Related Security Tools


Read before using


UCSniff Special Thanks

A special thanks goes out to all of the developers, contributors, and authors of Ettercap. Ettercap is simply an awesome security tool. We re-used the ARP Poisoning, dissector design, and re-direction capabilities of Ettercap within UCSniff.

Using the UCSniff GUI

UCSniff GUI simplifies eavesdropping security tests, making it incredibly easy to run UCSniff. Here are some informal instructions on some basic usage instructions for running UCSniff.

Start the UCSniff GUI

  1. Fire up UCSniff GUI from a terminal.

1. Select interface

You can specify the default interface, or a vlan interface that has been already created with another program. In the screen shot below, I could select eth0 or the voice vlan interface, eth0.99.

2. Select Mode

  1. Select your mode: either MitM or Monitor mode. A description of the difference between these modes is contained in the USAGE file. We will select MitM mode here.
  2. Then after you have selected MitM Mode, you have two sub-modes to select from. You must choose either learning or target mode. You can read more about the difference between these two options in the USAGE file.

Start UCSniff in Learning Mode

After selecting "Learning Mode", all you need to do is hit the "Start UCSniff" button.

Start UCSniff in Target Mode

Target mode is the recommended way to run UCSniff during an authorized pentest, with lowest risk of service impact. When you select Target mode, you will be prompted from a list of Targets. You can manually build the targets list, or you can run UCSniff in Learning Mode, letting UCSniff automatically build it. The file 'targets.txt' is parsed when you launch UCSniff GUI from the working directory.

Select the user you would like to target, and then the red X button, as shown below. Then, select "Start UCSniff" button.

These users were selected from the following targets.txt file:

Stopping UCSniff

Make sure you always select the "Stop UCSniff" button after you are finished using UCSniff. This re-ARPs the victims.


If you are sniffing on a flat network and the interface of your station already has an IP address in the voice network, then there is no need to VLAN Hop. However, if you need to VLAN Hop such as in an environment that uses Voice VLANs with CDP, then set VLAN Hop to 'Yes'. You will then have the option to spoof CDP, Sniff CDP, or Specify the VLAN ID.

ACE Directory Option

To specify download of the VoIP Corporate directory, you can input the MAC Address of the Cisco Unified IP Phone. This feature works in environments that use Cisco UCM with the VoIP Corporate directory feature enabled. For more information on ACE, see here.

Realtime Monitor

After you have started UCSniff and the Unified Sniffing has started, you should see several new tabs at the top of UCSniff.

When UCSniff detects an active SIP call, you should see information on the call appear in the main "Status and Output" window. When this happens, you can tab over to the Active Calls tab. You will see information displayed about the active calls, as shown below. Double-clicking one of the column headers (Destination Username) will refresh this display.

To start the Realtime Monitor for the active call that is in progress, simply scroll down on the Live Monitor drop down column, selecting Start.

For VoIP-only calls, this will automatically output Audio to your system's speakers. For IP Video calls in progress, this will open up two VLC media player plugin windows. One side of the video media player plugin window will be the calling video user, and the other will be the display shown to the called video user. The audio will automatically be played as well.

The screen shot below depicts what this looks like in action.

To stop the Live Monitor for the active call, simply select "Stop" from the Live Monitor drop down menu, as shown below.

Miscellaneous Options

There are several miscellaneous options that can be enabled for UCSniff. Make sure that you select these options before starting UCSniff. For a description of these options, see the USAGE file.