ettercap
Man-in-the-middle attack and network sniffing
SYNOPSIS
ettercap [-h] | [-V] | [-d] [-T|-C] [-i iface] [-M mitm[:size]] [-P plugin] [-f filter] [target1 [target2 [target3]]]
PARAMETERS
-h, --help
Display help summary
-V, --version
Show version information
-d, --daemon
Daemon mode (background)
-q, --quiet
Suppress all output
-u num, --user-limit=num
Max users in daemon mode
-T, --text-only
Text-only interface
-C, --curses
Ncurses interface
-G, --gtk
GTK interface (deprecated)
-i iface, --iface=iface
Capture on specific interface
-I list, --ifname=list
Select from interface list
-L file, --log=file
Log to specific file
-f filter.ecf
Load dissection filter
-F type
Filter type (hex, pcap, etc.)
-P plugin
Load plugin(s)
-M mitm[:size]
MITM mode (arp, dhcp, etc.)
-m mode
Activate MITM plugin
-p
Promiscuous mode
-s
Supersniffer mode
-N
No DNS resolution
-z
Saturate sniffers
-Z
Auto-close connections
-o file
Output to file
-r file
Read from offline pcap file
-t file
Read targets from file
-j file
Join pcap files
-k file
Keep dumping to pcap
-S
SSL dissection
-D
DNS spoofing
DESCRIPTION
Ettercap is a free, open-source network security tool designed for man-in-the-middle (MITM) attacks, packet sniffing, and protocol analysis. It enables interception and dissection of live network connections, content filtering on the fly, and injection of custom data. Supporting active and passive modes, it handles protocols like HTTP, FTP, SSH, and more, including sniffing credentials, SSL stripping, and ARP/DNS spoofing.
Primarily used by penetration testers and security professionals, Ettercap offers a text-based UI (TUI), ncurses interface, and legacy GTK GUI. It runs in promiscuous, daemon, or supersniffer modes, with plugin support for extensibility. Targeting uses intuitive syntax: // for the entire network, /192.168.1.1/ for a host, or //L for live hosts.
Key capabilities include ARP poisoning for traffic redirection, packet forging, and filtering via ECNF scripts. It logs sessions to files or databases. While powerful for vulnerability assessment, it requires root privileges and can disrupt networks if misused. Ethical use in controlled environments is essential to avoid legal issues.
CAVEATS
Requires root privileges; can cause network disruptions or DoS; illegal for unauthorized use on production networks. Not for beginners—risk of instability or detection.
TARGETING SYNTAX
// entire subnet
/IP/ single host
/IP/M/ IP and MAC
//L live hosts only
//R remote segment
INSTALLATION
Available in most distros (for example, apt install ettercap-common ettercap-graphical), or compile from source. Includes ettercap-common, etterfilter, ec_parse.
MITM EXAMPLES
ettercap -T -M arp:remote /target1/ /target2/
ARP poisoning
ettercap -T -M dhcp /192.168.1.0/24/
DHCP spoofing
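Detection counterpart to the ARP poisoning described above, as an added example that is not part of the original page or the Ettercap project: it scans (time, sender IP, sender MAC) observations from ARP replies and flags the two signs poisoning leaves behind, an IP address rebinding to a new MAC and one MAC answering for several IPs. The function name detect_arp_poisoning and every address in the sample are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) taken from ARP replies,
# e.g. exported from a packet capture. All addresses are made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),   # gateway, original MAC
    (1.0, "192.168.1.50", "bb:bb:bb:bb:bb:50"),  # workstation, original MAC
    (5.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # gateway IP claimed by a new MAC
    (5.1, "192.168.1.50", "cc:cc:cc:cc:cc:99"),  # workstation IP claimed by the same MAC
    (6.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),   # repeated claims keep the caches poisoned
    (6.1, "192.168.1.50", "cc:cc:cc:cc:cc:99"),
]


def detect_arp_poisoning(replies):
    """Return alerts for IP-to-MAC rebinding and for one MAC claiming several IPs."""
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in sorted(replies):
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({"time": ts, "type": "rebind", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:  # same MAC now answers for more than one IP
                alerts.append({"time": ts, "type": "multi_ip", "mac": mac,
                               "ips": sorted(mac_to_ips[mac])})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

Legitimate events such as DHCP lease reuse, gateway failover or proxy ARP also trigger these alerts, so review them against known infrastructure before acting. Switch-level controls such as Dynamic ARP Inspection address the same problem preventively.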
HISTORY
First released in 2001 by Jean-Baptiste Condat and Riccardo Necchi as part of the Ettercap Project. Evolved to v0.7.x (2004) with GUI, v0.8.x (2010s) adding plugins and IPv6. Now maintained on GitHub; stable at 0.8.3.2 (2015), with forks for updates.
SEE ALSO
tcpdump(1), wireshark(1), arping(8), dsniff(8), aircrack-ng(8)


