14 May 2016

Ettercap Manual in Spanish [ In Progress ]

General usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

Choosing a Target in Ettercap


There is no concept of SOURCE or DESTINATION. The aim is to filter the traffic flowing between the two targets and vice versa (if the connection is bidirectional).
TARGET is in the form MAC/IPs/PORTs.

If you want, you can omit any of the parts; an omitted part means ANY for that part.


"//80" means ANY MAC address, ANY ip and ONLY port 80

"/10.0.0.1/" means ANY MAC address, ONLY ip 10.0.0.1 and ANY port

MAC must be unique and in the form 00:11:22:33:44:55

IPs is a range of IP addresses. You can specify a range with - and a single ip with a , (comma). You can also use ; (semicolon) to indicate different IP addresses.


"10.0.0.1-5;10.0.1.33" would be the range from 10.0.0.1 to 10.0.0.5 and then the IP 10.0.1.33

PORTs is a range of ports. You can specify a range with - and a single port with ,

"20-25,80,110" would be ports 20, 21, 22, 23, 24, 25, 80 and 110


You can reverse the targets with the -R option. If you want to sniff ALL the traffic except the traffic going to and from 10.0.0.1, you can specify "./ettercap -R /10.0.0.1/"

Targets are also involved in the initial scan of the network. You can use them to restrict the scan to only a subset of the hosts in that netmask. The result of the merge between the two targets will be scanned. Remember that not specifying a target means "no target", but specifying "//" means all the hosts in the subnet.
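The TARGET syntax described above, written out as a small parser and matcher. This is an added example, not ettercap's own code: the names Target, expand_tokens, expand_ips and selected are hypothetical, the comma/hyphen syntax is assumed to apply to every octet, an omitted TARGET2 is assumed to behave like "//" for matching, and the sample endpoints are constructed.

```python
import ipaddress
import math
import re
from itertools import product

MAC_RE = re.compile(r"[0-9a-f]{2}(:[0-9a-f]{2}){5}")
TOKEN_RE = re.compile(r"(\d+)(?:-(\d+))?")


def expand_tokens(spec, lo, hi):
    """Expand a comma/hyphen list such as '20-25,80,110' into sorted ints."""
    values = set()
    for token in spec.split(","):
        m = TOKEN_RE.fullmatch(token.strip())
        if not m:
            raise ValueError(f"bad token {token!r}")
        start, end = int(m.group(1)), int(m.group(2) or m.group(1))
        if not lo <= start <= end <= hi:
            raise ValueError(f"{token!r} is reversed or outside {lo}-{hi}")
        values.update(range(start, end + 1))
    return sorted(values)


def expand_ips(spec, limit=65536):
    """Expand '10.0.0.1-5;10.0.1.33' into a set of IPv4Address objects."""
    ips = set()
    for group in spec.split(";"):
        octets = group.strip().split(".")
        if len(octets) != 4:
            raise ValueError(f"bad IPv4 group {group!r}")
        # Assumption: every octet accepts the same comma/hyphen syntax.
        choices = [expand_tokens(octet, 0, 255) for octet in octets]
        if math.prod(len(c) for c in choices) > limit:
            raise ValueError(f"{group!r} expands to too many addresses")
        for combo in product(*choices):
            ips.add(ipaddress.IPv4Address(".".join(map(str, combo))))
    return ips


class Target:
    """One MAC/IPs/PORTs selector; an omitted part matches ANY."""

    def __init__(self, spec):
        parts = spec.split("/")
        if len(parts) != 3:
            raise ValueError(f"expected MAC/IPs/PORTs, got {spec!r}")
        mac, ips, ports = (p.strip() for p in parts)
        if mac and not MAC_RE.fullmatch(mac.lower()):
            raise ValueError(f"bad MAC {mac!r}")
        self.mac = mac.lower() or None
        self.ips = expand_ips(ips) if ips else None
        self.ports = set(expand_tokens(ports, 1, 65535)) if ports else None

    def matches(self, mac, ip, port):
        return ((self.mac is None or self.mac == mac.lower())
                and (self.ips is None or ipaddress.IPv4Address(ip) in self.ips)
                and (self.ports is None or port in self.ports))


def selected(t1, t2, src, dst, reverse=False):
    """True if a packet src -> dst is picked by the two targets.

    src and dst are (mac, ip, port) tuples. There is no source or
    destination role, so the pair is tried in both directions.
    reverse=True models the -R option (everything except the match).
    """
    hit = ((t1.matches(*src) and t2.matches(*dst))
           or (t2.matches(*src) and t1.matches(*dst)))
    return hit != reverse


if __name__ == "__main__":
    # Constructed endpoints: (MAC, IP, port).
    a = ("00:11:22:33:44:55", "10.0.0.1", 40000)
    b = ("00:aa:bb:cc:dd:07", "10.0.0.7", 80)
    c = ("00:aa:bb:cc:dd:08", "10.0.0.8", 22)
    only_host, anything = Target("/10.0.0.1/"), Target("//")
    print(expand_tokens("20-25,80,110", 1, 65535))
    print(sorted(map(str, expand_ips("10.0.0.1-5;10.0.1.33"))))
    print(selected(only_host, anything, b, a))                # True
    print(selected(only_host, anything, b, c, reverse=True))  # True
```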


Ettercap Options:


Sniffing and Attack options:

  -M, --mitm <METHOD:ARGS>    man in the middle attack

  -o, --only-mitm             does not sniff, only mitm

  -B, --bridge <IFACE>        use bridged sniff (needs 2 network interfaces)

If we were someone's default gateway and had two network interfaces with the traffic passing through them, we would select the "Bridged sniffing..." option.

  -p, --nopromisc             does not put the network interface in promiscuous mode

  -u, --unoffensive           does not forward packets

  -r, --read <file>           reads data from the capture (pcap) file <file>

  -f, --pcapfilter <string>   sets the pcap filter <string>

  -R, --reversed              uses reversed TARGET matching

  -t, --proto <proto>         sniffs only this protocol (default is all)

User interface type:

  -T, --text                  uses the text-mode interface
       -q, --quiet                 does not show packet contents
       -s, --script <CMD>          issues these commands to the GUI
  -C, --curses                uses the curses interface
  -G, --gtk                   uses the GTK+ GUI
  -D, --daemon                turns ettercap into a daemon (no GUI)

Logging options:

  -w, --write <file>          writes all sniffed data to a file <file>
  -L, --log <logfile>         logs all the traffic to <logfile>
  -l, --log-info <logfile>    log only passive infos to this <logfile>
  -m, --log-msg <logfile>     log all the messages to this <logfile>
  -c, --compress              use gzip compression on log files

Visualization options:

  -d, --dns                   resolves ip addresses into hostnames
  -V, --visual <format>       set the visualization format
  -e, --regex <regex>         visualize only packets matching this regex
  -E, --ext-headers           print extended header for every pck
  -Q, --superquiet            do not display user and password

General options:

  -i, --iface <iface>         use this network interface
  -I, --iflist                show all the network interfaces
  -n, --netmask <netmask>     force this <netmask> on iface
  -P, --plugin <plugin>       launch this <plugin>
  -F, --filter <file>         load the filter <file> (content filter)
  -z, --silent                do not perform the initial ARP scan
  -j, --load-hosts <file>     load the hosts list from <file>
  -k, --save-hosts <file>     save the hosts list to <file>
  -W, --wep-key <wkey>        use this wep key to decrypt wifi packets
  -a, --config <config>       use the alterative config file <config>

Standard options:

  -U, --update                updates the databases from ettercap website
  -v, --version               prints the version and exit
  -h, --help                  this help screen



Options Explained

Options that make sense together can generally be combined. Ettercap will warn the user about unsupported option combinations.



SNIFFING AND ATTACK OPTIONS

Ettercap has a new unified sniffing method. This implies that ip_forwarding in the kernel is always disabled and the forwarding is done by ettercap. Every packet whose destination MAC address is equal to the host's MAC address and whose destination IP address is different from the one bound to the network interface will be forwarded by ettercap.

Before forwarding them, ettercap can content filter, sniff, log or drop them. It does not matter how these packets are hijacked, ettercap will process them. You can even use external programs to hijack packets.
You have full control of what ettercap should receive. You can use the internal mitm attacks, set the interface in promisc mode, use plugins or use every method you want.

IMPORTANT NOTE: if you run ettercap on a gateway, remember to re-enable the ip_forwarding after you have killed ettercap. Since ettercap drops its privileges, it cannot restore the ip_forwarding for you.

-M, --mitm <METHOD:ARGS>
  MITM attack
This option will activate the man in the middle attack. The mitm attack is totally independent from the sniffing. The aim of the attack is to hijack packets and redirect them to ettercap. The sniffing engine will forward them if necessary.
You can choose the mitm attack that you prefer and also combine some of them to perform different attacks at the same time.
If a mitm method requires some parameters you can specify them after the colon (e.g. -M dhcp:ip_pool,netmask,etc).

The following mitm attacks are available:


arp ([remote],[oneway])
  This method implements the ARP poisoning mitm attack. ARP requests/replies are sent to the victims to poison their ARP cache. Once the cache has been poisoned the victims will send all packets to the attacker which, in turn, can modify and forward them to the real destination.

In silent mode (-z option) only the first target is selected; if you want to poison multiple targets in silent mode use the -j option to load a list from a file.

You can select empty targets and they will be expanded as ’ANY’ (all the hosts in the LAN). The target list is joined with the hosts list (created by the arp scan) and the result is used to determine the victims of the attack.

The parameter "remote" is optional and you have to specify it if you want to sniff remote ip addresses while poisoning a gateway. Indeed, if you specify a victim and the gw in the TARGETS, ettercap will sniff only connections between them, but to enable ettercap to sniff connections that pass thru the gw, you have to use this parameter.

The parameter "oneway" will force ettercap to poison only from TARGET1 to TARGET2. Useful if you want to poison only the client and not the router (where an arp watcher can be in place).

Example:

the targets are: /10.0.0.1-5/ /10.0.0.15-20/
and the host list is: 10.0.0.1 10.0.0.3 10.0.0.16 10.0.0.18

the associations between the victims will be:
1 and 16, 1 and 18, 3 and 16, 3 and 18

if the targets overlap each other, the association with identical ip address will be skipped.

NOTE: if you manage to poison a client, you have to set the correct routing table in the kernel specifying the GW. If your routing table is incorrect, the poisoned clients will not be able to navigate the Internet.
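Seen from the defender's side, the cache poisoning described above shows up as IP-to-MAC bindings that change and as one MAC answering for several IPs, which is what an ARP watcher like the one mentioned under "oneway" looks for. The following is an added example, not part of ettercap or of the original page: the three-column input format, the names ArpWatcher, scan and suspects, and the sample observations are constructed, and the first binding seen for an IP is trusted unless a pinned table is supplied.

```python
from collections import defaultdict

# Constructed sample: one observed ARP reply per line,
# "<seconds> <sender IP> <sender MAC>". 10.0.0.1 plays the gateway.
SAMPLE = """\
0.0  10.0.0.1  00:11:22:33:44:55
0.5  10.0.0.16 00:aa:bb:cc:dd:16
1.0  10.0.0.99 00:de:ad:be:ef:99
10.0 10.0.0.1  00:de:ad:be:ef:99
10.0 10.0.0.16 00:de:ad:be:ef:99
12.0 10.0.0.1  00:11:22:33:44:55
20.0 10.0.0.1  00:de:ad:be:ef:99
"""


def parse_observations(text):
    """Yield (timestamp, ip, mac) tuples from the constructed format."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields")
        yield float(fields[0]), fields[1], fields[2].lower()


class ArpWatcher:
    """Track IP-to-MAC bindings and report suspicious changes.

    pinned: known-good {ip: mac} bindings (for example the gateway).
    multi_ip_allow: MACs that legitimately answer for several IPs.
    """

    def __init__(self, pinned=None, multi_ip_allow=()):
        self.baseline = {ip: m.lower() for ip, m in (pinned or {}).items()}
        self.current = {}                # ip -> MAC seen most recently
        self.claims = defaultdict(set)   # MAC -> IPs it currently answers for
        self.flips = defaultdict(int)    # ip -> number of binding changes
        self.multi_ip_allow = {m.lower() for m in multi_ip_allow}

    def observe(self, ts, ip, mac):
        alerts = []
        # Without a pinned entry, the first MAC seen becomes the baseline.
        known_good = self.baseline.setdefault(ip, mac)
        previous = self.current.get(ip, known_good)
        if previous != mac:
            self.claims[previous].discard(ip)
            self.flips[ip] += 1
            kind = "RESTORE" if mac == known_good else "TAKEOVER"
            alerts.append({"ts": ts, "kind": kind, "ip": ip, "old": previous,
                           "new": mac, "flips": self.flips[ip]})
        self.current[ip] = mac
        newly_claimed = ip not in self.claims[mac]
        self.claims[mac].add(ip)
        if (newly_claimed and len(self.claims[mac]) > 1
                and mac not in self.multi_ip_allow):
            alerts.append({"ts": ts, "kind": "MULTI_IP", "mac": mac,
                           "ips": sorted(self.claims[mac])})
        return alerts


def scan(text, **kwargs):
    """Run every observation through a fresh watcher; return all alerts."""
    watcher = ArpWatcher(**kwargs)
    alerts = []
    for ts, ip, mac in parse_observations(text):
        alerts.extend(watcher.observe(ts, ip, mac))
    return alerts


def suspects(alerts):
    """MACs that took over an IP whose baseline belongs to another MAC."""
    return sorted({a["new"] for a in alerts if a["kind"] == "TAKEOVER"})


if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
    print("suspect MACs:", suspects(scan(SAMPLE)))
```

Repeated TAKEOVER/RESTORE flips on the same IP are the signature of a host and a poisoner both answering for it; hosts that really own several addresses belong in multi_ip_allow.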

icmp (MAC/IP)
  This attack implements ICMP redirection. It sends a spoofed icmp redirect message to the hosts in the lan pretending to be a better route for internet. All connections to internet will be redirected to the attacker which, in turn, will forward them to the real gateway. The resulting attack is a HALF-DUPLEX mitm. Only the client is redirected, since the gateway will not accept redirect messages for a directly connected network. BE SURE TO NOT USE FILTERS THAT MODIFY THE PAYLOAD LENGTH. You can use a filter to modify packets, but the length must be the same since the tcp sequences cannot be updated in both ways.
You have to pass as argument the MAC and the IP address of the real gateway for the lan.
Obviously you have to be able to sniff all the traffic. If you are on a switch you have to use a different mitm attack such as arp poisoning.

NOTE: to restrict the redirection to a given target, specify it as a TARGET

Example:

-M icmp:00:11:22:33:44:55/10.0.0.1

will redirect all the connections that pass thru that gateway.

dhcp (ip_pool/netmask/dns)
  This attack implements DHCP spoofing. It pretends to be a DHCP server and tries to win the race condition with the real one to force the client to accept the attacker’s reply. This way ettercap is able to manipulate the GW parameter and hijack all the outgoing traffic generated by the clients.
The resulting attack is a HALF-DUPLEX mitm. So be sure to use appropriate filters (see above in the ICMP section).

You have to pass the ip pool to be used, the netmask and the ip of the dns server. Since ettercap tries to win the race with the real server, it DOES NOT CHECK if the ip is already assigned. You have to specify an ip pool of FREE addresses to be used. The ip pool has the same form as the target specification.

If the client sends a dhcp request (suggesting an ip address) ettercap will ack on that ip and modify only the gw option. If the client makes a dhcp discovery, ettercap will use the first unused ip address of the list you have specified on command line. Every discovery consumes an ip address. When the list is over, ettercap stops offering new ip addresses and will reply only to dhcp requests.
If you don’t want to offer any ip address, but only change the router information of dhcp request/ack, you can specify an empty ip_pool.

BIG WARNING: if you specify a list of ip that are in use, you will mess your network! In general, use this attack carefully. It can really mess things up! When you stop the attack, all the victims will be still convinced that ettercap is the gateway until the lease expires...

Example:

-M dhcp:192.168.0.30,35,50-60/255.255.255.0/192.168.0.1
reply to DHCP offer and request.

-M dhcp:/255.255.255.0/192.168.0.1
reply only to DHCP request.

port ([remote],[tree])
  This attack implements Port Stealing. This technique is useful to sniff in a switched environment when ARP poisoning is not effective (for example where static mapped ARPs are used).

It floods the LAN (based on port_steal_delay option in etter.conf) with ARP packets. If you don’t specify the "tree" option, the destination MAC address of each "stealing" packet is the same as the attacker’s one (other NICs won’t see these packets), the source MAC address will be one of the MACs in the host list. This process "steals" the switch port of each victim host in the host list. Using low delays, packets destined to "stolen" MAC addresses will be received by the attacker, winning the race condition with the real port owner. When the attacker receives packets for "stolen" hosts, it stops the flooding process and performs an ARP request for the real destination of the packet. When it receives the ARP reply it’s sure that the victim has "taken back" his port, so ettercap can re-send the packet to the destination as is. Now we can re-start the flooding process waiting for new packets.

If you use the "tree" option, the destination MAC address of each stealing packet will be a bogus one, so these packets will be propagated to other switches (not only the directly connected one). This way you will be able to steal ports on other switches in the tree (if any), but you will generate a huge amount of traffic (according to port_steal_delay). The "remote" option has the same meaning as in "arp" mitm method.

When you stop the attack, ettercap will send an ARP request to each stolen host giving back their switch ports.
You can perform either HALF or FULL DUPLEX mitm according to target selection.

NOTE: Use this mitm method only on ethernet switches. Use it carefully, it could produce performance loss or general havoc.

NOTE: You can NOT use this method in only-mitm mode (-o flag), because it hooks the sniffing engine, and you can’t use interactive data injection.

NOTE: It could be dangerous to use it in conjunction with other mitm methods.

NOTE: This mitm method doesn’t work on Solaris and Windows because of the libpcap and libnet design and the lack of certain ioctl(). (We will feature this method on these OSes if someone will request it...)

Example:

The targets are: /10.0.0.1/ /10.0.0.15/
You will intercept and visualize traffic between 10.0.0.1 and 10.0.0.15, but you will receive all the traffic for 10.0.0.1 and 10.0.0.15 too.

The target is: /10.0.0.1/
You will intercept and visualize all the traffic for 10.0.0.1.

-o, --only-mitm
  This option disables the sniffing thread and enables only the mitm attack. Useful if you want to use ettercap to perform mitm attacks and another sniffer (such as ethereal) to sniff the traffic. Keep in mind that the packets are not forwarded by ettercap. The kernel will be responsible for the forwarding. Remember to activate the "ip forwarding" feature in your kernel.

-f, --pcapfilter <FILTER>
  Set a capturing filter in the pcap library. The format is the same as tcpdump(1). Remember that this kind of filter will not sniff packets out of the wire, so if you want to perform a mitm attack, ettercap will not be able to forward hijacked packets.
These filters are useful to decrease the network load impact into ettercap decoding module.

-B, --bridge <IFACE>
  BRIDGED sniffing
You need two network interfaces. ettercap will forward from one to the other all the traffic it sees. It is useful for man in the middle at the physical layer. It is totally stealthy since it is passive and there is no way for a user to see the attacker.
You can content filter all the traffic as if you were a transparent proxy for the "cable".

OFF LINE SNIFFING

-r, --read <FILE>
  OFF LINE sniffing
With this option enabled, ettercap will sniff packets from a pcap compatible file instead of capturing from the wire.
This is useful if you have a file dumped from tcpdump or ethereal and you want to make an analysis (search for passwords or passive fingerprint) on it.
Obviously you cannot use "active" sniffing (arp poisoning or bridging) while sniffing from a file.

-w, --write <FILE>
  WRITE packet to a pcap file
This is useful if you have to use "active" sniffing (arp poison) on a switched LAN but you want to analyze the packets with tcpdump or ethereal. You can use this option to dump the packets to a file and then load it into your favourite application.

NOTE: the dump file collects ALL the packets disregarding the TARGET. This is done because you may want to log even protocols not supported by ettercap, so you can analyze them with other tools.

TIP: you can use the -w option in conjunction with the -r one. This way you will be able to filter the payload of the dumped packets or decrypt WEP-encrypted WiFi traffic and dump them to another file.

USER INTERFACES OPTIONS

-T, --text
  The text only interface, only printf ;)
It is quite interactive, press ’h’ in every moment to get help on what you can do.

-q, --quiet
  Quiet mode. It can be used only in conjunction with the console interface. It does not print packet content. It is useful if you want to convert pcap file to ettercap log files.

example:

ettercap -Tq -L dumpfile -r pcapfile

-s, --script <COMMANDS>
  With this option you can feed ettercap with commands as if they were typed on the keyboard by the user. This way you can use ettercap within your favourite scripts. There is a special command you can issue thru this command: s(x). This command will sleep for x seconds.

example:

ettercap -T -s 'lq' will print the list of the hosts and exit
ettercap -T -s 's(300)olqq' will collect the infos for 5 minutes, print the list of the local profiles and exit

-C, --curses
  Ncurses based GUI. See ettercap_curses(8) for a full description.

-G, --gtk
  The nice GTK2 interface (thanks Daten...).

-D, --daemonize
  Daemonize ettercap. This option will detach ettercap from the current controlling terminal and set it as a daemon. You can combine this feature with the "log" option to log all the traffic in the background. If the daemon fails for any reason, it will create the file "./ettercap_daemonized.log" in which the error caught by ettercap will be reported. Furthermore, if you want to have a complete debug of the daemon process, you are encouraged to recompile ettercap in debug mode.


GENERAL OPTIONS

-i, --iface <IFACE>
  Use this <IFACE> instead of the default one. The interface can be unconfigured (requires libnet >= 1.1.2), but in this case you cannot use MITM attacks and you should set the unoffensive flag.

-I, --iflist
  This option will print the list of all available network interfaces that can be used within ettercap. The option is particularly useful under Windows where the name of the interface is not so obvious as under *nix.

-n, --netmask <NETMASK>
  Use this <NETMASK> instead of the one associated with the current iface. This option is useful if you have the NIC with an associated netmask of class B and you want to scan (with the arp scan) only a class C.

-R, --reversed
  Reverse the matching in the TARGET selection. It means not(TARGET). All but the selected TARGET.

-t, --proto <PROTO>
  Sniff only PROTO packets (default is TCP + UDP).
This is useful if you want to select a port via the TARGET specification but you want to differentiate between tcp or udp.
PROTO can be "tcp", "udp" or "all" for both.

-z, --silent
  Do not perform the initial ARP scan of the LAN.

NOTE: you will not have the hosts list, so you can’t use the multipoison feature. You can only select two hosts for an ARP poisoning attack, specifying them through the TARGETs

-p, --nopromisc
  Usually, ettercap will put the interface in promisc mode to sniff all the traffic on the wire. If you want to sniff only your connections, use this flag to NOT enable the promisc mode.

-u, --unoffensive
  Every time ettercap starts, it disables ip forwarding in the kernel and begins to forward packets itself. This option prevents that, so the responsibility of ip forwarding is left to the kernel.
This option is useful if you want to run multiple ettercap instances. You will have one instance (the one without the -u option) forwarding the packets, and all the other instances doing their work without forwarding them. Otherwise you will get packet duplicates.
It also disables the internal creation of the sessions for each connection. It increases performance, but you will not be able to modify packets on the fly.
If you want to use a mitm attack you have to use a separate instance.
You have to use this option if the interface is unconfigured (without an ip address).
This is also useful if you want to run ettercap on the gateway. It will not disable the forwarding and the gateway will correctly route the packets.

-j, --load-hosts <FILENAME>
  It can be used to load a hosts list from a file created by the -k option. (see below)

-k, --save-hosts <FILENAME>
  Saves the hosts list to a file. Useful when you have many hosts and you don’t want to do an ARP storm at startup any time you use ettercap. Simply use this option and dump the list to a file, then to load the information from it use the -j <filename> option.

-P, --plugin <PLUGIN>
  Run the selected PLUGIN. Many plugins need target specification, use TARGET as always.
In console mode (-C option), standalone plugins are executed and then the application exits. Hook plugins are activated and the normal sniffing is performed.
To have a list of the available external plugins use "list" (without quotes) as plugin name (e.g. ./ettercap -P list).

NOTE: you can also activate plugins directly from the interfaces (always press "h" to get the inline help)

More detailed info about plugins and about how to write your own are found in the man page ettercap_plugin(8)

-F, --filter <FILE>
  Load the filter from the file <FILE>. The filter must be compiled with etterfilter(8). The utility will compile the filter script and produce an ettercap-compliant binary filter file. Read the etterfilter(8) man page for the list of functions you can use inside a filter script.
NOTE: these filters are different from those set with --pcapfilter. An ettercap filter is a content filter and can modify the payload of a packet before forwarding it. Pcap filters are used to capture only certain packets.
NOTE: you can use filters on pcapfile to modify them and save to another file, but in this case you have to pay attention to what you are doing, since ettercap will not recalculate checksums, nor split packets exceeding the mtu (snaplen) nor anything like that.

-W, --wep-key <KEY>
  You can specify a WEP key to decrypt WiFi packets. Only the packets decrypted successfully will be passed to the decoders stack, the others will be skipped with a message.
The parameter has the following syntax: N:T:KEY. Where N is the bit length of the wep key (64, 128 or 256), T is the type of the string (’s’ for string and ’p’ for passphrase). KEY can be a string or an escaped hex sequence.

example:
--wep-key 128:p:secret
--wep-key 128:s:ettercapwep0
--wep-key '64:s:\x01\x02\x03\x04\x05'

-a, --config <CONFIG>
  Loads an alternative config file instead of the default in /etc/etter.conf. This is useful if you have many preconfigured files for different situations.


VISUALIZATION OPTIONS

-e, --regex <REGEX>
  Handle only packets that match the regex.
This option is useful in conjunction with -L. It logs only packets that match the posix regex REGEX.
It impacts even the visualization of the sniffed packets. If it is set only packets matching the regex will be displayed.

-V, --visual <FORMAT>
  Use this option to set the visualization method for the packets to be displayed.

FORMAT may be one of the following:

hex
  Print the packets in hex format.

example:

the string "HTTP/1.1 304 Not Modified" becomes:

0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74 HTTP/1.1 304 Not
0010: 204d 6f64 6966 6965 64 Modified

ascii
  Print only "printable" characters, the others are displayed as dots ’.’

text
  Print only the "printable" characters and skip the others.

ebcdic
  Convert an EBCDIC text to ASCII.

html
  Strip all the html tags from the text. A tag is every string between < and >.

example:

<title>This is the title</title>, but the following <string> will not be displayed.

This is the title, but the following will not be displayed.

utf8
  Print the packets in UTF-8 format. The encoding used while performing the conversion is declared in the etter.conf(5) file.

-d, --dns
  Resolve ip addresses into hostnames.

NOTE: this may seriously slow down ettercap while logging passive information. Every time a new host is found, a query to the dns is performed. Ettercap keeps a cache for already resolved hosts to increase the speed, but new hosts need a new query and the dns may take up to 2 or 3 seconds to respond for an unknown host.

HINT: ettercap collects the dns replies it sniffs in the resolution table, so even if you specify to not resolve the hostnames, some of them will be resolved because the reply was previously sniffed. Think about it as a passive dns resolution for free... ;)

-E, --ext-headers
  Print extended headers for every displayed packet. (e.g. mac addresses)

-Q, --superquiet
  Super quiet mode. Do not print users and passwords as they are collected. Only store them in the profiles. It can be useful to run ettercap in text only mode but you don’t want to be flooded with dissectors messages. Useful when using plugins because the sniffing process is always active, it will print all the collected infos, with this option you can suppress these messages.
NOTE: this option automatically sets the -q option.

example:

ettercap -TzQP finger /192.168.0.1/22



LOGGING OPTIONS

-L, --log <LOGFILE>
  Log all the packets to binary files. These files can be parsed by etterlog(8) to extract human readable data. With this option, all packets sniffed by ettercap will be logged, together with all the passive info (host info + user & pass) it can collect. Given a LOGFILE, ettercap will create LOGFILE.ecp (for packets) and LOGFILE.eci (for the infos).

NOTE: if you specify this option on command line you don’t have to take care of privileges since the log file is opened in the startup phase (with high privs). But if you enable the log option while ettercap is already started, you have to be in a directory where uid = 65535 or uid = EC_UID can write.

NOTE: the logfiles can be compressed with the deflate algorithm using the -c option.

-l, --log-info <LOGFILE>
  Very similar to -L but it logs only passive information + users and passwords for each host. The file will be named LOGFILE.eci

-m, --log-msg <LOGFILE>
  It stores in <LOGFILE> all the user messages printed by ettercap. This can be useful when you are using ettercap in daemon mode or if you want to track down all the messages. Indeed, some dissectors print messages but their information is not stored anywhere, so this is the only way to keep track of them.

-c, --compress
  Compress the logfile with the gzip algorithm while it is dumped. etterlog(8) is capable of handling both compressed and uncompressed log files.

-o, --only-local
  Stores profiles information belonging only to the LAN hosts.

NOTE: this option is effective only against the profiles collected in memory. While logging to a file ALL the hosts are logged. If you want to split them, use the related etterlog(8) option.

-O, --only-remote
  Stores profiles information belonging only to remote hosts.



STANDARD OPTIONS

-U, --update
  Connects to the ettercap website (ettercap.sf.net) and retrieves the latest databases used by ettercap.
If you want only to check if an update is available, prepend the -z option. The order does matter: ettercap -zU

SECURITY NOTE: The updates are not signed so an attacker may poison your DNS server and force the updateNG.php to feed ettercap with fake databases. This can harm your system since it can overwrite any file containing the string "Revision: ".

-v, --version
  Print the version and exit.

-h, --help
  Prints the help screen with a short summary of the available options.



EXAMPLES

Here are some examples of using ettercap.

ettercap -Tp
  Use the console interface and do not put the interface in promisc mode. You will see only your traffic.

ettercap -Tzq
  Use the console interface, do not ARP scan the net and be quiet. The packet content will not be displayed, but user and passwords, as well as other messages, will be displayed.

ettercap -T -j /tmp/victims -M arp /10.0.0.1-7/ /10.0.0.10-20/
  Will load the hosts list from /tmp/victims and perform an ARP poisoning attack against the two targets. The list will be joined with the target and the resulting list is used for ARP poisoning.

ettercap -T -M arp // //
  Perform the ARP poisoning attack against all the hosts in the LAN. BE CAREFUL !!

ettercap -T -M arp:remote /192.168.1.1/ /192.168.1.2-10/
  Perform the ARP poisoning against the gateway and the hosts in the lan between 2 and 10. The ’remote’ option is needed to be able to sniff the remote traffic the hosts make through the gateway.

ettercap -Tzq //110
  Sniff only the pop3 protocol from every host.

ettercap -Tzq /10.0.0.1/21,22,23
  Sniff telnet, ftp and ssh connections to 10.0.0.1.

ettercap -P list
  Prints the list of all available plugins