We've told you that sniffers work only on hubs, where network packets get sent to every system connected to the hub. That's not entirely true. Sniffers work only when network packets between other machines are forced to pass through the network interface of the sniffing machine. Having the sniffer connected to a hub is the easiest way to accomplish this. Another way to accomplish this is to configure a particular switch port so that all traffic on the switch also gets sent to that "switch monitoring" port. Our discussion of dsniff introduced us to another way of intercepting traffic that is not meant for the sniffer—ARP and DNS poisoning. Another tool that lets you sniff in this manner (and much, much more) is called ettercap, which is billed as a sniffer for switched LANs.


Ettercap can be obtained from and runs on Linux, BSD, Solaris 2.x, most flavors of Windows, and Mac OS X. You can download the source code and compile it yourself or you can download available binaries for your platform. Compiling on standard Linux and FreeBSD systems is rather simple, as the only library requirements are the Gimp Tool Kit 2 (GTK2) and OpenSSL libraries.

Ettercap allows other users to build their own ettercap plug-ins. These plug-ins can be used to extend the functionality of ettercap. The current distribution of ettercap (0.7.3, the "next generation" of the tool) comes with 28 different plug-ins. You have to build and install the plug-ins separately using the make plug-ins and make plug-ins_install commands.


When you first start the ettercap GUI, you must select the sniffing mode and interface. Then, you can generate a list of hosts that are present on the local area network (LAN) by selecting the Hosts | Scan for hosts menu option. You can see the results by selecting the Hosts | Host list menu option as shown in Figure.

Image from book
Figure: View local hosts.

Ettercap also monitors the network for activate UDP and TCP connections. These connections are listed by the View | Connections menu option as shown in Figure.

Image from book
Figure: Find active network connections.

Unified Sniffing

Unified sniffing is a mode in which ettercap watches all traffic for sensitive information, usually usernames and passwords. It has filters for several protocols and applications, including web-based authentication such as Yahoo! as shown in Figure.

Image from book
Figure: Extracting specific values with filters

Unified sniffing combines features of the MAC- and ARP-based sniffing from previous versions. Some of these techniques have been placed under the Mitm (Man in the middle) menu options. Select ARP Poisoning if you wish to try sniffing in a switched environment.

Navigating Sniffed Connections

Obtaining a list of active connections can lead to more than just curiosity. You can do a number of things to the connection, including killing it with valid TCP packets. See Figure.

Image from book
Figure: Attacking active connections

Additional Tools

Ettercap has other capabilities provided by its plug-ins. Check them out under the Plugins menu (see Figure). You'll notice that the plug-ins range from offensive, such as denial of service, to defensive, such as finding other sniffers or looking for ARP poisoning attacks.

Image from book
Figure: More ettercap capabilities

Potential for Disaster

A lot of very technical, sneaky, and potentially disastrous features are buried in ettercap, and there's no way we can cover them all here. Our main goal in this admittedly brief section is to make the reader aware of the existence of this tool. If you're curious (or concerned) about this multifaceted wonder, visit ettercap's web site at The development forum in particular is a great place to learn about ettercap.

Previous Section
Next Section

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows