Using Ettercap and Ethereal to Create MITM Attack on Switched Network

This is for educational purposes only! I set this lab in a controlled environment using a Windows file server, Windows XP desktop, and my laptop runing Knoppix live CD.  In this lab I use Ettercap only for arp poison and spoofing, and I use Ethereal for the sniffing.  First of all, I made sure my laptop would forward IP packets so I ran #echo 1 >/proc/sys/ipv4/ip_forward to accomplish this.  Next, I opened a root shell and fired up Ettercap with the arp poison plugin.  Instead of spoofing the traffic between two nodes, I flooded all traffic with poisoned arp packets, even the gateway.  The reason behind this is if an attacker has a target and wants to find the login information to the gateway, but doesn’t know which node in the subnet the admin/user will use to login to the gateway, the attacker could find out by running the commands I do which will cause a denial of service.  So, while spoofing the traffic, I also start ethereal to sniff the traffic and see which node logs into the gateway and any other pertinant info found in the packet.

Basically, the following two commands combined with the previous command used with Knoppix Live CD will create a MITM attack.
In one root console start Ettercap
#ettercap -o -T -P repoison_arp -M arp:remote //
In another root console start the text version of Ethereal
#tethereal -w /tmp/mitm_log.pcap -f “not arp and not icmp”
or if you have time and want to watch the traffic in real time your can start the Ethereal gui, however, either way you load the pcap file from the tethereal command in the gui Ethereal.

Screenshots of both Ettercap and Ethereal’s text version running simultaneously to cause a DOS and MITM attack can be found at

Linux, Network Security, Tutorials/Whitepapers, Wireless

3 comments to Using Ettercap and Ethereal to Create MITM Attack on Switched Network

  • Steener

    Hey you! 🙂

  • Steener


  • triz

    This is just an update, I think an easier way to accomplish this using Fedora Live Security Spin on my laptop. Same concept as before, but first I scan my network to see what hosts are available.

    #nmap -sT -o

    I find that look suspicious because it is out of the DHCP range 1-100 so appears to have a static IP. Once I enable IP forwarding on my laptop, I run ettercap to poison the arp cache on the remote host and default gateway.

    #ettercap –text –quiet -i wlan0 –mitm arp:remote / / -w ettercap.OUT.pcap

    This will create a .pcap file to review later with dsniff or Wireshark.


Leave a Reply