Driftnet
Driftnet is a network packet sniffing tool that captures images, audio, and video from network traffic in real-time. It passively listens to network traffic and extracts visual content transmitted over unencrypted protocols, making it valuable for security awareness and understanding the risks of unencrypted communications.
Installation
Section titled “Installation”Ubuntu/Debian
Section titled “Ubuntu/Debian”sudo apt-get update
sudo apt-get install driftnetFrom Source
Section titled “From Source”git clone https://github.com/deiv/driftnet.git
cd driftnet
./configure
make
sudo make installArch Linux
Section titled “Arch Linux”sudo pacman -S driftnetBasic Usage
Section titled “Basic Usage”Capture Images from Network Interface
Section titled “Capture Images from Network Interface”sudo driftnet -i eth0Capture and Save Images to Directory
Section titled “Capture and Save Images to Directory”sudo driftnet -i eth0 -d /path/to/output/directoryCapture from Specific Network Interface (Wireless)
Section titled “Capture from Specific Network Interface (Wireless)”sudo driftnet -i wlan0Use with Preconfigured Filter
Section titled “Use with Preconfigured Filter”sudo driftnet -i eth0 -xVerbose Output Mode
Section titled “Verbose Output Mode”sudo driftnet -i eth0 -vCommon Commands & Options
Section titled “Common Commands & Options”| Command | Description |
|---|---|
-i <interface> | Specify network interface to sniff (eth0, wlan0) |
-d <directory> | Save captured images to specified directory |
-x | Run in X11 mode with graphical display |
-v | Verbose output showing captured content info |
-m <number> | Maximum number of images to capture |
-n | Capture audio streams instead of images |
-p | Include PPP connections in capture |
-l | Listen-only mode (no X display) |
Practical Examples
Section titled “Practical Examples”Monitor All Traffic on Primary Interface
Section titled “Monitor All Traffic on Primary Interface”sudo driftnet -i eth0Save Captured Images with Timestamp
Section titled “Save Captured Images with Timestamp”sudo driftnet -i eth0 -d ~/captured-imagesHeadless Capture (Server without Display)
Section titled “Headless Capture (Server without Display)”sudo driftnet -i eth0 -l -d /tmp/imagesCapture from Specific Network Adapter
Section titled “Capture from Specific Network Adapter”ip link show
# Output shows available interfaces
sudo driftnet -i eth0Monitor Multiple Interfaces
Section titled “Monitor Multiple Interfaces”# Run separate instances for each interface
sudo driftnet -i eth0 -d /tmp/eth0-images &
sudo driftnet -i eth1 -d /tmp/eth1-images &Filter Specific Traffic Types
Section titled “Filter Specific Traffic Types”sudo driftnet -i eth0 -x -m 100Network Protocols Captured
Section titled “Network Protocols Captured”Driftnet captures visual content from the following unencrypted protocols:
| Protocol | Content Type | Default Port |
|---|---|---|
| HTTP | Web images, embedded media | 80 |
| FTP | File transfers with images | 21 |
| SMTP | Email attachments | 25 |
| RTSP | Streaming video | 554 |
| MJPEG | Motion JPEG streams | 8080 |
| NNTP | Usenet images | 119 |
Use Cases & Scenarios
Section titled “Use Cases & Scenarios”Security Awareness Training
Section titled “Security Awareness Training”# Demonstrate risks of unencrypted connections
sudo driftnet -i eth0 -d /tmp/demo-images
# Show captured content to employeesNetwork Traffic Analysis
Section titled “Network Traffic Analysis”# Monitor suspicious network activity
sudo driftnet -i eth0 -v
# Analyze what content is being transmittedPenetration Testing
Section titled “Penetration Testing”# Identify unencrypted media transmission
sudo driftnet -i eth0 -l -d /tmp/pentest-resultsResearch & Development
Section titled “Research & Development”# Study network traffic patterns
sudo driftnet -i eth0 -m 1000 -d /tmp/researchAdvanced Techniques
Section titled “Advanced Techniques”Capture with tcpdump Integration
Section titled “Capture with tcpdump Integration”# Use tcpdump for more granular packet capture
sudo tcpdump -i eth0 -w packets.pcap
sudo driftnet -f packets.pcapFilter by VLAN
Section titled “Filter by VLAN”# Capture only VLAN traffic
sudo driftnet -i eth0.100 -d /tmp/vlan-imagesMonitor Specific Subnet
Section titled “Monitor Specific Subnet”# Use with arp-scan to identify subnet
sudo arp-scan -l
sudo driftnet -i eth0 -d /tmp/subnet-imagesReal-time Processing
Section titled “Real-time Processing”# Capture and immediately process images
sudo driftnet -i eth0 -x
# Images display in real-time windowTroubleshooting
Section titled “Troubleshooting”Permission Denied
Section titled “Permission Denied”# Driftnet requires root/sudo access
sudo driftnet -i eth0Interface Not Found
Section titled “Interface Not Found”# List available network interfaces
ip link show
# or
ifconfigNo Images Captured
Section titled “No Images Captured”# Verify traffic is flowing
sudo tcpdump -i eth0 -c 10
# Check for HTTPS traffic (encrypted, won't be captured)Output Directory Issues
Section titled “Output Directory Issues”# Ensure directory exists and is writable
mkdir -p ~/driftnet-output
sudo driftnet -i eth0 -d ~/driftnet-output
# May need to change ownership after capture
sudo chown -R $USER ~/driftnet-outputSecurity & Ethical Considerations
Section titled “Security & Ethical Considerations”Legal Implications
Section titled “Legal Implications”- Require authorization before monitoring network traffic
- Comply with local privacy laws and regulations
- Inform network users about monitoring policies
- Document legal basis for network captures
Responsible Use
Section titled “Responsible Use”# Only capture on networks you own or have permission to monitor
# Protect captured images containing sensitive information
# Store results securely with restricted access
sudo driftnet -i eth0 -d /tmp/images
# Encrypt sensitive captures
tar czf images.tar.gz /tmp/images
gpg -c images.tar.gzPrivacy Protection
Section titled “Privacy Protection”- Never share captured content without consent
- Delete captures after analysis period
- Implement access controls on captured data
- Use VPN/HTTPS to protect personal traffic
Performance Considerations
Section titled “Performance Considerations”Memory Usage
Section titled “Memory Usage”# Monitor memory consumption
free -h
# Driftnet uses minimal memory per captured imageCPU Impact
Section titled “CPU Impact”# Check CPU usage during capture
top -p $(pgrep driftnet)
# Usually low overhead for real-time captureDisk Space Requirements
Section titled “Disk Space Requirements”# Estimate storage needed
# Average image: 50-200 KB
# Plan accordingly: sudo driftnet -i eth0 -d /data/imagesComparison with Similar Tools
Section titled “Comparison with Similar Tools”| Tool | Purpose | Capture Type |
|---|---|---|
| Driftnet | Visual content capture | Real-time images |
| tcpdump | Packet capture | Raw packets |
| Wireshark | Network analysis | Detailed packets |
| URLsnarf | URL extraction | Text URLs |
| Ettercap | MITM attacks | Full traffic |
Integration with Other Tools
Section titled “Integration with Other Tools”Combine with tcpdump
Section titled “Combine with tcpdump”# Capture packets and extract images
sudo tcpdump -i eth0 -w capture.pcap
# Later analyze with driftnet
driftnet -f capture.pcap -d /tmp/imagesUse in Monitoring Scripts
Section titled “Use in Monitoring Scripts”#!/bin/bash
# Automated network monitoring
INTERFACE="eth0"
OUTPUT_DIR="/var/log/driftnet"
mkdir -p $OUTPUT_DIR
sudo driftnet -i $INTERFACE -d $OUTPUT_DIR -lSummary
Section titled “Summary”Driftnet is a powerful tool for demonstrating network security risks and understanding what content travels unencrypted across networks. Its real-time capture capabilities make it valuable for security training, threat detection, and network analysis. Always use ethically and legally within authorized network environments.