[packages/ettercap6.git] / ettercap-ncurses.patch

diff -uNr ettercap-0.6.3.1.orig/configure.in ettercap-0.6.3.1/configure.in
--- ettercap-0.6.3.1.orig/configure.in  Thu Dec 13 18:05:18 2001
+++ ettercap-0.6.3.1/configure.in       Sun Feb 10 16:19:19 2002
@@ -339,14 +339,14 @@
        ncurses_warn=0
        curses_warn=0
 
-       AC_CHECK_HEADERS(ncurses.h,,ncurses_warn=1)
+       AC_CHECK_HEADERS(ncurses/ncurses.h,,ncurses_warn=1)
        AC_CHECK_LIB(ncurses,newpad,,ncurses_warn=1)
 
        if test $ncurses_warn -ne 1; then
                AC_DEFINE(HAVE_NCURSES,1)
                ac_cv_ec_ncurses=yes
        else
-               AC_CHECK_HEADERS(curses.h,,curses_warn=1)
+               AC_CHECK_HEADERS(ncurses/curses.h,,curses_warn=1)
                AC_CHECK_LIB(curses,newpad,,curses_warn=1)
                AC_CHECK_LIB(curses,mvwgetnstr,,curses_warn=1)
 
@@ -364,7 +364,7 @@
        form_warn=0
 
        if test "$ncurses_warn$curses_warn" = "00"; then
-               AC_CHECK_HEADERS(form.h,,form_warn=1)
+               AC_CHECK_HEADERS(ncurses/form.h,,form_warn=1)
                AC_CHECK_LIB(form,form_win,,form_warn=1)
 
                if test $form_warn -ne 1; then
@@ -396,12 +396,12 @@
                ac_cv_ec_debug=yes
                ;;
        no)  AC_MSG_RESULT(no.)
-               CFLAGS="-O3 -funroll-loops -fomit-frame-pointer -Wall"
+               CFLAGS="${CFLAGS} -funroll-loops -fomit-frame-pointer -Wall"
                ac_cv_ec_debug=no
                ;;
 esac ],
        AC_MSG_RESULT(no. disabled by default.)
-       CFLAGS="-O3 -funroll-loops -fomit-frame-pointer -Wall"
+       CFLAGS="${CFLAGS} -funroll-loops -fomit-frame-pointer -Wall"
        ac_cv_ec_debug=no
 )
 AC_SUBST(DEBUG)
@@ -600,4 +600,4 @@
 echo "=================================================="
 echo
 
-EC_CHECK_DATE()
\ No newline at end of file
+EC_CHECK_DATE()
diff -uNr ettercap-0.6.3.1.orig/ettercap.8 ettercap-0.6.3.1/ettercap.8
--- ettercap-0.6.3.1.orig/ettercap.8    Thu Jan  1 01:00:00 1970
+++ ettercap-0.6.3.1/ettercap.8 Sun Feb 10 16:22:15 2002
@@ -0,0 +1,552 @@
+.\"  ettercap -- a ncurses-based sniffer/interceptor utility for switched LAN
+.\"
+.\"  Copyright (C) 2001  ALoR <alor@users.sourceforge.net>, NaGA <crwm@freemail.it>
+.\"
+.\"  This program is free software; you can redistribute it and/or modify
+.\"  it under the terms of the GNU General Public License as published by
+.\"  the Free Software Foundation; either version 2 of the License, or
+.\"  (at your option) any later version.
+.\"
+.\"  This program is distributed in the hope that it will be useful,
+.\"  but WITHOUT ANY WARRANTY; without even the implied warranty of
+.\"  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+.\"  GNU General Public License for more details.
+.\"
+.\"  You should have received a copy of the GNU General Public License
+.\"  along with this program; if not, write to the Free Software
+.\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+.de Sp
+.if n .sp
+.if t .sp 0.4
+..
+.TH ETTERCAP "8" "20010906" "ettercap 0.5.4"
+.SH NAME
+.B ettercap 0.5.4 \- A multipurpose sniffer over switched LANs
+
+.SH SYNOPSIS
+.B ettercap
+[\fIOPTIONS\fR] [\fIHOST:PORT\fR] [\fIHOST:PORT\fR] [\fIMAC\fR] [\fIMAC\fR]
+
+.SH DESCRIPTION
+Ettercap was born as a sniffer for switched LAN (and obviously even "hubbed" one),
+but during the development process it has gained more and more feature that have
+changed it to a powerful and flexible tool for man-in-the-middle attacks.
+It supports active and passive dissection of many protocols (even ciphered ones)
+and includes many feature for network and host analysis (such as OS fingerprint).
+.PP
+It has five sniffing methods:
+.br
++ IPBASED, the packets are filtered matching IP:PORT source and IP:PORT dest
+.br
++ MACBASED, packets filtered matching the source and dest MAC address. (useful
+to sniff connections through gateway)
+.br
++ ARPBASED, uses arp poisoning to sniff in switched LAN between two hosts
+(full-duplex m-i-t-m).
+.br
++ SMARTARP, uses arp poisoning to sniff in switched LAN from a victim host to all other
+hosts knowing the entire list of the hosts (full-duplex m-i-t-m).
+.br
++ PUBLICARP, uses arp poison to sniff in switched LAN from a victim host to all other
+hosts (half-duplex).
+.br
+With this method the ARP replies are sent in broadcast, but if ettercap has the complete
+host list (on start up it has scanned the LAN) SMARTARP method is automatically selected,
+and the arp replies are sent to all the hosts but the victim, avoiding conflicting MAC
+addresses as reported by win2K.
+.PP
+The most relevant ettercap features are:
+.PP
+.B Characters injection in an established connection :
+you can inject character to server (emulating commands) or to client (emulating replies)
+maintaining the connection alive !!
+.PP
+.B SSH1 support :
+you can sniff User and Pass, and even the data of an SSH1 connection. ettercap is the
+first software capable to sniff an SSH connection in FULL-DUPLEX
+.PP
+.B HTTPS support :
+you can sniff http SSL secured data... and even if the connection is made through a PROXY
+.PP
+.B Plug-ins support :
+You can create your own plugin using the ettercap's API.
+.PP
+.B Password collector for :
+TELNET, FTP, POP, RLOGIN, SSH1, ICQ, SMB, MySQL, HTTP, NNTP, X11, NAPSTER, IRC, RIP, BGP,
+SOCKS 5, IMAP 4, VNC (other protocols coming soon...)
+.PP
+.B Packet filtering/dropping:
+You can set up a filter chain that search for a particular string (even hex) in the TCP
+or UDP payload and replace it with yours or drop the entire packet.
+.PP
+.B OS fingerprint:
+you can fingerprint the OS of the victim host and even its network adapter (it uses the
+nmap (c) Fyodor database)
+.PP
+.B Kill a connection:
+from the connections list you can kill all the connections you want
+.PP
+.B Packet factory:
+You can create and sent packet forged on the fly. The factory let you to forge from Ethernet
+header to application level.
+
+.PP
+.SH OPTIONS
+Options that make sense together can generally be combined. ettercap will warn the user
+about unsupported option combinations.
+.TP
+.B SNIFFING METHODS
+.TP
+\fB\-a\fR, \fB\-\-arpsniff\fR
+ARP BASED sniffing
+.br
+This is THE sniffing method for switched LAN, and if you want to use the man-in-the-middle
+technique you have to use it. In conjunction with the silent mode (-z option) you must
+specify two IP and two MAC for ARPBASED (full-duplex) or one IP and one MAC for PUBLICARP
+(half-duplex). in PUBLICARP the ARP replies are sent in broadcast, but if ettercap has
+the complete host list (on start up it has scanned the LAN) SMARTARP method is automatically
+selected, and the arp replies are sent to all the hosts but the victim, and an hash table
+is created to re-route back the packet form victim to client obtaining in this way a full-duplex
+man in the middle attack.
+.br
+Filters that have as action a replacement or a drop, can be used only with ARPBASED
+sniffing because it is necessary to re-adjust the sequence number in full-duplex in order
+to maintain the connection alive.
+.TP
+\fB\-s\fR, \fB\-\-sniff\fR
+IP BASED sniffing
+.br
+This is the good old style sniffing method. It rocks on "hubbed" LAN, but useless on switched
+ones. You can choose the target specifying only source, only dest, with or without port, or
+nothing (to sniff all connections). A special ip "ANY" means from or to every host.
+.TP
+\fB\-m\fR, \fB\-\-macsniff\fR
+MAC BASED sniffing (you must select two host for this)
+.br
+Very useful to sniff TCP traffic with remote hosts. On hubbed LANs if you want to sniff a
+connection through a gateway is useless to specify the victim's ip and the gateway's ip,
+because the packet are for an external host, not for the gateway. So you can use this method.
+Simply specify the victim's MAC and the gateway's MAC and you will see all the connections
+from and to the Internet.
+
+
+.TP
+.B GENERAL OPTIONS
+.TP
+\fB\-N\fR, \fB\-\-simple\fR
+NON interactive mode (without ncurses)
+.br
+This method is useful if you want to launch ettercap from a script or if you already
+know some informations of your target or if you want to launch ettercap in background
+collecting data or password for you (in combination with the --quiet option).
+.br
+Some features are not available in this method, obviously the ones which requires
+interaction with the user, such as characters injection. But others (for example filtering)
+are fully supported, so you can set up ettercap to poison two host (a victim and its gateway)
+and to filter all its connection on the port 80 and replace some string with others,
+all its traffic to the Internet will be changed as you wish.
+.TP
+\fB\-z\fR, \fB\-\-silent\fR
+start in silent mode (no arp storm on start up)
+.br
+If you want to launch ettercap with a non invasive method (some NIDS may raise a warn
+if they detects too much arp request). You have to know all the requested data of the
+target in order to use this options. For example if you want to poison two host, you need
+the two IP and the two MAC addresses of the victims.
+If you select ipsniff or macsniff this method is automatically selected, because you don't
+need to know the list of the host in the LAN.
+.br
+To know the entire list of the hosts use "ettercap -Nl", but remember that it is a invasive
+method.
+.TP
+\fB\-b\fR, \fB\-\-broadping\fR
+use a broadcast ping instead of arp storm on start up.
+.br
+this method is less intrusive, but even less accurate. some hosts will not respond at the
+broadcast ping (es. Windows) so they remain invisible to this method. Useful if you want to
+scan a LAN with Linux hosts. As usual you can combine this option with --list to have a
+list of the hosts "ettercap -Nlb"
+.TP
+\fB\-D\fR, \fB\-\-delay <n sec>\fR
+the delay in seconds between the arp replies if you have selected an ARP poison sniffing
+method. This is useful if you want to be less aggressive in the poisoning. On many OS the
+default validity interval of the arp cache is more than a minute (on FreeBSD is 1200 sec).
+.br
+The default delay value is 30 sec.
+.TP
+\fB\-Z\fR, \fB\-\-stormdelay <n usec>\fR
+the delay in micro-seconds between the arp request on arp storm at start up.
+This is useful if you want to be less aggressive in the scanning. Many IDS will report
+massive arp request, but if you send them in a slower rate, they will not report any strange
+behavior.
+.br
+The default delay value is 1500 usec.
+.TP
+\fB\-S\fR, \fB\-\-spoof <IP>\fR
+If you want to elude some IDS, you can specify a spoofed IP used to scan the LAN with
+arp request. The source MAC can't be spoofed because a well configured switch will block
+your request.
+.TP
+\fB\-H\fR, \fB\-\-hosts <IP1[,IP2][,IP3][,...]>\fR
+on start up, scan only these hosts.
+.br
+this is useful if you want to use an ARP scanning of the LAN but only on certain IPs.
+so you can benefit from a ARP scan but remaining less invasive.
+Useful even if you want to do PUBLIC ARP but you want to poison only specific hosts.
+since with a list PUBLIC ARP is automatically converted to SMARTARP, only these host
+will be poisoned and you can leave untouched the arp caches of the other hosts.
+.br
+the IP list must be in dotted notation and separated by comma (without black spaces
+between them), you can use wildcards.
+.br
+eg: 192.168.0.2?  --> from 20 to 29
+.br
+    192.168.0.1*  --> host 1, from 10 to 19 and from 100 to 199
+.TP
+\fB\-d\fR, \fB\-\-dontresolve\fR
+don't resolve IPs on start up. this is useful if you experience an insane "Resolving
+n hostnames..." message on start up. This is due to a very slow DNS in your environment.
+.TP
+\fB\-i\fR, \fB\-\-iface <IFACE>\fR
+network interface to be used for all the operation. you can even specify network aliases
+in order to scan a subnet with different ip form your current one.
+.TP
+\fB\-n\fR, \fB\-\-netmask <NETMASK>\fR
+the netmask used to scan the LAN. (in dotted notation). the default is your current
+ifconfig netmask. but your netmask is for example 255.255.0.0 I encourage you to specify
+a more restrictive one, if you managed to do an ARP scanning on start up.
+.TP
+\fB\-e\fR, \fB\-\-etterconf <FILENAME>\fR
+use the config file instead of command line options
+.br
+etter.conf example file is packaged in the tarball, refer to it to know how to write a
+config file. all the instruction are written in this example. via the conf file you
+can disable selectively one protocol dissector or move it on one other port.
+.br
+command line options and config file can be mixed for much flexibility, but remember
+that the options in the config file override the command line, so if in etter.conf
+you have specified IFACE: eth0, and you launch "ettercap -i eth1 -e etter.conf"
+the selected iface will be eth0.
+.br
+NOTE: the "-e etter.conf" options has to be specified after all other options.
+.TP
+\fB\-v\fR, \fB\-\-version\fR
+check for the latest ettercap version.
+.br
+All operation are under your control. Every step requires a user confirmation.
+With this option ettercap will connect to the http://ettercap.sourceforge.net:80 web
+side and ask for the page /latest.php. then the result are parsed and compared with
+your current version. If there is a newer version available, ettercap will ask you if
+you want to wget it. (wget must be in the path).
+.br
+If you want to automatically answer yes at all the question add the option -y
+.TP
+\fB\-h\fR, \fB\-\-help\fR
+prints the help screen with a short summary of the available options.
+
+
+
+.TP
+.B SILENT MODE OPTIONS (only combined with -N)
+.TP
+\fB\-u\fR, \fB\-\-udp\fR
+sniff only UDP packets (default is TCP).
+This option is only useful in "simple" mode, if you start ettercap in interactive mode
+both TCP and UDP are sniffed.
+.TP
+\fB\-R\fR, \fB\-\-reverse\fR
+sniff all the connection but the selected one. This option is useful if you are using
+ettercap on a remote machine and you want to sniff all the traffic but you connection from
+local to remote, because including it will sniff even the ettercap output and it will be
+screwed up...
+.TP
+\fB\-p\fR, \fB\-\-plugin <NAME>\fR
+run the plugin "NAME".
+.br
+most plugins need a destination host. simply specify it after plugin name, in fact
+hosts are parsed on command line as first the DEST and so the SOURCE.
+.br
+To have a list of the available plugins use "list" (without quotes) as plugin name.
+.br
+More detailed info about plugins and about how to write your own are found in the
+README.PLUGINS file.
+.Sp
+Currently these plugins are shipped with the official distro:
+.Sp
+    arpcop -- Report suspicious ARP replies   (developed by acelent)
+.br
+   banshee -- They kill without discretion...
+.br
+     dummy -- Dummy plugin. It does nothing !   (only a template)
+.br
+     golem -- nice D.O.S.  BE CAREFUL !!
+.br
+     leech -- Isolate a host from the LAN
+.br
+    lurker -- try to search for other ettercap
+.br
+       imp -- Retrieves some Windows names
+.br
+      ooze -- Ping a host
+.br
+   phantom -- Sniff/Spoof DNS requests
+.br
+    shadow -- A very simple SYN/TCP port scanner
+.br
+   spectre -- flood a switched LAN with random MAC addresses
+.br
+    triton -- Try to discover the LAN's gateway
+.TP
+\fB\-l\fR, \fB\-\-list\fR
+lists all the hosts in the LAN, reporting each MAC address.
+.br
+Commonly combined options are -b (for broadcast ping) and -d (don't resolve hostname).
+.TP
+\fB\-C\fR, \fB\-\-collect\fR
+collect all users and password from the hosts specified on command line.
+.br
+Password collector are configured in the config file (etter.conf), if you want
+you can disable them selectively or move them on other port. This is useful if you
+don't want to sniff SSH connection (the key change alert will raise suspects) but
+want to sniff all other supported protocols. Or even if you know that a host has the
+telnet service on port 4567, simply move the telnet dissector on 4567/tcp
+.TP
+\fB\-f\fR, \fB\-\-fingerprint <HOST>\fR
+do OS fingerprinting on HOST.
+.br
+This option uses the same database and the same method used by
+.I nmap (c) Fyodor <fyodor@insecure.org>
+so I report a piece of its man page :
+.Sp
+This option activates remote host identification via TCP/IP fingerprinting. In other
+words, it uses a bunch of techniques to detect subtleties in the underlying operating
+system network stack of the computers you are scanning. It uses this information to
+create a  'fingerprint' which it compares with its database of known OS fingerprints
+(the nmap-os-fingerprints file) to decide what type of system you are scanning.
+.Sp
+the -f options even provides you the vendor of the network adapter of the scanned host.
+the info are stored in the mac-fingerprints database.
+.TP
+\fB\-x\fR, \fB\-\-hexview\fR
+to dump data in hex mode.
+.br
+TIP: while sniffing you can change the visualization mode by hitting 'a' for ascii or 'x' for hex.
+on line help is recalled by 'h'.
+.TP
+\fB\-L\fR, \fB\-\-logtofile\fR
+if used alone logs all data to specific file(s). it crates a separate file for each connection
+in the form "YYYYMMDD-P-IP:PORT-IP:PORT.log"
+.br
+if used with -C (collector) it creates a file with all the password sniffed in the session in
+the form "YYYYMMDD-collected-pass.log"
+.TP
+\fB\-q\fR, \fB\-\-quiet\fR
+"demonize" ettercap.
+.br
+useful if you want to log all data in background. this options will detach
+ettercap from the current tty and set it as a demon collecting data to files. it must be
+combined with -NL (or -NLC) otherwise it has no effects. Obviously the sniffing method
+is required, so you have to combine it with this option.
+.TP
+\fB\-k\fR, \fB\-\-newcert\fR
+create a new cert file for HTTPS man-in-the-middle.
+.br
+useful if you want to create a certfile with social engineered information...
+.br
+the new file is created in the current working directory. to permanently substitute the
+default cert file (etter.sll.crt) you have to overwrite /usr/share/ettercap/etter.ssl.crt
+.TP
+\fB\-F\fR, \fB\-\-filter <FILENAME>\fR
+load the filters chains  from FILENAME
+.br
+the Filtering chains file is written in pseudo XML format. You can write by hand this
+file or (better) use the ncurses interface to let ettercap create it (press 'F' in the
+connection list interface). If you are skilled in XML parsing, you can write your own
+program to make a filter chain file.
+.Sp
+the rules are simple:
+.Sp
+If the proto <proto> AND the source port <source> AND the dest port <dest> AND the payload <search>
+match the rules, after the filter as done its action <action>, it jumps in the chain
+to the filter id specified in the <goto> field, else it jumps to <elsegoto>.
+If these field are left blank the chain is interrupted. Source and dest port equal to
+0 (zero) means ANY port. You can use wildcards in the search string (see README for detail)
+.Sp
+NOTE: with this options filter are enabled by default, if you want to
+disable them on the fly, press "S" (for source) or "D" (for dest) while sniffing
+.Sp
+NOTE: on command line the hosts are parsed as "ettercap -F etter.filter DEST SOURCE", so
+the first host is bound to the dest chain and the second to the source chain.
+.Sp
+VERY IMPORTANT: the source chain is applied to data COMING FROM source and NOT GOING TO
+source. keep this in mind !! the same is for dest...
+.TP
+\fB\-c\fR, \fB\-\-check\fR
+check if you were poisoned by other poisoners in the LAN
+.TP
+\fB\-t\fR, \fB\-\-linktype\fR
+check if you are on a switched LAN or not... Sometimes this discovery method can fail.
+don't trust it at 100%
+
+
+.SH TARGET SPECIFICATION
+The targets are parsed on command line in reverse order. The first host is the DEST and the
+second is the SOURCE. this doesn't care if you are sniffing in ip based mode, because
+source and dest are ignored, but if you are filtering the connection this is crucial for
+the binding of the related filter chain.
+.br
+The reverse order is due to a more intuitive interface for plugins. because some plugins
+need the dest host to be specified, it is simpler to type:
+"ettercap -Np ooze victim" than "ettercap -Np ooze NOONE victim".
+.br
+The targets can be specified in dotted notation (192.168.0.1) or with their symbolic name
+(victim.mynet.org). Only within the -H (--hosts) option you can use wildcards.
+
+
+.SH INTERACTIVE MODE
+The interactive mode (ncurses mode) is automatically selected if ettercap is launched
+without the option -N . Explain what you can do with it will take pages and pages... and I'm
+not a good writer... so if you don't know what can you do in some circumstances, simply
+press 'H' and a help screen will popup. there you can find a detailed list of all available
+commands.
+
+
+.SH EXAMPLES
+Here are some examples of using ettercap.
+.TP
+.B ettercap -b
+.Sp
+On startup use broadcast ping to scan the LAN instead of ARP request all the
+subnet IPs.
+.TP
+.B ettercap -H "192.168.0.?,192.168.0.3?,192.168.0.2*"
+.Sp
+On startup scan only the host 192.168.0.1-9, 192.168.0.30-39, 192.168.0.2,
+192.168.0.20-29 and 192.168.0.200-255.
+if the PUBLICARP method will be selected only these host will be poisoned.
+.TP
+.B ettercap -s 192.168.0.1 192.168.0.2
+.Sp
+Enter the interactive mode and sniff only the connections between 192.168.0.1 and 192.168.0.2
+.TP
+.B ettercap -Nzs -F etter.filter 192.168.0.1 192.168.0.2
+.Sp
+Load filter from etter.filter and activate them on all the connection between 192.168.0.1
+and 192.168.0.2 . Only Log action will be supported because it is a -s (ipsniffing) method.
+192.168.0.1 is bound to the dest chain and 192.168.0.2 to the source one.
+To enable even the replacement and drop actions you have to launch "ettercap -Nza -F
+etter.filter IP IP MAC MAC"
+.TP
+.B ettercap -zs -e etter.conf
+.Sp
+Use the ip based sniffing mode and load the other option from the config file (etter.conf).
+Note that options in the file override command line.
+.TP
+.B ettercap -Nzs victim.my.net ANY:80
+.Sp
+Sniffs in console mode (non interactive) only the connection to and from "victim.my.net"
+starting or ending to all other hosts but on port 80 (www). data are dumped in ASCII
+mode. to dump in HEX mode add the -x option.
+.TP
+.B ettercap -NRzs remote.host.net:23 my.local.host.com
+.Sp
+Useful to sniffs in console mode (non interactive) all the connection on a remote LAN
+on which you are executing ettercap. this example will prevent to show your telnet (:23)
+connection from "my.local.host.com" to "remote.host.net".
+.TP
+.B ettercap -Nclt
+.Sp
+This will provide you the entire list of hosts in the LAN. Will check if someone is
+poisoning you and will report its IP. Will tell you if you are on a switched LAN or not.
+.TP
+.B ettercap -NCLzs --quiet
+.Sp
+This will detach ettercap from console and log to a file all the collected password.
+Only works if the LAN is hubbed, or if collected password are directed to your host.
+.TP
+.B ettercap -NCza -D 100 192.168.0.1 192.168.0.2 55:23:A5:B4:C7:89 00:A3:56:FE:4F:6D
+.Sp
+Collect password to stdout on a switched LAN. this will poison the two host 192.168.0.1
+and 192.168.0.2 each other. The delay between arp replies is set to 100 sec.
+.TP
+.B ettercap -Np triton
+.Sp
+Launch the plugin "triton" that will try to passively search for the LAN gateway.
+.TP
+.B ettercap -Np ooze victim.mynet.org
+.Sp
+Launch the plugin "ooze" that will portscan the host "victim.mynet.org" that will be translated
+with the right IP
+
+.SH PLATFORMS
+Linux 2.0.x  2.2.x  2.4.x
+.br
+FreeBSD 4.x
+.br
+OpenBSD 2.[789]
+.br
+NetBSD 1.5
+.br
+Mac OS X (darwin 1.3)
+
+
+.SH FILES
+/usr/share/ettercap/etter.conf - the config file
+.br
+/usr/share/ettercap/etter.filter - the filter chains
+.br
+/usr/share/ettercap/etter.ssl.crt - the SSL certificate for HTTPS m-i-t-m
+.br
+/usr/share/ettercap/mac-fingerprints - the network adapter vendor database
+.br
+/usr/share/ettercap/nmap-os-fingerprints - the nmap (c) Fyodor os fingerprint
+.br
+/usr/doc/ettercap-0.5.4/* - the DOCUMENTATION
+
+
+.SH AUTHORS
+Alberto Ornaghi (ALoR) <alor@users.sourceforge.net>
+.br
+Marco Valleri (NaGA) <crwm@freemail.it>
+
+
+.SH AVAILABILITY
+http://ettercap.sourceforge.net/download/
+.Sp
+Or if you want to do an automatic check of the latest version try "ettercap -vy"
+
+
+.SH BUGS
+Our software never has bugs.
+.br
+It just develops random features.   ;)
+.PP
+.B KNOWN-BUGS
+.PP
+- It is better that you don't launch ettercap on a host that is a gateway
+because it needs to disable ip_forwarding, it may cause problem with routing.
+.PP
+- You cannot use plugins on yourself. outgoing link layer packets are not
+captured by the same socket, so they will be ignored.
+.PP
+- While poisoning on a switched LAN, ettercap won't sniff the traffic made
+by your host to others. the technical reason is: otherwise ettercap will
+forward your packets two time (and this is not good...) the artistic
+reason is: why sniffing yourself with a man-in-the-middle method ? use
+simple sniffing instead ! ;)
+.PP
+- While sniffing in Public ARP mode, ettercap can "view" only one way of
+the connection, so some protocol dissectors can fail...
+.PP
+- under X11 resizing the xterm can give a corrupted visualization of the
+interface. SIGWINCH is *partially* supported.
+.PP
+- ettercap doesn't handle fragmented packets... only the first segment
+will be displayed by the sniffer. However all the fragments are correctly
+forwarded.
+.PP
++ please send bug-report, patches or suggestions to <alor@users.sourceforge.net>
+or visit http://ettercap.sourceforge.net/forum/  and post it in the BUGS section.
+.PP
++ to report a bug, recompile ettercap with 'configure --enable-debug'
+and attach ettercap_debug.log to the mail in which U explain the problem.
diff -uNr ettercap-0.6.3.1.orig/ettercap.spec ettercap-0.6.3.1/ettercap.spec
--- ettercap-0.6.3.1.orig/ettercap.spec Thu Jan  1 01:00:00 1970
+++ ettercap-0.6.3.1/ettercap.spec      Sun Feb 10 16:22:15 2002
@@ -0,0 +1,40 @@
+%define prefix /usr
+
+Summary:    ettercap is a ncurses-based sniffer/interceptor utility
+Name:       ettercap
+Version:    0.5.4
+Release:    1
+Serial:     20010906
+Packager:   ALoR <alor@users.sourceforge.net>
+Source:     http://ettercap.sourceforge.net/download/%{name}-%{version}.tar.gz
+URL:        http://ettercap.sourceforge.net/
+License:    GPL
+Group:      Networking/Utilities
+Prefix:     %{prefix}
+Buildroot:  %{_tmppath}/%{name}-%{version}-root
+
+%description
+ettercap is a multipurpose sniffer/interceptor/logger for switched or "hubbed" LAN.
+
+%prep
+%setup -q
+
+%build
+./configure --prefix=%{prefix} --disable-debug --mandir=%{_mandir}
+make
+make plug-ins
+
+%install
+rm -rf $RPM_BUILD_ROOT
+make install DESTDIR=$RPM_BUILD_ROOT
+make plug-ins_install DESTDIR=$RPM_BUILD_ROOT
+
+%clean
+rm -rf $RPM_BUILD_ROOT
+
+%files
+%defattr(-,root,root)
+%{_mandir}/man8/*
+%doc COPYING README README.PLUGINS HISTORY CHANGELOG AUTHORS TODO THANKS KNOWN-BUGS PORTINGS
+%{prefix}/bin/*
+%{prefix}/share/ettercap/*