ettercap - Man page for the Ncurses GUI.
The curses GUI is quite simple and intuitive.
It is menu-driven. Every flag or function can be modified/called through the
upper menu. All user messages are printed in the bottom window. If you want to
see the old messages, you can scroll the window buffer by pressing the UP,
DOWN, PPAGE, NPAGE keys. The middle part is used to display information or
dialogs for the user.
The menus can be opened by pressing the relative hotkey. For the menus the
hotkey is represented by the uppercase initial letter of the title (e.g. 'S'
for Sniffing, 'T' for Targets). The functions within a menu can be called by
pressing the hotkey depicted near the function name on the right. Hotkeys
prefixed with 'C-' are to be used in conjunction with the CTRL key (e.g. 'C-f'
You can switch the focus between the objects on the screen by pressing the TAB
key or by clicking on it with the mouse (if you are running ettercap within an
xterm). Mouse events are supported only through the xterm. You can use the
mouse to select objects, open a menu, choose a function, scroll the elevators
for the scrolling windows, etc etc.
When you open multiple windows in the middle part, they will overlap. Use the
TAB key to switch between them. Use CTRL+Q to close the focused window.
You can also use CTRL+Q to close the input dialog if you want to cancel the
requested input. (i.e. you have selected the wrong function and you want to go
To have a quick help on the shortcuts you can use against a particular window
press the SPACE key. A help window will be displayed with a list of shortcuts
that can be used. If the window does not appear, no shortcuts are available.
To use the ncurses GUI you have to:
- compile ettercap with ncurses support (obviously)
- run it with the -C flag
Passing the -C flag is sufficient, but if you want you can pass other flags that
will be automatically set for the ncurses GUI. You will be able to override
them using the menu to change the options.
As soon as ettercap is launched with the Ncurses GUI, you will be prompted with
multiple choices. The first screen lets you select if you want to open a pcap
file or dump the sniffed traffic to a file, if you want unified sniffing or
bridged one, permits you to set a pcap file on the captured traffic and
enables you to log all the sniffed data.
Once you have selected a sniffing method (from file, unified or bridged) this
screen will not be reachable anymore. The only way is to restart ettercap.
Let's analyze each menu in the start screen:
- Open a pcap file and analyze it. All the functionalities
available for live sniffing are in place except for those sending or
forwarding packets (mitm attacks and so on...).
- Dump to file...
- All the traffic sniffed by the live capture will be dumped
to that file. The filters, not the targets, have effects on this file, as
all the packets received by pcap will be dumped. The only way to not dump
a certain packet is to set a proper pcap filter (see below).
Exits from ettercap and returns to the command prompt.
- Unified sniffing...
- Choosing this function you will be prompted to select the
network interface to be used for sniffing. The first up and running
interface is suggested in the input box. For an explanation of what
unified sniffing is, refer to ettercap(8).
TIP: if you use the 'u' hotkey, this step will be skipped and the default
interface is automatically selected.
- Bridged sniffing...
- After selecting the two interfaces to be used, you will
enter the Bridged sniffing mode. For an explanation of what bridged
sniffing is, refer to ettercap(8).
- Set pcap filter...
- Here you can insert a tcpdump-like filter for the capturing
IMPORTANT: if you manage to use a mitm attack, remember that if ettercap
does not see a packet, it will NOT be forwarded. So be sure of what you
are doing by setting a pcap filter.
- This enable/disable the unoffensive flag. The asterisk '*'
means "the option is enabled". Otherwise the option is not
- Promisc mode
- Enable/disable the promisc mode for the live capture on a
network interface. This is an "asterisk-option" as the
- Set netmask
- Use the specified netmask instead of the one associated
with the current iface. This option is useful if you have the NIC with an
associated netmask of class B and you want to scan (with the arp scan)
only a C class.
Once you have selected an offline sniffing or a live capture, the upper menu is
modified and you can start to do the interesting things...
Some of the following menu are only available in live capture.
- Start sniffing
- Starts the sniffing process depending on what you have
selected on startup (live or from file)
- Stop sniffing
- Stops the sniffing thread.
Returns to your favourite shell ;)
- Current Targets
- Displays a list of hosts in each TARGET. You can
selectively remove a host by selecting it and press 'd' or add a new host
pressing 'a'. To switch between the two lists, use the ARROWS keys.
- Select TARGET(s)
- Lets you select the TARGET(s) as explained in ettercap(8).
The syntax is the same as for the command line specification.
- You can choose to sniff only TCP, only UDP or both
- Reverse matching
- Reverse the matching of a packet. It is equivalent to a NOT
before the target specification.
- Wipe Targets
- Restores both TARGETS to ANY/ANY/ANY
- Hosts list
- Displays the list of hosts detected through an ARP scan or
converted from the passive profiles. This list is used by MITM attacks
when the ANY target is selected, so if you want to exclude a host from the
attack, simply delete it from the list.
You can remove a host from the list by pressing 'd', add it to TARGET1 by
pressing '1' or add it to TARGET2 by pressing '2'.
- Scan for hosts
- Perform the ARP scan of the netmask if no TARGETS are
selected. If TARGETS was specified it only scans for those hosts.
- Load from file...
- Loads the hosts list from a file previously saved with
"save to file" or hand crafted.
- Save to file...
- Save the current hosts list to a file.
- Displays the connection list. To see detailed information
about a connection press 'd', or press 'k' to kill it. To see the traffic
for a specific connection, select it and press enter. Once the two-panel
interface is displayed you can move the focus with the arrow keys. Press
'j' to switch between joined and split visualization. Press 'k' to kill
the connection. Press 'y' to inject interactively and 'Y' to inject a
file. Note that it is important which panel has the focus as the injected
data will be sent to that address.
HINT: connections marked with an asterisk contain account(s)
- Diplays the passive profile hosts list. Selecting a host
will display the relative details (including account with user and pass
for that host).
You can convert the passive profile list into the hosts list by pressing
'c'. To purge remote hosts, press 'l'. To purge local hosts, press 'r'.
You can also dump the current profile to a file by pressing 'd'; the
dumped file can be opened with etterlog(8).
HINT: profiles marked with an asterisk contain account(s) information.
- Displays some statistics about the sniffing process.
- Resolve IP addresses
- Enables DNS resolution for all the sniffed IP address.
CAUTION: this will extremely slow down ettercap. By the way the passive
dns resolution is always active. It sniffs dns replies and stores them in
a cache. If an ip address is present in that cache, it will be
automatically resolved. It is dns resolution for free... ;)
- Visualization method
- Change the visualization method for the sniffed data.
Available methods: ascii, hex, ebcdic, text, html.
- Visualization regex
- Set the visualization regular expression. Only packets
matching this regex will be displayed in the connection data window.
- Set the WiFi key
- Set the WiFi key used to decrypt WiFi encrypted packets.
See ettercap(8) for the format of the key.
- For each type of attack, a menu entry is displayed. Simply
select the attack you want and fill the arguments when asked. You can
activate more than one attack at a time.
- Stop mitm attack(s)
- Stops all the mitm attacks currently active.
- Load a filter...
- Load a precompiled filter file. The file must be compiled
with etterfilter(8) before it can be loaded.
- Stop filtering
- Unload the filter and stop filtering the connections.
- Log all packets and infos...
- Given a file name, it will create two files: filename.eci
(for information about hosts) and filename.ecp (for all the interesting
packets). This is the same as the -L option.
- Log only infos...
- This is used only to sniff information about hosts (same as
the -l option).
- Stop logging info
- Come on... it is self explanatory.
- Log user messages...
- Will log all the messages appearing in the bottom window
(same as -m option).
- Compressed file
- Asterisk-option to control whether or not the logfile
should be compressed.
- Manage the plugins
- Opens the plugin management window. You can select a plugin
and activate it by pressing 'enter'. Plugins already active can be
recognized by the  symbol instead of . If you select an active
plugin, it will be deactivated.
- Load a plugin...
- You can load a plugin file that is not in the default
search path. (remember that you can browse directories with EC_UID
Alberto Ornaghi (ALoR) <email@example.com>
Marco Valleri (NaGA) <firstname.lastname@example.org>
Emilio Escobar (exfil) <email@example.com>
Eric Milam (Brav0Hax) <firstname.lastname@example.org>
Mike Ryan (justfalter) <email@example.com>
Gianfranco Costamagna (LocutusOfBorg) <firstname.lastname@example.org>
Antonio Collarino (sniper) <email@example.com>
Ryan Linn <firstname.lastname@example.org>
Jacob Baines <email@example.com>
Dhiru Kholia (kholia) <firstname.lastname@example.org>
Alexander Koeppe (koeppea) <email@example.com>
Martin Bos (PureHate) <firstname.lastname@example.org>
Gisle Vanem <email@example.com>
Johannes Bauer <JohannesBauer@gmx.de>
Daten (Bryan Schneiders) <firstname.lastname@example.org>
ettercap(8) ettercap_plugins(8) etterlog(8)
etterfilter(8) etter.conf(5) ettercap-pkexec(8)