Configs · May 15, 2026 · 1 min read

Bettercap — Network Attack and Monitoring Framework

A comprehensive network reconnaissance and MITM framework written in Go, supporting WiFi, Bluetooth, HID, and IP-based network security assessments.

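Agent Ready

This asset can be read and installed directly by an Agent

TokRepo provides a universal CLI command, an install contract, metadata JSON, adapter-specific install plans, and raw content links, so that an Agent can judge fit, risk, and the next action.

Native · 98/100 · Policy: Allowed
Agent entry: Any MCP/CLI Agent
Type: Skill
Install: Single
Trust: Trust level: Established
Entry: Bettercap Overview
Universal CLI install command:
npx tokrepo install 915beb00-509b-11f1-9bc6-00163e2b0d79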

Introduction

Bettercap is a network security tool for WiFi, Bluetooth Low Energy, IP, and HID device reconnaissance and testing. It replaces the older Ettercap and provides a modern, extensible framework for authorized network security assessments with both a CLI and a web-based UI.

What Bettercap Does

  • Performs ARP, DNS, and DHCP spoofing for man-in-the-middle testing on local networks
  • Scans and enumerates WiFi access points and clients, and performs deauthentication tests
  • Discovers and interacts with Bluetooth Low Energy devices and HID peripherals
  • Captures and analyzes network traffic with real-time credential sniffing
  • Provides a scriptable caplet system for automating multi-step assessments

Architecture Overview

Bettercap is written in Go with a modular session-based architecture. Each protocol handler (net, wifi, ble, hid) runs as an independent module within a shared session context. The event bus connects modules, allowing triggers and automated responses. The web UI communicates via a REST API backed by the core session engine.

Self-Hosting & Configuration

  • Requires root or sudo privileges for raw socket and monitor mode access
  • WiFi features need a wireless adapter that supports monitor mode
  • Caplet scripts define reusable attack and monitoring sequences
  • The web UI runs on a configurable local port with HTTP basic authentication
  • Supports output logging to file, JSON, or custom event handlers

Key Features

  • Unified framework covering WiFi, BLE, Ethernet, and HID attack surfaces
  • Interactive JavaScript-based caplet scripting for complex workflows
  • Real-time web UI dashboard with network visualization
  • Transparent HTTP and HTTPS proxying with request and response manipulation
  • Extensible module system with community-contributed caplets

Comparison with Similar Tools

  • Ettercap — predecessor tool for LAN MITM; Bettercap is a modern rewrite with broader protocol coverage
  • Aircrack-ng — focused on WiFi cracking; Bettercap covers WiFi plus BLE, HID, and IP layers
  • Wireshark — passive packet analysis; Bettercap actively interacts with the network
  • mitmproxy — HTTP/HTTPS proxy tool; Bettercap provides full network-layer MITM beyond HTTP
  • Kismet — wireless monitoring and detection; Bettercap adds active testing capabilities

FAQ

Q: What operating systems does Bettercap support? A: Linux is the primary platform with full feature support. macOS and Windows have partial support, mainly for IP-based modules.

Q: Do I need special hardware? A: IP-based features work with any network interface. WiFi features require a monitor-mode-capable adapter. BLE requires a compatible Bluetooth dongle.

Q: Is a web UI available? A: Yes. The http-ui and https-ui caplets launch a browser-based dashboard for real-time monitoring and control.

Q: Can I automate assessments? A: Caplet scripts allow chaining commands and defining triggers. You can run complete assessment workflows unattended.
