# Install ettercap with Homebrew, apk, apt, dnf, MacPorts, Nix, pacman

Multipurpose sniffer/interceptor/logger for switched LAN. Version 0.8.4.1 via Homebrew; verified 2026-06-25.

## Install

```sh
sudo av install brew:ettercap
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install ettercap
```

  Evidence: local Homebrew formula metadata

- MacPorts (94%):

```sh
sudo port install ettercap
```

  Evidence: MacPorts ports tree: net/ettercap/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1

### Linux

- apk (92%):

```sh
sudo apk add ettercap
```

  Evidence: Alpine Linux edge package indexes: ettercap from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz

- Debian apt (92%):

```sh
sudo apt install ettercap-common
```

  Evidence: Debian stable package indexes: ettercap-common from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz

- dnf (92%):

```sh
sudo dnf install ettercap
```

  Evidence: Fedora Rawhide package metadata: ettercap from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst

- Nix (92%):

```sh
nix profile install nixpkgs#ettercap
```

  Evidence: nixpkgs package indexes: pkgs/by-name/et/ettercap/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1

- pacman (92%):

```sh
sudo pacman -S ettercap
```

  Evidence: Arch Linux sync databases: ettercap from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz

## Package facts

- **Package key:** brew:ettercap
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/ettercap>
- **Version:** 0.8.4.1
- **Source summary:** Multipurpose sniffer/interceptor/logger for switched LAN
- **Homepage:** <https://ettercap.github.io/ettercap/>
- **Repository:** <https://github.com/Ettercap/ettercap>
- **Upstream docs:** <https://ettercap.github.io/ettercap>
- **License:** GPL-2.0-or-later
- **Source archive:** <https://github.com/Ettercap/ettercap/archive/refs/tags/v0.8.4.1.tar.gz>
- **Last updated:** 2026-06-25T13:37:40+02:00
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- ettercap (cli)
- ettercap-pkexec (cli)
- etterfilter (cli)
- etterlog (cli)
- ettercap (alias)
- ettercap-pkexec (alias)
- etterfilter (alias)
- etterlog (alias)

## Dependencies

- at-spi2-core
- cairo
- freetype
- gdk-pixbuf
- glib
- gtk+3
- libmaxminddb
- libnet
- ncurses
- openssl@3
- pango
- pcre2

## Build dependencies

- cmake

## Uses from macOS

- curl
- libpcap

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 0.8.4.1
- Package-manager updated: 2026-06-25
- Local data: ok
- Upstream repository: https://github.com/Ettercap/ettercap
- info: No cached GitHub release or tag data was available.
## Project history and usage

Ettercap is a long-running open-source network security suite for man-in-the-middle work on local networks. Its command-line package provides sniffing, interception, packet filtering, logging, protocol dissection, and host/network analysis tools for switched LAN environments.

### Project history

Ettercap dates to the early 2000s; the current GitHub README identifies the project copyright as 2001-current by the Ettercap development team. Early package descriptions framed it as a multipurpose sniffer, interceptor, and logger for switched LANs, a niche that mattered when Ethernet switching made simple hub-style packet sniffing less effective.

The Ettercap-NG generation in the mid-2000s broadened the tool with a modernized interface, plugins, multiple simultaneous MITM attacks, and a more structured core. The official download history shows NG releases in 2004 and 2005, the Lazarus line in 2011 and 2012, the 0.8 series beginning in 2013, and later Garofalo releases continuing maintenance into 2026.

### Adoption history

Ettercap became a standard security-lab and penetration-testing package because it combined active and passive protocol dissection with practical MITM mechanisms such as ARP poisoning, bridged sniffing, filtering, and connection logging. Its package metadata across Unix-like systems reflects that role: it is distributed in Homebrew, Debian and Ubuntu, Fedora, Arch, Alpine, MacPorts, Nix, and other security-oriented environments.

The project has remained recognizable because it occupies the space between packet analyzers and attack simulators. Users can capture and analyze traffic like a sniffer, but can also alter or redirect traffic in ways useful for authorized testing of LAN trust assumptions.

### How it is used

The main `ettercap` program is used in text, curses, or graphical modes to discover hosts, select targets, run MITM modules, sniff traffic, and apply filters. Companion commands such as `etterfilter` and `etterlog` support compiling packet filters and inspecting saved logs.

The manual documents practical workflows such as ARP poisoning, bridge-mode interception with two interfaces, pcap-filtered capture, offline analysis from pcap files, and writing captured packets for later inspection with tools such as tcpdump or Wireshark.

### Why package nerds care

Ettercap is package-nerd significant because it is a classic security tool whose build and runtime surface spans libpcap, libnet, OpenSSL, plugin support, terminal UI, optional GTK UI, GeoIP/MaxMind data, and privileged network access. Packaging it correctly means preserving both the text-mode toolchain and the surrounding data/config layout.

It also shows why security packages age differently from ordinary CLIs: release history is full of protocol-support updates, build fixes, memory-safety fixes, and CVE-related maintenance, while the core LAN-testing workflow remains recognizable decades after the first releases.

### Timeline

- 2001: Ettercap project lineage begins, according to the current project README copyright range.
- 2004: Ettercap-NG 0.7.2 release appears in the official download history.
- 2005: Ettercap-NG 0.7.3 release adds filter-engine operators and plugin/security fixes.
- 2013: Ettercap 0.8.0 begins the 0.8 release series.
- 2020: Ettercap 0.8.3.1 ships further TLS, build, and runtime fixes.
- 2026: Ettercap 0.8.4.1-Garofalo fixes a heap out-of-bounds read in etterfilter.

### Related projects

- Wireshark and tcpdump are commonly adjacent analysis tools; Ettercap can write captured packets for later use in packet analyzers.
- Ettercap's own companion tools include etterfilter for filters and etterlog for log inspection.

### Sources

- <https://www.ettercap-project.org/>
- <https://www.ettercap-project.org/downloads.html>
- <https://github.com/Ettercap/ettercap>
- <https://github.com/Ettercap/ettercap/blob/master/man/ettercap.8.in>


## Security Notes

escape, surveillance, or offensive capability signal.

- **Geiger risk:** red / medium
- escape, surveillance, or offensive capability signal


## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: /etc/etter.conf
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** ettercap
- **Version Scheme:** 0
- **Revision:** 0
- **Head Version:** HEAD
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** head, stable

## Other Package-Manager Records

- Debian apt - ettercap-common - 1:0.8.3.1-14: normalized package name match | Debian stable package indexes: ettercap-common from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Multipurpose sniffer/interceptor/logger for switched LAN | https://ettercap.github.io/ettercap/
- Debian apt - ettercap-graphical - 1:0.8.3.1-14: normalized package name match | Debian stable package indexes: ettercap-graphical from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Ettercap GUI-enabled executable | https://ettercap.github.io/ettercap/
- Debian apt - ettercap-text-only - 1:0.8.3.1-14: normalized package name match | Debian stable package indexes: ettercap-text-only from https://deb.debian.org/debian/dists/stable/main/binary-amd64/Packages.xz | Ettercap console-mode executable | https://ettercap.github.io/ettercap/
- Nix - ettercap: normalized package name match | nixpkgs package indexes: pkgs/by-name/et/ettercap/package.nix from https://api.github.com/repos/NixOS/nixpkgs/git/trees/master?recursive=1
- Ubuntu apt - ettercap-common - 1:0.8.3.1-13build3: normalized package name match | Ubuntu 24.04 LTS package indexes: ettercap-common from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Multipurpose sniffer/interceptor/logger for switched LAN | https://ettercap.github.io/ettercap/
- Ubuntu apt - ettercap-graphical - 1:0.8.3.1-13build3: normalized package name match | Ubuntu 24.04 LTS package indexes: ettercap-graphical from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Ettercap GUI-enabled executable | https://ettercap.github.io/ettercap/
- Ubuntu apt - ettercap-text-only - 1:0.8.3.1-13build3: normalized package name match | Ubuntu 24.04 LTS package indexes: ettercap-text-only from https://archive.ubuntu.com/ubuntu/dists/noble/universe/binary-amd64/Packages.gz | Ettercap console-mode executable | https://ettercap.github.io/ettercap/
- apk - ettercap - 0.8.4.1-r0: normalized package name match | Alpine Linux edge package indexes: ettercap from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Multipurpose sniffer/interceptor/logger for switched LAN | https://www.ettercap-project.org/
- apk - ettercap-doc - 0.8.4.1-r0: normalized package name match | Alpine Linux edge package indexes: ettercap-doc from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Multipurpose sniffer/interceptor/logger for switched LAN (documentation) | https://www.ettercap-project.org/
- apk - libettercap - 0.8.4.1-r0: normalized package name match | Alpine Linux edge package indexes: libettercap from https://dl-cdn.alpinelinux.org/alpine/edge/testing/x86_64/APKINDEX.tar.gz | Multipurpose sniffer/interceptor/logger for switched LAN (libraries) | https://www.ettercap-project.org/
- dnf - ettercap - 0.8.4.1-1.fc45: normalized package name match | Fedora Rawhide package metadata: ettercap from https://dl.fedoraproject.org/pub/fedora/linux/development/rawhide/Everything/x86_64/os/repodata/e5ca8ce900cd68f5419e1c39ae517343100b306336cbaeb70a3c153121d95094-primary.xml.zst | Network traffic sniffer/analyser, NCURSES interface version | http://ettercap.sourceforge.net
- pacman - ettercap - 0.8.4.1-1: normalized package name match | Arch Linux sync databases: ettercap from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Network sniffer/interceptor/logger for ethernet LANs - console | https://www.ettercap-project.org/
- pacman - ettercap-gtk - 0.8.4.1-1: normalized package name match | Arch Linux sync databases: ettercap-gtk from https://geo.mirror.pkgbuild.com/extra/os/x86_64/extra.db.tar.gz | Network sniffer/interceptor/logger for ethernet LANs - GTK frontend | https://www.ettercap-project.org/
- MacPorts - ettercap: normalized package name match | MacPorts ports tree: net/ettercap/Portfile from https://api.github.com/repos/macports/macports-ports/git/trees/master?recursive=1


## Related links

- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Secret-risk packages](https://www.automicvault.com/pkg/secret-risk-packages/) - Has protected-tool coverage, approval-gate, or non-low Geiger security signals.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Networking and protocol packages](https://www.automicvault.com/pkg/networking-protocol-tools/) - Matched network, protocol, or remote-service metadata.
- [cairo](https://www.automicvault.com/pkg/brew/cairo/) - Runtime dependency declared by Homebrew.
- [freetype](https://www.automicvault.com/pkg/brew/freetype/) - Runtime dependency declared by Homebrew.
- [gdk-pixbuf](https://www.automicvault.com/pkg/brew/gdk-pixbuf/) - Runtime dependency declared by Homebrew.
- [glib](https://www.automicvault.com/pkg/brew/glib/) - Runtime dependency declared by Homebrew.
- [gtk+3](https://www.automicvault.com/pkg/brew/gtk-3/) - Runtime dependency declared by Homebrew.
- [libmaxminddb](https://www.automicvault.com/pkg/brew/libmaxminddb/) - Runtime dependency declared by Homebrew.
- [libnet](https://www.automicvault.com/pkg/brew/libnet/) - Runtime dependency declared by Homebrew.
- [cmake](https://www.automicvault.com/pkg/brew/cmake/) - Build dependency declared by Homebrew.
- [arpoison](https://www.automicvault.com/pkg/brew/arpoison/) - Shares av.db curated category or tags: cli, network-security, security.
- [fragroute](https://www.automicvault.com/pkg/brew/fragroute/) - Shares av.db curated category or tags: cli, network-security, security.
- [rshijack](https://www.automicvault.com/pkg/brew/rshijack/) - Shares av.db curated category or tags: cli, network-security, security.
- [suricata](https://www.automicvault.com/pkg/brew/suricata/) - Shares av.db curated category or tags: cli, network-security, security.
- [fwknop](https://www.automicvault.com/pkg/brew/fwknop/) - Shares av.db curated category or tags: cli, network-security, security.
- [bettercap](https://www.automicvault.com/pkg/brew/bettercap/) - Shares av.db curated category or tags: cli, network-security, security.
- [killswitch](https://www.automicvault.com/pkg/brew/killswitch/) - Shares av.db curated category or tags: cli, network-security, security.
- [openssh](https://www.automicvault.com/pkg/brew/openssh/) - Shares av.db curated category or tags: cli, network-security, security.
- [zeek](https://www.automicvault.com/pkg/brew/zeek/) - Security-sensitive metadata or terminology overlaps. Shared terms: analysis, cli, libmaxminddb, network, network-security.
- [gpa](https://www.automicvault.com/pkg/brew/gpa/) - Security-sensitive metadata or terminology overlaps. Shared terms: at-spi2-core, cairo, cli, core, gdk.

## Combined YAML source

View the package source record on GitHub. [combined/ettercap.yml](https://github.com/automic-vault/db/blob/main/combined/ettercap.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- external package-manager database matches
- cross-ecosystem install command graph
