ETTERLOG(8)                    System Manager's Manual                    ETTERLOG(8)
NAME
etterlog - log analyzer for ettercap log files
SYNOPSIS
etterlog [OPTIONS] FILE
DESCRIPTION
Etterlog is the log analyzer for log files created by ettercap. It can handle both compressed (created with -Lc) and uncompressed log files. With this tool you can manipulate the binary log files as you like and print the data in different ways as many times as you want (in contrast with the previous logging system, which dumped everything in a single static format).
You can dump the traffic of a single connection of your choice, or of one or more hosts, and print the data in hex, ASCII, binary, etc.
TIP: All non-useful messages are printed to stderr, so you can save the output from etterlog with the following command:
Thus you can dump, for example, a binary file from an FTP connection by printing the data in binary mode, without headers, and selecting only the FTP server as the source of the communication.
TIP: You can search for a particular host with the following command:
etterlog -c logfile.ecp | grep 10.0.0.1
If the log type is LOG_INFO, the target is used to display hosts matching the MAC address and IP address and having the specified port(s) open. For example, the target //80 displays only information about hosts with a running web server.
example:
etterlog -F TCP:10.0.0.23:3318:198.182.196.56:80
TIP: If you want to save a file transferred in an HTTP or FTP connection, you can use the following command:
etterlog -B -s -n -F TCP:10.0.0.1:20:10.0.0.2:35426 logfile.ecp > example.tar.gz
NOTE: The time stamp in the header has the form Thu Mar 27 23:03:31 2003 [169396]; the value in square brackets is expressed in microseconds.
example:
etterlog -C -o outfile input1 input2 input3
example:
the string "HTTP/1.1 304 Not Modified" becomes:
0000: 4854 5450 2f31 2e31 2033 3034 204e 6f74  HTTP/1.1 304 Not
0010: 204d 6f64 6966 6965 64                    Modified
example:
<title>This is the title</title>, but the following <string> will not be displayed.
becomes:
This is the title, but the following will not be displayed.
The DTD associated with the XML output is in share/etterlog.dtd.
EXAMPLES
Here are some examples of using etterlog.
Displays information about local hosts in different colors.
Prints packets in HEX mode with full headers.
Displays the list of connections logged in the file.
Displays the IRC traffic made by 10.0.0.1 in ASCII mode, without header information and in colored mode.
Dumps all HTTP traffic and strips the HTML tags.
Displays only the headers of all connections except SSH on host 10.0.0.2.
Displays only POP packets containing the 'user' regexp (case insensitive).
Displays information about all the accounts of the user 'root'.
Displays information about all the hosts running 'Apache'.
Displays information about all the hosts with the 'Linux' operating system.
Displays information about all the hosts with the tcp port 110 open.
Displays information about all the hosts with at least one UDP port open.
Dumps in binary form the data sent by 10.0.0.1 over the data port of FTP. Since the headers are omitted, you will get the file as it was.
AUTHORS
Alberto Ornaghi (ALoR) <alor@users.sf.net>
Marco Valleri (NaGA) <naga@antifork.org>
Emilio Escobar (exfil) <eescobar@gmail.com>
Eric Milam (Brav0Hax) <jbrav.hax@gmail.com>
Mike Ryan (justfalter) <falter@gmail.com>
Gianfranco Costamagna (LocutusOfBorg) <costamagnagianfranco@yahoo.it>
Antonio Collarino (sniper) <anto.collarino@gmail.com>
Ryan Linn <sussuro@happypacket.net>
Jacob Baines <baines.jacob@gmail.com>
Dhiru Kholia (kholia) <dhiru@openwall.com>
Alexander Koeppe (koeppea) <format_c@online.de>
Martin Bos (PureHate) <purehate@backtrack.com>
Enrique Sanchez
Gisle Vanem <giva@bgnett.no>
Johannes Bauer <JohannesBauer@gmx.de>
Daten (Bryan Schneiders) <daten@dnetc.org>
SEE ALSO
ettercap(8) etterfilter(8) etter.conf(5) ettercap_curses(8) ettercap_plugins(8) ettercap-pkexec(8)
ettercap 0.8.3.1