Bettercap Essentials
Bettercap is a modular network reconnaissance and security-auditing framework — a single Go binary that discovers hosts, maps a network, sniffs traffic, probes Wi-Fi and Bluetooth Low Energy, and can demonstrate man-in-the-middle conditions for testing. It's the modern successor to tools like Ettercap, used by penetration testers and network defenders to understand and harden the networks they own. This guide covers installation across platforms and the core workflow for safe, authorized network discovery.
Bettercap is organized into modules you turn on and off inside a session, and caplets — small script files that chain commands together to automate a workflow. Understanding this split is most of the learning curve.
| Concept | Meaning |
|---|---|
| Module | A capability you enable, e.g. net.probe (discover hosts), net.recon (track them), net.sniff (capture traffic) |
| Caplet | A .cap script of bettercap commands run in sequence — reusable playbooks (e.g. http-ui) |
| Session | The interactive prompt where you type commands and read events |
| Events stream | events.stream — the live log of everything bettercap observes |
| Web UI | An optional browser dashboard, launched via the http-ui / https-ui caplet |

| Module family | Covers |
|---|---|
| IPv4 / IPv6 | Host and topology discovery, sniffing, spoofing on Ethernet/Wi-Fi networks |
| WiFi | Access-point and client discovery, channel hopping, handshake capture |
| BLE | Bluetooth Low Energy device scanning and characteristic enumeration |
| HID | 2.4 GHz wireless keyboard/mouse research |
| Proxies | Packet-, TCP-, and HTTP/HTTPS-level traffic inspection and manipulation |

The fastest routes. On security distributions, bettercap is already packaged; elsewhere, grab the precompiled binary from GitHub releases.
libpcap is the packet-capture library bettercap depends on; libnetfilter-queue is needed (Linux only) for some traffic-manipulation features. The packaged Kali version pulls these in automatically.
Prefer a container, or want the bleeding-edge build? Both are supported. The container needs host networking and elevated privileges to touch real interfaces — the same caveat as any packet tool in Docker.
--privileged --net=host gives the container full access to the host's network stack. That's required for bettercap to function, but it means the container is effectively running with host-level network privileges — only do this on a machine you control.
Bettercap needs root (raw sockets) and a target interface. Launch it on the interface attached to your test network; with no caplet it drops you into the interactive prompt.
| Command | Does |
|---|---|
| help | List all modules and their on/off state |
| help net.probe | Show detailed help & parameters for one module |
| active | Show currently running modules |
| <module> on / off | Start or stop a module, e.g. net.probe on |
| get <param> | Read a config value (e.g. get net.probe.throttle) |
| set <param> <val> | Change a config value before turning a module on |
| quit | Exit the session cleanly (restores ARP tables, etc.) |

Always exit with quit rather than killing the process. Modules that alter network state (spoofing, proxies) clean up after themselves on a graceful exit; a hard kill can leave hosts with poisoned ARP entries until their caches expire.
The bread-and-butter of authorized auditing: find out what's actually on your network. net.probe sends discovery packets, net.recon keeps the host list updated, and net.show prints the table.
Within seconds you'll see a table of every device that answered — IP, MAC address, hardware vendor (derived from the MAC), and activity. This alone is a useful inventory: spotting an unexpected device on your own LAN is a classic defensive win.
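To turn that inventory into a repeatable check, the host table can be compared against a list of devices you expect. The following is an added example, not part of the original guide or of bettercap itself: the host records are constructed, the JSON field names (ipv4, mac, hostname) are an assumption about an exported host list, and the inventory is hypothetical.

```python
import json

# Constructed host records; the field names (ipv4, mac, hostname) are an
# assumption about how a bettercap host list looks once exported as JSON.
DISCOVERED = json.loads("""[
  {"ipv4": "192.168.1.10", "mac": "AA:BB:CC:00:00:10", "hostname": "nas"},
  {"ipv4": "192.168.1.23", "mac": "aa:bb:cc:00:00:23", "hostname": ""},
  {"ipv4": "192.168.1.77", "mac": "de:ad:be:ef:00:77", "hostname": ""},
  {"ipv4": "192.168.1.1",  "mac": "aa:bb:cc:00:00:23", "hostname": ""}
]""")

# Hypothetical inventory: MAC -> (label, pinned IP, or None for DHCP clients).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("gateway", "192.168.1.1"),
    "aa:bb:cc:00:00:10": ("nas", "192.168.1.10"),
    "AA-BB-CC-00-00-23": ("laptop", None),
}

def norm_mac(mac):
    """Normalize a MAC so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(hosts, inventory):
    """Return (rule, ip, mac) findings for the discovered host list."""
    inv = {norm_mac(m): v for m, v in inventory.items()}
    pinned = {ip: mac for mac, (_, ip) in inv.items() if ip}
    findings, seen = [], set()
    for h in hosts:
        mac, ip = norm_mac(h["mac"]), h["ipv4"]
        seen.add(mac)
        if mac not in inv:                        # device nobody registered
            findings.append(("unknown-device", ip, mac))
        if ip in pinned and pinned[ip] != mac:    # e.g. gateway IP on another MAC
            findings.append(("pinned-ip-wrong-mac", ip, mac))
    for mac in sorted(set(inv) - seen):           # expected but silent
        findings.append(("expected-not-seen", inv[mac][1], mac))
    return findings

if __name__ == "__main__":
    for finding in audit(DISCOVERED, INVENTORY):
        print(*finding)
```

A pinned address answering from the wrong MAC is the same symptom a poisoned ARP entry produces, so that finding deserves attention before the unknown-device ones.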
| Module | Role in discovery |
|---|---|
| net.probe | Actively sends probes so silent hosts reveal themselves |
| net.recon | Passively maintains the host list from observed traffic |
| net.show | Displays the current known-hosts table |
| ticker | Repeats a command on an interval — handy for a live-refreshing view |

set <ip> alias mylaptop so the tables are readable. Discovery (net.probe/net.recon) is passive-to-mild and is the safe place to start learning the tool on your own network.
If the command line isn't your thing, bettercap ships a browser dashboard. It's delivered as a caplet that starts an API and serves the UI. Update the UI assets once, then launch it.
By default this serves the interface on http://127.0.0.1 with a username and password defined in the caplet. Open it in a browser on the same machine and you get point-and-click access to the host list, events, and module controls.
The http-ui caplet keeps it on localhost; review the caplet before changing that.
Typing the same module sequence every session gets old. A caplet is a plain-text file of session commands that runs top to bottom — your reusable playbook. List the bundled ones, then write your own.
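Because a caplet is just text, it can be reviewed mechanically before it is run. The following added example (not from the original guide or the bettercap project) checks a constructed caplet for the points raised above: a UI/API listener moved off localhost, credentials left at placeholder values, and modules from the spoofing and proxy families that alter network state. The parameter names and the placeholder credentials user/pass are assumptions about what the http-ui caplet contains.

```python
import ipaddress

# Constructed caplet for this example (not one of the bundled caplets).
SAMPLE_CAPLET = """\
# inventory sweep for the lab VLAN
set net.probe.throttle 20
net.probe on
net.recon on
set api.rest.address 0.0.0.0
set api.rest.username user
set api.rest.password pass
api.rest on
arp.spoof on
"""

# Assumptions: these parameter names and the placeholder credentials are
# what the http-ui caplet is expected to contain; adjust to your copy.
LISTEN_PARAMS = {"api.rest.address", "http.server.address"}
CRED_PARAMS = {"api.rest.username", "api.rest.password"}
PLACEHOLDER_CREDS = {"user", "pass"}
STATE_CHANGING_SUFFIXES = (".spoof", ".proxy")  # "spoofing, proxies" families

def is_loopback(value):
    """True only for a literal loopback IP; names and wildcards count as exposed."""
    try:
        return ipaddress.ip_address(value).is_loopback
    except ValueError:
        return False

def lint_caplet(text):
    """Return (line_no, rule, detail) for each line that deserves review."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # blank line or comment
            continue
        parts = line.split(None, 2)
        if parts[0] == "set" and len(parts) == 3:
            param, value = parts[1], parts[2].strip("\"'")
            if param in LISTEN_PARAMS and not is_loopback(value):
                findings.append((no, "non-loopback-listener", f"{param}={value}"))
            elif param in CRED_PARAMS and value in PLACEHOLDER_CREDS:
                findings.append((no, "placeholder-credentials", param))
        elif len(parts) == 2 and parts[1] == "on" and parts[0].endswith(STATE_CHANGING_SUFFIXES):
            findings.append((no, "alters-network-state", parts[0]))
    return findings

if __name__ == "__main__":
    for finding in lint_caplet(SAMPLE_CAPLET):
        print(*finding)
```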
Lines starting with # are comments. The official caplets repo has many examples worth reading to learn the command vocabulary.
Bettercap's wireless modules need a compatible adapter. Wi-Fi recon requires a card that supports monitor mode; BLE needs a Bluetooth Low Energy controller. These are discovery features — mapping what's broadcasting around you, which on your own devices is legitimate auditing.
| Command | What it does |
|---|---|
| wifi.recon on | Discover nearby access points and clients (needs monitor-mode adapter) |
| wifi.show | List discovered APs: ESSID, channel, encryption, signal |
| ble.recon on | Scan for Bluetooth Low Energy devices |
| ble.show | List discovered BLE devices and their services |

| Item | Value |
|---|---|
| Run as | root / sudo (raw sockets required) |
| Pick interface | -iface eth0 |
| Run a caplet | -caplet name.cap |
| One-off commands | -eval "cmd1; cmd2; quit" |
| Web UI | -caplet http-ui (localhost, change creds) |
| Dependencies | libpcap-dev, libnetfilter-queue-dev (Linux) |
| Update extras | caplets.update; ui.update |
| Always exit with | quit (clean state restore) |
