Ettercap – Sniffer Interceptor Logger
Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. This program is fully unix based and was just ported to Mac OS X after a user requested it. If you are looking for your favorite unix based application to run on Mac OS X just give the programmers remote root so they don’t have to buy expensive hardware and they can do all the work from your box. 0.6.0 adds more support for Mac OS X!
Tools like this come in handy when programming, when you believe their is foul play happening, or possibly hackers on your network. This tool will let you see all the connections going to and from your computer.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
It’s possible to sniff in four modes.
IP Based, the packets are filtered on IP source and dest
MAC Based, packets filtered on mac address, useful to sniff connections through gateway
ARP based, uses arp poisoning to sniff in switched lan between two hosts (full-duplex).
PublicARP based, uses arp poisoning to sniff in switched lan from a victim host to all other hosts (half-duplex).
Addition features the program offers can help you in numerous ways, from killing connections to sniffing the network for any data. Some of the features the author highlights are list below.
Characters injection in an established connection : you can inject character to server (emulating commands) or to client (emulating replies) maintaining the connection alive !!
SSH1 support : you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the first software capable to sniff an SSH connection in FULL-DUPLEX
HTTPS support : you can sniff http SSL secured data… and even if the connection is made through a PROXY
Plug-ins support : You can create your own plugin using the ettercap’s API.
Password collector for : TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC (other protocols coming soon…)
Paket filtering/dropping: You can set up a filter that search for a particular string (even hex) in the TCP or UDP payload and replace it with yours or drop the entire packet.
OS fingerprint: you can fingerprint the OS of the host and even its network adapter
Kill a connection: from the connections list you can kill all the connections you want to discontinue traffic to your network. Hackers trying hard to get in?