ettercap-NG-0.7.1 (sniffer)

25/Nov/2005 tested on SuSE 9.1

Ettercap is a suite for man-in-the-middle attacks on a LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols (even ciphered ones) and includes many features for network and host analysis.

Installation

  1. Download libnet from http://www.packetfactory.net/libnet/dist/, for example:
    # wget http://www.packetfactory.net/libnet/dist/libnet-1.1.2.1.tar.gz
    
  2. Install libnet
    # tar zxvf libnet-1.1.2.1.tar.gz
    # cd libnet
    # ./configure
    # make
    # make install
    
  3. Download ettercap from http://prdownloads.sourceforge.net/ettercap, for example:
    # wget http://switch.dl.sourceforge.net/sourceforge/ettercap/ettercap-NG-0.7.1.tar.gz
    
  4. Install ettercap
    # tar zxvf ettercap-NG-0.7.1.tar.gz
    # cd ettercap-NG-0.7.1
    # ./configure
    # make
    # make install
    
  5. If you see a GTK-related error like the one below, disable GTK using ./configure --disable-gtk
     main.c:320: error: `GTK_WRAP_WORD_CHAR' undeclared (first use in this function)
    This is caused by a bug in the installer code (it actually uses Gtk+ >= 2.4 features). This will be solved later.

How to use Ettercap

  1. Launch Ettercap in text mode (the -C option selects the curses interface).
    # ettercap -C
    
  2. If you compiled with GTK, you can launch it in GUI mode instead.
    # ettercap -G
    
  3. Make sure [Options]->[Promisc mode] is checked.
  4. Select [Sniff]->[Unified sniffing...] menu.
  5. Select a network interface.
  6. Select [Start]->[Start sniffing] menu.
  7. Select [Hosts]->[Scan for hosts] menu, then wait a moment while it scans the whole network for 255 hosts.
  8. Select [Mitm]->[Arp poisoning...] menu. Press Enter with no parameters.
  9. Select [View]->[Connections] menu.
  10. You can now see cleartext passwords on the subnet.
  11. To save the logs, select [Logging]->[Log all packets and infos...] menu.
  12. Read the log file:
    # etterlog -p -k -i --ascii logfile.eci | less
    

Search for PCs in promiscuous mode

  1. While running ettercap, select [Plugins]->[Manage the plugins] menu.
  2. From the plugin list, select [search_promisc 1.2] and press [Enter].
  3. You can see "Most probably sniffing NICS" at the bottom.
