ettercap-gg - Gadu-Gadu IM ettercap dissector


ettercap-gg is a Gadu-Gadu IM ettercap dissector.

It is a patch for the ettercap sniffer that adds the ability to intercept Gadu-Gadu logins, passwords and messages.

Gadu-Gadu is the most widely used IM network in Poland, with ~6 million users.

Protocol description taken from + own research (7.x).

The newest version can be found at

You can find the ettercap source tarball at

Copyright (C) Michal Szymanski


The current version is 0.2, released on 2007/06/15. You can download it from here.


- supports the following Gadu-Gadu protocols: 4.x, 5.x, 6.x, 7.x
- intercepts sent/received messages
- intercepts gg numbers, password hashes and seeds (can be bruteforced by ggbrute)
- intercepts status descriptions
- notifies about status changes
- intercepts gg server/client ip addresses
- intercepts gg user's local/remote ip addresses
- intercepts gg connections to port 8074 and 443
- determines Gadu-Gadu version

EXAMPLE SESSION - version 0.2

ARP poisoning victims:

 GROUP 1 : 00:01:20:02:34:21

 GROUP 2 : 00:0A:84:D8:28:F5

Starting Unified sniffing...

Text only Interface activated...
Hit 'h' for inline help

GG : -> - WELCOME  SEED: 0xAD130562 (2903704930)
GG7 : -> - LOGIN  UIN: 5114529  PWD_HASH: 0x21D13E38992A341DD33BB52DDFA2382A173A5361  STATUS:  (invisible + private)  VERSION: 7.7  LIP:  RIP:
GG : -> - SEND_MSG  RECIPIENT: 7244283  MESSAGE: "wiadomosc testowa"
GG : -> - RECV_MSG  SENDER: 7244283  MESSAGE: "dzieki za wiadomosc"
GG7 : -> - STATUS CHANGED  UIN: 7244283  STATUS: a swistak siedzi i zawija (busy + descr)  VERSION: 7.6  RIP:

GG : -> - WELCOME  SEED: 0x1D66B45F (493270111)
GG4/5 : -> - LOGIN  UIN: 5114529  PWD_HASH: 0x1B85493D (461719869)  STATUS: zaraz weekend (invisible + descr + private)  VERSION: 4.8 + has audio  LIP:
GG : -> - STATUS CHANGED  UIN: 2688291  STATUS: i co ja bede robil przez te 4 dni ... (not available + descr)
GG : -> - NEW STATUS  STATUS: goraaaaaaaaaaaaaco!!!!!!!!! (busy + descr + private)


Apply the Gadu-Gadu dissector patch and compile ettercap as you normally would:

patch -p0 < ettercap-NG-0.7.3-gg_dissector_02.patch
cd ettercap-NG-0.7.3
make install

Alternatively, you can install the Fedora Core 6 RPM package (it requires libpcap, libnet, zlib, libtool, pcre, openssl, ncurses, gtk+, pkgconfig, glib, atk and pango to be installed):

rpm -Uhv ettercap-NG-0.7.3-gg_dissector_02.i386.rpm

All the files you can find at

Normally the Gadu-Gadu dissector is bound to port 8074 (the appropriate entry is added to the etter.conf file). If you want the dissector to intercept traffic on port 443 as well, turn off the https dissector (only one dissector can be bound to a given port at a time) by editing etter.conf and changing the following line:

https = 443              # tcp    443

to:

https = 0                # tcp    443

After that, all you need to do is add port 443 to the gg dissector:

gg = 8074,443            # tcp    8074

If you want to see all contacts' status changes, uncomment the GG_CONTACTS_STATUS_CHANGES define before compilation. Be careful using this option on really big networks: it could mess up your whole screen!

That's all. Play wisely.



v0.2:

- added interception of sent/received messages
- added interception of status descriptions
- added notification about status changes
- added interception of gg server/client ip addresses
- added interception of gg user's local/remote ip addresses
- added determination of Gadu-Gadu version
- tiny bugfixes

v0.1 (initial release):

- added support for the following Gadu-Gadu protocols: 4.x, 5.x, 6.x, 7.x
- added interception of gg numbers, password hashes and seeds
- added interception of gg connections to port 8074 and 443


- wpkontakt support (sessions management needed)
- std_gg/kadu/ekg/wpkontakt fingerprinting (additional research needed)
- sms sniffing? (already implemented through http dissector)
- nat detection


