I captured a HTTP & FTP authentication and save it into a pcap file.
When I analyse this pcap file with wireshark I can see the session & credentials.

I generate a *.eci file for etterlog with the following command:

ettercap -r foo.cap -Tq -l foolog.eci


when I analyse the same "foolog.eci" file with the following command:

etterlog -p foolog.eci

on BT4R2 i got a result like:

149.20.20.133 (ftp.kernel.org) TCP 21 USER: ftp PASS: test@gmail.com
157.166.255.80 (audience.cnn.com) TCP 80 USER: test@gmail.com PASS: f00b4r INFO: http://www.cnn.com/


on BT5 i got no result:


I checked etterlog dep.:

on BT4R2:

ldd /usr/bin/etterlog
linux-gate.so.1 => (0xffffe000)
libz.so.1 => /usr/lib/libz.so.1 (0xb76d2000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb76be000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb76a4000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb754a000)
/lib/ld-linux.so.2 (0xb7700000)

on BT5

ldd /usr/bin/etterlog
linux-gate.so.1 => (0xb76f7000)
libz.so.1 => /lib/libz.so.1 (0xb76ce000)
libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb76ba000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb76a0000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7546000)
/lib/ld-linux.so.2 (0xb76f8000)

locks similar. any ideas?