etterlog NG-0.7.3 - Log analyzer for ettercap log files
Etterlog is the log analyzer for logfiles created by ettercap. It can handle
both compressed (created with -Lc) or uncompressed logfiles. With this tool you
can manipulate binary files as you like and you can print data in
different ways all the times you want (in contrast with the previous logging
system which was used to dump in a single static manner).
You will be able to dump traffic from only one connection of your choice, from
only one or more hosts, print data in hex, ascii, binary etc...
TIP: All unuseful messages are printed to stderr, so you can save the
output from etterlog with the following command:
etterlog [options] logfile > outfile
Thus you can dump for example a binary file from an ftp connection if you print
the data in binary mode, without headers and selecting only the ftp server as the
source of the communication.
Analyze a log file and display some interesting statistics.
Parse the log file and print a table of unique connections (port to port).
This option can be used only on LOG_PACKET logfiles. On LOG_INFO logfiles it is
TIP: you can search for a particular host by using the following command:
etterlog -c logfile.ecp | grep 10.0.0.1
-f, --filter <TARGET>
Print only packets coming from or going to TARGET. The TARGET specification is
the same as in ettercap.
TARGET is in the form MAC/IPs/PORTs. Omitting one or more of its
parts will be equivalent to set them to ANY.
If the log type is LOG_INFO the target is used to display hosts matching
the mac, ip and having the specified port(s) open. For example the target //80
will display only information about hosts with a running web server.
Reverse the matching in the TARGET selection. It means not(TARGET). All but the
-t, --proto <PROTO>
Sniff only PROTO packets (default is TCP + UDP).
This option is only useful in "simple" mode. If you start ettercap in interactive mode
both TCP and UDP are sniffed.
PROTO can be "tcp", "udp" or "all" for both.
-F, --filcon <CONNECTION>
Print packets belonging only to this CONNECTION.
CONNECTION is in the form PROTO:SOURCE:DEST. SOURCE and DEST are in the form IP:PORT.
etterlog -F TCP:10.0.0.23:3318:184.108.40.206:80
Display only packets that are sent by the source of the selected CONNECTION.
This option makes sense only in conjunction with the -F option.
TIP: if you want to save a file transferred in an HTTP or FTP connection, you can
use the following command:
Same as --only-source but it filters on the destination host.
Do not print the header of each packet. This option is useful if you want to
save a file in binary format (-B option). Without the headers you can redirect
the output to a file and you will get the original stream.
NOTE: the time stamp in the header is in the form: Thu Mar 27 23:03:31 2003
, the value in the square brackets is expressed in microseconds
In the headers show also the mac addresses corresponding to the ip
If used in conjunction with -F it displays the source and dest of the connection
using different colors. If used with a LOG_INFO file it prints LAN hosts in green,
REMOTE hosts in blue and GATEWAYS in red.
Used displaying an INFO file, it displays information only about local hosts.
Used displaying an INFO file, it displays information only about remote hosts.
-e, --regex <REGEX>
Display only packets matching the regex <REGEX>.
If this option is used agains a LOG_PACKET logfile, the regex is executed on the
payload of the packet. If the type is LOG_INFO, the regex is executed on all
the fields of the host profile (OS, banners, service and ethernet adapter).
NOTE: the regex is compiled with the REG_ICASE flag (case insensitive).
-u, --user <USER>
Display information about this user. The search is performed over all the
user/pass couples collected across all hosts.
Print only the collected account information for each host. This prevents
the huge profile output. It can be used in conjunction with the -u option
to filter the users. An asterisk '*' used in front of an account represents
a failed login attempt.
Show the client ip address when displaying the collected users and
passwords. It may be useful when ACLs are in place.
-I, --client <IP>
Show passwords only coming from a specific <IP>. This is useful to view all the
usernames and passwords of a client.
Use this option to concatenate two (or more) files into one single file. This
is useful if you have collected ettercap log files from multiple sources and
want to have an unified report. The output file must be specified with the -o
option and the input files are listed as normal arguments.
Print only "printable" characters, the others are displayed as dots '.'
Print only the "printable" characters and skip the others.
Convert an EBCDIC text to ASCII.
Strip all html tags from the text. A tag is every string between '<' and '>'.
<title>This is the title</title>, but the following <string> will not be
This is the title, but the following will not be displayed.
-U, --utf8 <encoding>
Print the packets in UTF-8 format. The <encoding> parameter specifies the
encoding to be used while performing the conversion. Use the `iconv --list`
command to obtain a list of all supported encodings.
Print always the void string. i.e. print only header information and no packet
content will be printed.
Print the host information in xml form, so you can parse it with your favourite
The DTD associated with the xml output is in share/etterlog.dtd
Print the version and exit.
Print the help screen with a short summary of the available options.
Here are some examples of using etterlog.
etterlog -k -l dump.eci
Displays information about local hosts in different colors.
etterlog -X dump.ecp
Prints packets in HEX mode with full headers.
etterlog -c dump.ecp
Displays the list of connections logged in the file.