple" mode. If you start ettercap in
              interactive mode both TCP and UDP are sniffed.
              PROTO can be "tcp", "udp" or "all" for both.

       -F, --filcon <CONNECTION>
              Print packets belonging only to this CONNECTION.
              CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are
              in the form IP:PORT.

              example:

              etterlog -F TCP:10.0.0.23:3318:198.182.196.56:80

       -s, --only-source
              Display only packets that are sent by the source of the selected
              CONNECTION. This option makes sense only in conjunction with
              the -F option.

              TIP: if you want to save a file transferred in an HTTP or FTP
              connection, you can use the following command:

              etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp
              > example.tar.gz

       -d, --only-dest
              Same as --only-source but it filters on the destination host.

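       The selection rules of -f/-r/-t and -F/-s/-d above, modelled in Python
       as an added example. This is not etterlog's own code: the Packet
       record, the MAC addresses and the sample traffic are constructed for
       the illustration, only the comma-separated list syntax of a TARGET is
       supported (no ranges), and a CONNECTION is parsed in the IPv4 form the
       page shows. It reproduces the documented behaviour that an omitted
       TARGET part means ANY, that IPs and IPv6 count as one part, that -r
       negates the match, and that -s/-d keep only one direction of the -F
       connection.

```python
"""Added example: a model of etterlog's -f/-r/-t/-F/-s/-d packet selection.
Not etterlog's own code; packets are constructed stand-ins, and only the
comma-separated list syntax shown on the man page is supported (no ranges)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # Constructed stand-in for one logged packet; the real record layout is
    # not documented on the page, so only the fields the filters need appear.
    proto: str
    src_mac: str
    src_ip: str
    src_port: int
    dst_mac: str
    dst_ip: str
    dst_port: int


def _part(text, conv):
    # An omitted part (empty string) means ANY, represented as None.
    text = text.strip()
    return None if not text else {conv(x.strip()) for x in text.split(",")}


def parse_target(spec):
    """MAC/IPs/PORTs, or MAC/IPs/IPv6/PORTs when built with IPv6 support.
    IPs and IPv6 are merged into one address set, so the set is ANY only if
    both are omitted (the behaviour the man page describes)."""
    parts = spec.split("/")
    if len(parts) == 3:
        mac, v4, v6, ports = parts[0], parts[1], "", parts[2]
    elif len(parts) == 4:
        mac, v4, v6, ports = parts
    else:
        raise ValueError("bad TARGET: %r" % spec)
    a4 = _part(v4, ipaddress.ip_address)
    a6 = _part(v6, ipaddress.ip_address)
    addrs = None if a4 is None and a6 is None else (a4 or set()) | (a6 or set())
    return _part(mac, str.lower), addrs, _part(ports, int)


def _endpoint_hits(target, mac, ip, port):
    # One endpoint matches when every non-ANY part of the TARGET matches it.
    macs, addrs, ports = target
    return ((macs is None or mac.lower() in macs)
            and (addrs is None or ipaddress.ip_address(ip) in addrs)
            and (ports is None or port in ports))


def parse_connection(spec):
    """PROTO:SRCIP:SRCPORT:DSTIP:DSTPORT, e.g. TCP:10.0.0.23:3318:198.182.196.56:80.
    Splitting on ':' only works for the IPv4 form, which is what the page shows."""
    proto, sip, sport, dip, dport = spec.split(":")
    return proto.lower(), (sip, int(sport), dip, int(dport))


def select_packets(packets, target=None, reverse=False, proto="all",
                   connection=None, only_source=False, only_dest=False):
    """-f TARGET keeps a packet if either endpoint matches, -r negates that,
    -t restricts the protocol, -F keeps one connection in both directions and
    -s/-d keep only what its source/destination sent."""
    tgt = parse_target(target) if target else None
    conn = parse_connection(connection) if connection else None
    out = []
    for p in packets:
        if proto != "all" and p.proto.lower() != proto.lower():
            continue
        if tgt is not None:
            hit = (_endpoint_hits(tgt, p.src_mac, p.src_ip, p.src_port)
                   or _endpoint_hits(tgt, p.dst_mac, p.dst_ip, p.dst_port))
            if hit == reverse:  # drop misses normally, drop hits under -r
                continue
        if conn is not None:
            cproto, (sip, sport, dip, dport) = conn
            fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port) == (sip, sport, dip, dport)
            back = (p.src_ip, p.src_port, p.dst_ip, p.dst_port) == (dip, dport, sip, sport)
            if p.proto.lower() != cproto or not (fwd or back):
                continue
            if (only_source and not fwd) or (only_dest and not back):
                continue
        out.append(p)
    return out


# Constructed sample traffic: documentation address ranges and made-up MACs.
SAMPLE = [
    Packet("tcp", "00:11:22:33:44:01", "10.0.0.1", 13423, "00:11:22:33:44:ff", "213.203.143.52", 6666),
    Packet("tcp", "00:11:22:33:44:ff", "213.203.143.52", 6666, "00:11:22:33:44:01", "10.0.0.1", 13423),
    Packet("tcp", "00:11:22:33:44:09", "10.0.0.9", 44821, "00:11:22:33:44:02", "10.0.0.2", 22),
    Packet("udp", "00:11:22:33:44:02", "10.0.0.2", 5353, "01:00:5e:00:00:fb", "224.0.0.251", 5353),
    Packet("tcp", "00:11:22:33:44:03", "10.0.0.3", 51000, "00:11:22:33:44:ff", "198.51.100.10", 80),
    Packet("tcp", "00:11:22:33:44:10", "2001:db8::10", 40000, "00:11:22:33:44:ff", "2001:db8::1", 443),
]

if __name__ == "__main__":
    for spec in ("//80", "/10.0.0.2/22", "//2001:db8::1/443"):
        print(spec, "->", len(select_packets(SAMPLE, target=spec)), "packet(s)")
```

       Note that /10.0.0.2/22 requires one endpoint to carry both the address
       and the port: the mDNS packet sent by 10.0.0.2 from port 5353 is not
       selected, so with -r it is kept, exactly as the ssh example in
       EXAMPLES intends.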
       -n, --no-headers
              Do not print the header of each packet. This option is useful if
              you want to save a file in binary format (-B option). Without
              the headers you can redirect the output to a file and you will
              get the original stream.

              NOTE: the time stamp in the header is in the form: Thu Mar 27
              23:03:31 2003 [169396]; the value in the square brackets is
              expressed in microseconds.

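       Parsing that time stamp into a value with microsecond precision, as an
       added example (not etterlog's own code), is what you need when lining
       up etterlog output with other evidence or measuring the interval
       between two packets. It assumes the stamp is exactly the documented
       ctime-style text followed by the bracketed microseconds, and that it
       is in the capturing host's local time, which the page does not state.

```python
"""Added example: parse the packet-header time stamp documented for -n,
"Thu Mar 27 23:03:31 2003 [169396]", where the bracket value is microseconds.
Not etterlog's own code; the stamp is assumed to be local time of the
capturing host, and the other header fields are not modelled."""
import re
from datetime import datetime

# ctime-style date, one space, microseconds in square brackets.
STAMP_RE = re.compile(
    r"^(?P<ctime>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})"
    r" \[(?P<usec>\d+)\]$")


def parse_stamp(text):
    """Return a naive datetime carrying the bracketed microseconds."""
    m = STAMP_RE.match(text.strip())
    if not m:
        raise ValueError("not an etterlog time stamp: %r" % text)
    usec = int(m.group("usec"))
    if usec > 999999:
        raise ValueError("microsecond field out of range: %d" % usec)
    base = datetime.strptime(m.group("ctime"), "%a %b %d %H:%M:%S %Y")
    return base.replace(microsecond=usec)


def elapsed(first, second):
    """Seconds between two header stamps, microseconds included."""
    return (parse_stamp(second) - parse_stamp(first)).total_seconds()


if __name__ == "__main__":
    print(parse_stamp("Thu Mar 27 23:03:31 2003 [169396]").isoformat())
```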
       -m, --show-mac
              In the headers also show the mac addresses corresponding to the
              ip addresses.

       -k, --color
              If used in conjunction with -F it displays the source and dest
              of the connection using different colors. If used with a
              LOG_INFO file it prints LAN hosts in green, REMOTE hosts in blue
              and GATEWAYS in red.

       -l, --only-local
              When displaying an INFO file, display information only about
              local hosts.

       -L, --only-remote
              When displaying an INFO file, display information only about
              remote hosts.

   SEARCH OPTIONS

       -e, --regex <REGEX>
              Display only packets matching the regex <REGEX>.
              If this option is used against a LOG_PACKET logfile, the regex
              is executed on the payload of the packet. If the type is
              LOG_INFO, the regex is executed on all the fields of the host
              profile (OS, banners, service and ethernet adapter).
              NOTE: the regex is compiled with the REG_ICASE flag (case
              insensitive).

       -u, --user <USER>
              Display information about this user. The search is performed
              over all the user/pass couples collected across all hosts.

       -p, --passwords
              Print only the collected account information for each host. This
              prevents the huge profile output. It can be used in conjunction
              with the -u option to filter the users. An asterisk '*' used in
              front of an account represents a failed login attempt.

       -i, --show-client
              Show the client ip address when displaying the collected users
              and passwords. It may be useful when ACLs are in place.

       -I, --client <IP>
              Show passwords only coming from a specific <IP>. This is useful
              to view all the usernames and passwords of a client.

   EDITING OPTIONS

       -C, --concat
              Use this option to concatenate two (or more) files into one
              single file. This is useful if you have collected ettercap log
              files from multiple sources and want to have a unified report.
              The output file must be specified with the -o option and the
              input files are listed as normal arguments.

              example:
              etterlog -C -o outfile input1 input2 input3

       -o, --outfile <FILE>
              Specifies the output file for a concatenation.

   VISUALIZATION METHOD

       -B, --binary
              Print data as they are, in binary form. Useful to dump binary
              data to a file (as described above).

       -X, --hex
              Print the packets in hex format.

              example:

              the string "HTTP/1.1 304 Not Modified" becomes:

              0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
              0010: 204d 6f64 6966 6965 64                    Modified

       -A, --ascii
              Print only "printable" characters; the others are displayed as
              dots '.'

       -T, --text
              Print only the "printable" characters and skip the others.

       -E, --ebcdic
              Convert an EBCDIC text to ASCII.

       -H, --html
              Strip all html tags from the text. A tag is every string between
              '<' and '>'.

              example:

              <title>This is the title</title>, but the following <string>
              will not be displayed.

              becomes:

              This is the title, but the following will not be displayed.

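       The -X, -A, -T, -H and -Z renderings above, reproduced in Python as an
       added example that is not etterlog's own code. The hex layout follows
       the "HTTP/1.1 304 Not Modified" sample on this page (offset, 2-byte
       groups, a padded hex area so the ASCII column lines up on the last
       line); "printable" is taken to mean the bytes 0x20 through 0x7e, and a
       tag is everything from a '<' to the next '>', both of which are
       assumptions about the tool's exact definitions.

```python
"""Added example: the -X, -A, -T, -H and -Z visualization modes in Python.
Not etterlog's own code; the -X layout is reproduced from the man page's
"HTTP/1.1 304 Not Modified" sample, and "printable" means 0x20..0x7e here."""
import re

HEX_CHARS_PER_LINE = 16


def _is_printable(b):
    # isprint()-style definition (assumption): space through tilde.
    return 0x20 <= b <= 0x7e


def hexdump(data):
    """-X: "OFFSET: " + 16 bytes as 2-byte groups + the ASCII column.
    The hex area is padded to a fixed width so the ASCII column lines up on
    a shorter final line, as in the man page sample."""
    lines = []
    for off in range(0, len(data), HEX_CHARS_PER_LINE):
        chunk = data[off:off + HEX_CHARS_PER_LINE]
        # one space after every second byte: "4854 5450 ..."
        hexpart = "".join("%02x%s" % (b, " " if i % 2 == 1 else "")
                          for i, b in enumerate(chunk))
        ascii_part = "".join(chr(b) if _is_printable(b) else "." for b in chunk)
        lines.append("%04x: %s %s" % (off, hexpart.ljust(HEX_CHARS_PER_LINE * 5 // 2), ascii_part))
    return "\n".join(lines)


def ascii_mode(data):
    """-A: printable bytes as themselves, everything else as a dot."""
    return "".join(chr(b) if _is_printable(b) else "." for b in data)


def text_mode(data):
    """-T: printable bytes only; the rest are dropped."""
    return "".join(chr(b) for b in data if _is_printable(b))


TAG_RE = re.compile(r"<[^>]*>")


def strip_html(text):
    """-H: remove every run from '<' to the next '>' (the man page's
    definition of a tag); whitespace around a removed tag is left as is."""
    return TAG_RE.sub("", text)


def render(data, mode):
    """Dispatch on the option letter; -Z always yields the empty string."""
    modes = {"X": hexdump, "A": ascii_mode, "T": text_mode,
             "H": lambda d: strip_html(ascii_mode(d)), "Z": lambda d: ""}
    return modes[mode](data)


SAMPLE = b"HTTP/1.1 304 Not Modified"  # the man page's own example string

if __name__ == "__main__":
    print(hexdump(SAMPLE))
```

       One caveat worth knowing before relying on -T output: it drops CR and
       LF along with every other non-printable byte, so HTTP header lines run
       together; -A keeps the line structure visible as dots.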
       -U, --utf8 <encoding>
              Print the packets in UTF-8 format. The <encoding> parameter
              specifies the encoding to be used while performing the
              conversion. Use the `iconv --list` command to obtain a list of
              all supported encodings.

       -Z, --zero
              Always print the empty string, i.e. print only header
              information and no packet content.

       -x, --xml
              Print the host information in xml form, so you can parse it with
              your favourite program.

              The DTD associated with the xml output is in share/etterlog.dtd

   STANDARD OPTIONS

       -v, --version
              Print the version and exit.

       -h, --help
              Print the help screen with a short summary of the available
              options.

EXAMPLES

       Here are some examples of using etterlog.

       etterlog -k -l dump.eci

              Displays information about local hosts in different colors.

       etterlog -X dump.ecp

              Prints packets in HEX mode with full headers.

       etterlog -c dump.ecp

              Displays the list of connections logged in the file.

       etterlog -Akn -F TCP:10.0.0.1:13423:213.203.143.52:6666 dump.ecp

              Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without
              header information and in colored mode.

       etterlog -H -t tcp -f //80 dump.ecp

              Dumps all HTTP traffic and strips html tags.

       etterlog -Z -r -f /10.0.0.2/22 dump.ecp

              Displays only the headers of all connections except ssh on host
              10.0.0.2

       etterlog -A -e 'user' -f //110 dump.ecp

              Displays only POP packets containing the 'user' regexp (case
              insensitive).

       etterlog -u root dump.eci

              Displays information about all the accounts of the user 'root'.

       etterlog -e Apache dump.eci

              Displays information about all the hosts running 'Apache'.

       etterlog -e Linux dump.eci

              Displays information about all the hosts with the 'Linux'
              operating system.

       etterlog -t tcp -f //110 dump.eci

              Displays information about all the hosts with the tcp port 110
              open.

       etterlog -t udp dump.eci

              Displays information about all the hosts with at least one UDP
              port open.

       etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > example.tar.gz

              Dumps in binary form the data sent by 10.0.0.1 over the data
              port of FTP. Since the headers are omitted, you will get the
              file as it was.

ORIGINAL AUTHORS

       Alberto Ornaghi (ALoR) <alor@users.sf.net>
       Marco Valleri (NaGA) <naga@antifork.org>

PROJECT STEWARDS

       Emilio Escobar (exfil)  <eescobar@gmail.com>
       Eric Milam (Brav0Hax)  <jbrav.hax@gmail.com>

OFFICIAL DEVELOPERS

       Mike Ryan (justfalter)  <falter@gmail.com>
       Gianfranco Costamagna (LocutusOfBorg)  <costamagnagianfranco@yahoo.it>
       Antonio Collarino (sniper)  <anto.collarino@gmail.com>
       Ryan Linn   <sussuro@happypacket.net>
       Jacob Baines   <baines.jacob@gmail.com>

CONTRIBUTORS

       Dhiru Kholia (kholia)  <dhiru@openwall.com>
       Alexander Koeppe (koeppea)  <format_c@online.de>
       Martin Bos (PureHate)  <purehate@backtrack.com>
       Enrique Sanchez
       Gisle Vanem  <giva@bgnett.no>
       Johannes Bauer  <JohannesBauer@gmx.de>
       Daten (Bryan Schneiders)  <daten@dnetc.org>

SEE ALSO

       ettercap(8) etterfilter(8) etter.conf(5) ettercap_curses(8)
       ettercap_plugins(8) ettercap-pkexec(8)

ettercap 0.8.3.1                                                   ETTERLOG(8)