Driftnet
Driftnet is a network packet sniffing tool that captures images, audio, and video from network traffic in real-time. It passively listens to network traffic and extracts visual content transmitted over unencrypted protocols, making it valuable for security awareness and understanding the risks of unencrypted communications.
Installation
Ubuntu/Debian
```bash
sudo apt-get update
sudo apt-get install driftnet
```
From Source
```bash
git clone https://github.com/deiv/driftnet.git
cd driftnet
./configure
make
sudo make install
```
Arch Linux
```bash
sudo pacman -S driftnet
```
Basic Usage
Capture Images from Network Interface
```bash
sudo driftnet -i eth0
```
Capture and Save Images to Directory
```bash
sudo driftnet -i eth0 -d /path/to/output/directory
```
Capture from Specific Network Interface (Wireless)
```bash
sudo driftnet -i wlan0
```
Use with Preconfigured Filter
```bash
sudo driftnet -i eth0 -x
```
Verbose Output Mode
```bash
sudo driftnet -i eth0 -v
```
Common Commands & Options
| Command | Description |
|---|---|
| -i <interface> | Specify the network interface to sniff (eth0, wlan0) |
| -d <directory> | Save captured images to the specified directory |
| -x | Run in X11 mode with graphical display |
| -v | Verbose output showing captured content info |
| -m <number> | Maximum number of images to capture |
| -n | Capture audio streams instead of images |
| -p | Include PPP connections in capture |
| -l | Listen-only mode (no X display) |
Practical Examples
Monitor All Traffic on Primary Interface
```bash
sudo driftnet -i eth0
```
Save Captured Images with Timestamp
```bash
sudo driftnet -i eth0 -d ~/captured-images
```
Headless Capture (Server without Display)
```bash
sudo driftnet -i eth0 -l -d /tmp/images
```
Capture from Specific Network Adapter
```bash
ip link show
# Output shows available interfaces
sudo driftnet -i eth0
```
Monitor Multiple Interfaces
```bash
# Run separate instances for each interface
sudo driftnet -i eth0 -d /tmp/eth0-images &
sudo driftnet -i eth1 -d /tmp/eth1-images &
```
Filter Specific Traffic Types
```bash
sudo driftnet -i eth0 -x -m 100
```
Network Protocols Captured
Driftnet captures visual content from the following unencrypted protocols:
| Protocol | Content Type | Default Port |
|---|---|---|
| HTTP | Web images, embedded media | 80 |
| FTP | File transfers with images | 21 |
| SMTP | Email attachments | 25 |
| RTSP | Streaming video | 554 |
| MJPEG | Motion JPEG streams | 8080 |
| NNTP | Usenet images | 119 |
Use Cases & Scenarios
Security Awareness Training
```bash
# Demonstrate risks of unencrypted connections
sudo driftnet -i eth0 -d /tmp/demo-images
# Show captured content to employees
```
Network Traffic Analysis
```bash
# Monitor suspicious network activity
sudo driftnet -i eth0 -v
# Analyze what content is being transmitted
```
Penetration Testing
```bash
# Identify unencrypted media transmission
sudo driftnet -i eth0 -l -d /tmp/pentest-results
```
Research & Development
```bash
# Study network traffic patterns
sudo driftnet -i eth0 -m 1000 -d /tmp/research
```
Advanced Techniques
Capture with tcpdump Integration
```bash
# Use tcpdump for more granular packet capture
sudo tcpdump -i eth0 -w packets.pcap
sudo driftnet -f packets.pcap
```
Filter by VLAN
```bash
# Capture only VLAN traffic
sudo driftnet -i eth0.100 -d /tmp/vlan-images
```
Monitor Specific Subnet
```bash
# Use with arp-scan to identify the subnet
sudo arp-scan -l
sudo driftnet -i eth0 -d /tmp/subnet-images
```
Real-time Processing
```bash
# Capture and immediately process images
sudo driftnet -i eth0 -x
# Images display in a real-time window
```
Troubleshooting
Permission Denied
```bash
# Driftnet requires root/sudo access
sudo driftnet -i eth0
```
Interface Not Found
```bash
# List available network interfaces
ip link show
# or
ifconfig
```
No Images Captured
```bash
# Verify traffic is flowing
sudo tcpdump -i eth0 -c 10
# Check for HTTPS traffic (encrypted, won't be captured)
```
Output Directory Issues
```bash
# Ensure the directory exists and is writable
mkdir -p ~/driftnet-output
sudo driftnet -i eth0 -d ~/driftnet-output
# May need to change ownership after capture
sudo chown -R "$USER" ~/driftnet-output
```
Security & Ethical Considerations
Legal Implications
- Require authorization before monitoring network traffic
- Comply with local privacy laws and regulations
- Inform network users about monitoring policies
- Document legal basis for network captures
Responsible Use
```bash
# Only capture on networks you own or have permission to monitor
# Protect captured images containing sensitive information
# Store results securely with restricted access
sudo driftnet -i eth0 -d /tmp/images
# Encrypt sensitive captures
tar czf images.tar.gz /tmp/images
gpg -c images.tar.gz
```
Privacy Protection
- Never share captured content without consent
- Delete captures after analysis period
- Implement access controls on captured data
- Use VPN/HTTPS to protect personal traffic
Performance Considerations
Memory Usage
```bash
# Monitor memory consumption
free -h
# Driftnet uses minimal memory per captured image
```
CPU Impact
```bash
# Check CPU usage during capture
top -p "$(pgrep driftnet)"
# Usually low overhead for real-time capture
```
Disk Space Requirements
```bash
# Estimate storage needed
# Average image: 50-200 KB
# Plan accordingly:
sudo driftnet -i eth0 -d /data/images
```
Comparison with Similar Tools
| Tool | Purpose | Capture Type |
|---|---|---|
| Driftnet | Visual content capture | Real-time images |
| tcpdump | Packet capture | Raw packets |
| Wireshark | Network analysis | Detailed packets |
| URLsnarf | URL extraction | Text URLs |
| Ettercap | MITM attacks | Full traffic |
Integration with Other Tools
Combine with tcpdump
```bash
# Capture packets and extract images
sudo tcpdump -i eth0 -w capture.pcap
# Later analyze with driftnet
driftnet -f capture.pcap -d /tmp/images
```
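The extraction step behind `driftnet -f`, reduced to a short parser and added here as an example (it is not driftnet's own code, which also reassembles TCP streams and recognises more formats): it walks a classic pcap file, pulls out the IPv4/TCP payloads, and keeps HTTP responses whose Content-Type is image/*. The sample traffic is constructed inline, a cleartext JPEG response on port 80 next to a TLS record on port 443, so it also shows why the "No Images Captured" troubleshooting note holds: the TLS segment is parsed like any other, but nothing recognisable comes out of it.

```python
import struct
# Constructed sample traffic, not a real capture: one cleartext HTTP response carrying a
# tiny JPEG (port 80) and one TLS application-data record (port 443) that hides its content.
JPEG_BODY = b"\xff\xd8\xff\xe0" + b"\x00" * 12 + b"\xff\xd9"
HTTP_RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
             b"Content-Length: %d\r\n\r\n" % len(JPEG_BODY)) + JPEG_BODY
TLS_RECORD = b"\x17\x03\x03\x00\x20" + b"\x9f" * 32

def build_packet(payload, sport=80, dport=40000):
    """Ethernet + IPv4 + TCP framing around a payload (checksums left at 0)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload

def build_pcap(packets):
    """Classic pcap file: 24-byte global header (link type 1 = Ethernet) + one record per frame."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(p), len(p)) + p for p in packets)

def iter_tcp_payloads(pcap):
    """Yield (src_port, dst_port, payload) for every IPv4/TCP frame in the file."""
    off = 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                  # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]     # skip the IPv4 header (IHL * 4 bytes)
        sport, dport = struct.unpack_from("!HH", tcp)
        yield sport, dport, tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset * 4)

def extract_http_images(pcap):
    """Return [(src_port, content_type, body)] for cleartext HTTP responses with an image/*
    Content-Type. Single-segment responses only: driftnet's TCP reassembly is omitted here."""
    found = []
    for sport, _dport, payload in iter_tcp_payloads(pcap):
        if not payload.startswith(b"HTTP/1.") or b"\r\n\r\n" not in payload:
            continue                                  # TLS records and non-HTTP data drop out here
        head, body = payload.split(b"\r\n\r\n", 1)
        ctype = next((h.split(b":", 1)[1].strip() for h in head.split(b"\r\n")[1:]
                      if h.lower().startswith(b"content-type:")), b"")
        if ctype.startswith(b"image/"):
            found.append((sport, ctype.decode(), body))
    return found

# Two frames: the HTTP one yields an image, the TLS one yields nothing recoverable.
SAMPLE_PCAP = build_pcap([build_packet(HTTP_RESP), build_packet(TLS_RECORD, sport=443)])
```

To run it against a real tcpdump capture, pass `open("capture.pcap", "rb").read()` to `extract_http_images`.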
Use in Monitoring Scripts
```bash
#!/bin/bash
# Automated network monitoring: headless capture into a fixed output directory
INTERFACE="eth0"
OUTPUT_DIR="/var/log/driftnet"
mkdir -p "$OUTPUT_DIR"
sudo driftnet -i "$INTERFACE" -d "$OUTPUT_DIR" -l
```
Summary
Driftnet is a powerful tool for demonstrating network security risks and understanding what content travels unencrypted across networks. Its real-time capture capabilities make it valuable for security training, threat detection, and network analysis. Always use it ethically and legally within authorized network environments.