ECSniff: The EnigmaCurry Network Sniffer

January 13, 2006 at 12:07 AM | categories: python, software | View Comments


Command line options
Example Usage
Revision History


This is my take on a network sniffer. It allows you to see interesting data that is on your network. Not just the data that is intended for your computer but for other computers on the same LAN as well. So far, this has only been tested on Gentoo Linux x86_64, but should work on any platform that supports Python as well as libpcap (Most Linux distros already have this installed) or Winpcap (for windows).

This software is intended for educational purposes. Nevertheless, usage is granted to anyone under the terms of the GNU General Public Licence version 2. What you do with it, as well as the consequences of using it, is your own responsibility.


Version 0.6 has the following features:

  • Log HTTP web page accessess
  • Log HTTP authentication attempts (username and password)
  • Log MSN instant messages
  • Log POP3 email authentication attempts (username and password)
  • Log FTP authentication attempts (username and password)
  • Subnet filtering -- This allows you to stay out of trouble by only logging some computers
  • Write all log info to a file for later analysis



Command line options

  --version             show program's version number and exit
  -h, --help            show this help message and exit
  --subnet=IP/netmask   Only display data for a specific subnet. eg:
  --pop3                Log POP3 usernames and passwords
  --httpauth            Log HTTP usernames and passwords
  --http                Log HTTP/WWW page accesses
  --msn                 Log MSN messenger messages
  --ftp                 Log FTP usernames and passwords
  -e, --everything      Log Everything
  -d device, --device=device
                        device to sniff (eth0, wlan0 etc)
  -l file, --log=file   log results to file
  -q, --quiet           don't display events on stdout

Example Usage:

These examples assume you are running Linux. Linux requires you to have root access in order to log data from the network device. So do the following commands as root or with the sudo command. In these examples, wlan0 is my network device. Change the devicename to whatever device you want to examine (eth0 is usual).

Log all POP3 email connections:

./ -d wlan0 --pop3

Log all HTTP web page accesses and also log HTTP Basic Authentication attempts:

./ -d wlan0 --http --httpauth

Log all MSN messages making sure to only log messages in and out of a particular machine with a local IP address of

./ -d wlan0 --msn --subnet=

Subnet filtering is a very important feature. It can be illegal for you to log network traffic of computers that you are not the legal user of. By default, ecsniff will log all packets regardless of their source or destination. By specifying a subnet, you can limit which IP addresses are logged. With subnet filter turned on, all packets that are logged will either be from the specified subnet or be destined to that subnet.

Log Everything (that ecsniff is desinged for) from the local lan (subnet netmask

./ -d wlan0 --everything --subnet=

You can specify the subnet using either the full netmask ( or by it's shorthand (like in the example before)

If you are unfamiliar with netmask shorthand see this page


Is this a hacker tool and is it illegal?

The purpose of this program is to be a DEMONSTRATION that we still use some pretty insecure protocols these days. It is is probably useful to the script-kiddie as well, but that is not my intention. In some countries it is illegal to eavesdrop on communication that is not your own. So don't go eavesdropping on other people's business!

I don't want to break the law, how can I just look at MY network traffic?

If you want to stay out of trouble, use the --subnet option. For instance if your local IP address is and you only want to log your own traffic use the option "--subnet=". You won't see any one else's traffic but your own.

How can I avoid being a victim of this or similar programs?

Use encryption! Don't use any network protocol that sends information in plain-text for transmitting information that you think is important. For email, use the GNU Privacy Guard with SSL for authentication. For instant messaging, use Gaim with Gaim-Encryption (works on all networks, MSN, Yahoo, AIM etc). For Websites that ask for a password, always make sure that SSL is enabled, if you don't see the lock icon, don't use that website... and never, ever, use Telnet.

I am trying to see traffic on my LAN, but I can't see any other traffic but my own.

In order to be able to see other computer's traffic you have to physically be on the same network segment. Traditionally, when you network computers together using a hub, every computer hooked into that hub (or secondary hubs that are plugged into it) are all on the same segment. Today, more often than not, we use switches not hubs. A switched network uses a unique network segment for each port on the switch. This is done for two reasons: 1) The network is faster if data only has to travel to the intended recipient and 2) People realized that hubs were a major security risk in that anyone could sniff out other people's data (as this program shows).

Even if you are on a switched network, however, you can still sniff the data from all computers if you have physical access to the network equipment. You can use a switch that has a 'port mirror'. A switch that has such a feature will allow you to replicate all traffic on one port (or on a good switch, from all ports) to any other port. In this sense the switch acts like a hub, but only on one specific port (the port you'll use for the sniffing).

Another option, if your switch doesn't support port mirroring, is an ethernet tap. An ethernet tap is something you plug in line with your gateway. All traffic goes through normally, but it also allows you to sniff data right off the line. Here are some instructions for building one very inexpensively. The real nice thing about this particular network tap is that it is completely passive; the transmit lines on the sniffer computer don't go anywhere, so the sniffer computer just "sees" the data that is on the line and cannot "touch" the data or add new data. So, with a tap, no one will find your sniffer, that is, unless they physically find the tap.

One caveat about a tap is that it seperates the full duplex communication into two half duplex signals on two ports. So you have one port having everything sent by Computer A and the second port everything from Computer B. If you want to analyze both Receving and Transmitting on one interface (which currently this program requires) you need to consolidate the two signals back into one. You can use a switch that has port spanning capabilities to do this.

See the Ethereal Capture Setup page for more setups that allow packet capture on switched networks.

Revision history:

  • 0.6 - Jan 18, 2006 - Now includes MSN messenger logging, HTTP web page access logging, FTP authentication logging, and Subnet filtering. Licencing information is more explicit. Things are more organized in seperate .py files.
  • 0.5 - Jan 13, 2006 - Initial Release. Can scan for pop3 email username and password as well as HTTP Basic Authentications.
blog comments powered by Disqus