• URLs being visited.
    • HTTPS hosts being visited.
    • HTTP POSTed data.
    • HTTP Basic and Digest authentications.
    • HTTP Cookies.
    • FTP credentials.
    • IRC credentials.
    • POP, IMAP and SMTP credentials.
    • DICT Protocol credentials.
    • MPD Credentials.
    • NNTP Credentials.
    • DHCP messages and authentication.
    • REDIS login credentials.
    • RLOGIN credentials.
    • SNPP credentials.
    • And more!

    Note

    New parsers are implemented almost on a regular basis for each new release, for a full and updated list check the SNIFFING section in the “bettercap —help” menu.

    Use bettercap as a simple local network sniffer:

    sudo bettercap --local or sudo bettercap -L

    Use the capture.pcap file in your home directory as a packets source:

    Spoof the whole network and save every packet to the capture.pcap file in your home directory:

    sudo bettercap --sniffer-output ~/capture.pcap

    Spoof the whole network but only sniff HTTP traffic:

    sudo bettercap --sniffer-filter "tcp port http"

    Spoof the whole network and extract data from packets containing the “password” word:

    Options

    -X, --sniffer

    Enable sniffer.

    By default bettercap will only parse packets coming from/to other addresses on the network, if you also want to process packets being sent or received from your own computer you can use this option ( NOTE: will enable the sniffer ).

    --sniffer-source FILE

    Load packets from the specified PCAP file instead of the network interface ( NOTE: will enable the sniffer ).

    --sniffer-output FILE

    Save all packets to the specified PCAP file ( NOTE: will enable the sniffer ).

    --sniffer-filter EXPRESSION

    Configure the sniffer to use this ( NOTE: will enable the sniffer ).

    -P, --parsers PARSERS

    Use a custom regular expression in order to capture and show sniffed data ( NOTE: will enable the sniffer ).