Driftnet
Driftnet is a network packet sniffing tool that captures images, audio, and video from network traffic in real-time. It passively listens to network traffic and extracts visual content transmitted over unencrypted protocols, making it valuable for security awareness and understanding the risks of unencrypted communications.
Installation
Ubuntu/Debian
sudo apt-get update
sudo apt-get install driftnet
From Source
git clone https://github.com/deiv/driftnet.git
cd driftnet
./configure
make
sudo make install
Arch Linux
sudo pacman -S driftnet
Basic Usage
Capture Images from Network Interface
sudo driftnet -i eth0
Capture and Save Images to Directory
sudo driftnet -i eth0 -d /path/to/output/directory
Capture from Specific Network Interface (Wireless)
sudo driftnet -i wlan0
Use with Preconfigured Filter
# Arguments after the options are a pcap filter expression (here: port 80)
sudo driftnet -i eth0 tcp port 80
Verbose Output Mode
sudo driftnet -i eth0 -v
Common Commands & Options
| Command | Description |
|---|---|
| -i <interface> | Specify network interface to sniff (eth0, wlan0) |
| -d <directory> | Save captured images to specified directory |
| -x | Run in X11 mode with graphical display |
| -v | Verbose output showing captured content info |
| -m <number> | Maximum number of images to capture |
| -n | Capture audio streams instead of images |
| -p | Include PPP connections in capture |
| -l | Listen-only mode (no X display) |
Practical Examples
Monitor All Traffic on Primary Interface
sudo driftnet -i eth0
Save Captured Images with Timestamp
sudo driftnet -i eth0 -d ~/captured-images
Headless Capture (Server without Display)
# -a (adjunct mode) saves images without opening a display window
sudo driftnet -i eth0 -a -d /tmp/images
Capture from Specific Network Adapter
ip link show
# Output shows available interfaces
sudo driftnet -i eth0
Monitor Multiple Interfaces
# Run separate instances for each interface
sudo driftnet -i eth0 -d /tmp/eth0-images &
sudo driftnet -i eth1 -d /tmp/eth1-images &
Filter Specific Traffic Types
# Keep at most 100 images (-m applies in adjunct mode, -a); match only port 80
sudo driftnet -i eth0 -a -m 100 tcp port 80
Network Protocols Captured
Driftnet captures visual content from the following unencrypted protocols:
| Protocol | Content Type | Default Port |
|---|---|---|
| HTTP | Web images, embedded media | 80 |
| FTP | File transfers with images | 21 |
| SMTP | Email attachments | 25 |
| RTSP | Streaming video | 554 |
| MJPEG | Motion JPEG streams | 8080 |
| NNTP | Usenet images | 119 |
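To see how much of a segment's traffic falls on the ports in this table, the following added example (not part of the original cheat sheet or of driftnet) tallies packets per service from `tcpdump -nn` text output. The function names and the simplified sample lines are constructed for illustration, and port 443 is included only to contrast encrypted traffic.

```sh
#!/bin/sh
# Added example: count packets per service in `tcpdump -nn` text output.
# Ports come from the table above; 443 (HTTPS) is added for contrast.

# Constructed sample capture (documentation addresses, not real traffic).
sample_tcpdump() {
cat <<'EOF'
12:00:01.000001 IP 192.0.2.10.51234 > 198.51.100.7.80: Flags [P.], length 412
12:00:01.000950 IP 198.51.100.7.80 > 192.0.2.10.51234: Flags [.], length 1448
12:00:02.104000 IP 192.0.2.11.40022 > 198.51.100.9.443: Flags [P.], length 517
12:00:02.300000 IP 192.0.2.12.39000 > 198.51.100.20.554: Flags [P.], length 96
12:00:03.000000 IP 192.0.2.10.51236 > 198.51.100.7.8080: Flags [P.], length 300
12:00:03.500000 IP 192.0.2.13.50000 > 198.51.100.9.443: Flags [P.], length 120
12:00:04.000000 ARP, Request who-has 192.0.2.1 tell 192.0.2.10, length 28
EOF
}

# Reads tcpdump -nn lines on stdin, prints "<service> <packets>" per line.
plaintext_exposure() {
  awk '
    BEGIN {
      name[80] = "HTTP"; name[21] = "FTP"; name[25] = "SMTP"
      name[554] = "RTSP"; name[8080] = "MJPEG"; name[119] = "NNTP"
      name[443] = "HTTPS(encrypted)"
    }
    $2 == "IP" && $4 == ">" {
      # Either endpoint can be the server, so test source and destination.
      for (i = 3; i <= 5; i += 2) {
        ep = $i; sub(/:$/, "", ep)
        n = split(ep, part, ".")
        if (part[n] in name) { count[name[part[n]]]++; break }
      }
    }
    END { for (k in count) print k, count[k] }
  ' | LC_ALL=C sort
}

# Total packets on ports whose image payloads driftnet could read.
plaintext_packets() {
  plaintext_exposure | awk '$1 !~ /encrypted/ { s += $2 } END { print s + 0 }'
}

# Live use: sudo tcpdump -nn -i eth0 -c 1000 tcp | plaintext_exposure
sample_tcpdump | plaintext_exposure
```

A non-zero plaintext count on a production segment points at services that should be moved to TLS.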
Use Cases & Scenarios
Security Awareness Training
# Demonstrate risks of unencrypted connections
sudo driftnet -i eth0 -d /tmp/demo-images
# Show captured content to employees
Network Traffic Analysis
# Monitor suspicious network activity
sudo driftnet -i eth0 -v
# Analyze what content is being transmitted
Penetration Testing
# Identify unencrypted media transmission (-a: adjunct mode, no display window)
sudo driftnet -i eth0 -a -d /tmp/pentest-results
Research & Development
# Study network traffic patterns
sudo driftnet -i eth0 -m 1000 -d /tmp/research
Advanced Techniques
Capture with tcpdump Integration
# Use tcpdump for more granular packet capture
sudo tcpdump -i eth0 -w packets.pcap
sudo driftnet -f packets.pcap
Filter by VLAN
# Capture only VLAN traffic
sudo driftnet -i eth0.100 -d /tmp/vlan-images
Monitor Specific Subnet
# Use with arp-scan to identify subnet
sudo arp-scan -l
sudo driftnet -i eth0 -d /tmp/subnet-images
Real-time Processing
# Capture and immediately process images
sudo driftnet -i eth0
# Images display in real-time window
Troubleshooting
Permission Denied
# Driftnet requires root/sudo access
sudo driftnet -i eth0
Interface Not Found
# List available network interfaces
ip link show
# or
ifconfig
No Images Captured
# Verify traffic is flowing
sudo tcpdump -i eth0 -c 10
# Check for HTTPS traffic (encrypted, won't be captured)
Output Directory Issues
# Ensure directory exists and is writable
mkdir -p ~/driftnet-output
sudo driftnet -i eth0 -d ~/driftnet-output
# May need to change ownership after capture
sudo chown -R $USER ~/driftnet-output
Security & Ethical Considerations
Legal Implications
- Require authorization before monitoring network traffic
- Comply with local privacy laws and regulations
- Inform network users about monitoring policies
- Document legal basis for network captures
Responsible Use
# Only capture on networks you own or have permission to monitor
# Protect captured images containing sensitive information
# Store results securely with restricted access
sudo driftnet -i eth0 -d /tmp/images
# Encrypt sensitive captures
tar czf images.tar.gz /tmp/images
gpg -c images.tar.gz
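A hardened variant of the steps above, added here as an example and not taken from the original page or from driftnet: it creates a private capture directory instead of a shared /tmp path and removes the plaintext once the encrypted archive exists. The function names, the passphrase-file argument and the use of adjunct mode (-a) in the usage comment are assumptions of this example.

```sh
#!/bin/sh
# Added example: keep capture output private and encrypt it at rest.
# Function names and arguments are illustrative, not part of driftnet.

# Create a capture directory readable only by the invoking user (0700)
# with an unpredictable name, rather than a fixed path under /tmp.
new_capture_dir() {
  ( umask 077 && mktemp -d "${TMPDIR:-/tmp}/driftnet.XXXXXX" )
}

# Archive a capture directory and encrypt it symmetrically with gpg.
#   $1 = capture dir, $2 = encrypted output file, $3 = passphrase file
# Returns 2 on bad arguments. The plaintext directory and archive are
# removed only after both tar and gpg have succeeded.
seal_captures() {
  dir=$1; out=$2; passfile=$3
  { [ -d "$dir" ] && [ -r "$passfile" ]; } || return 2
  (
    umask 077
    tar -czf "$dir.tar.gz" -C "$(dirname "$dir")" "$(basename "$dir")" &&
    gpg --batch --yes --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 --output "$out" "$dir.tar.gz" &&
    rm -rf "$dir" "$dir.tar.gz"
  )
}

# Usage on an authorized capture host:
#   dir=$(new_capture_dir)
#   sudo driftnet -i eth0 -a -d "$dir"      # stop with Ctrl-C when done
#   seal_captures "$dir" "$HOME/captures.tar.gz.gpg" "$HOME/.capture-pass"
```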
Privacy Protection
- Never share captured content without consent
- Delete captures after analysis period
- Implement access controls on captured data
- Use VPN/HTTPS to protect personal traffic
Performance Considerations
Memory Usage
# Monitor memory consumption
free -h
# Driftnet uses minimal memory per captured image
CPU Impact
# Check CPU usage during capture (-d, joins multiple PIDs for top)
top -p "$(pgrep -d, driftnet)"
# Usually low overhead for real-time capture
Disk Space Requirements
# Estimate storage needed
# Average image: 50-200 KB
# Plan accordingly: sudo driftnet -i eth0 -d /data/images
Comparison with Similar Tools
| Tool | Purpose | Capture Type |
|---|---|---|
| Driftnet | Visual content capture | Real-time images |
| tcpdump | Packet capture | Raw packets |
| Wireshark | Network analysis | Detailed packets |
| URLsnarf | URL extraction | Text URLs |
| Ettercap | MITM attacks | Full traffic |
Integration with Other Tools
Combine with tcpdump
# Capture packets and extract images
sudo tcpdump -i eth0 -w capture.pcap
# Later analyze with driftnet
driftnet -f capture.pcap -d /tmp/images
Use in Monitoring Scripts
#!/bin/bash
# Automated network monitoring
INTERFACE="eth0"
OUTPUT_DIR="/var/log/driftnet"
sudo mkdir -p "$OUTPUT_DIR"
# -a (adjunct mode) saves images without opening a display window
sudo driftnet -i "$INTERFACE" -d "$OUTPUT_DIR" -a
Summary
Driftnet is a powerful tool for demonstrating network security risks and understanding what content travels unencrypted across networks. Its real-time capture capabilities make it valuable for security training, threat detection, and network analysis. Always use it ethically and legally within authorized network environments.