Driftnet
Driftnet is a network packet sniffing tool that captures images, audio, and video from network traffic in real-time. It passively listens to network traffic and extracts visual content transmitted over unencrypted protocols, making it valuable for security awareness and understanding the risks of unencrypted communications.
Installation
Ubuntu/Debian
sudo apt-get update
sudo apt-get install driftnet
From Source
git clone https://github.com/deiv/driftnet.git
cd driftnet
./configure
make
sudo make install
Arch Linux
sudo pacman -S driftnet
Basic Usage
Capture Images from Network Interface
sudo driftnet -i eth0
Capture and Save Images to Directory
sudo driftnet -i eth0 -d /path/to/output/directory
Capture from Specific Network Interface (Wireless)
sudo driftnet -i wlan0
Use with Preconfigured Filter
# -x takes a filename prefix, not a filter; a pcap filter expression goes after the options
sudo driftnet -i eth0 port 80
Verbose Output Mode
sudo driftnet -i eth0 -v
Common Commands & Options
| Command | Description |
|---|---|
| -i <interface> | Specify network interface to sniff (eth0, wlan0) |
| -d <directory> | Save captured images to specified directory |
| -x <prefix> | Filename prefix to use when saving images |
| -v | Verbose output showing captured content info |
| -m <number> | Maximum number of images to keep in the directory (adjunct mode) |
| -S | Capture streamed audio instead of images (-s captures audio in addition to images) |
| -p | Do not put the interface into promiscuous mode |
| -a | Adjunct mode: no display window; images are saved to the directory and their names are printed on standard output |
Practical Examples
Monitor All Traffic on Primary Interface
sudo driftnet -i eth0
Save Captured Images with Timestamp
sudo driftnet -i eth0 -d ~/captured-images
Headless Capture (Server without Display)
sudo driftnet -i eth0 -a -d /tmp/images
Capture from Specific Network Adapter
ip link show
# Output shows available interfaces
sudo driftnet -i eth0
Monitor Multiple Interfaces
# Run separate instances for each interface
sudo driftnet -i eth0 -d /tmp/eth0-images &
sudo driftnet -i eth1 -d /tmp/eth1-images &
Filter Specific Traffic Types
# A pcap filter expression after the options restricts what is inspected;
# -m limits the number of stored images in adjunct mode (-a)
sudo driftnet -i eth0 -a -m 100 port 80
Network Protocols Captured
Driftnet captures visual content from the following unencrypted protocols:
| Protocol | Content Type | Default Port |
|---|---|---|
| HTTP | Web images, embedded media | 80 |
| FTP | File transfers with images | 21 |
| SMTP | Email attachments | 25 |
| RTSP | Streaming video | 554 |
| MJPEG | Motion JPEG streams | 8080 |
| NNTP | Usenet images | 119 |
Use Cases & Scenarios
Security Awareness Training
# Demonstrate risks of unencrypted connections
sudo driftnet -i eth0 -d /tmp/demo-images
# Show captured content to employees
Network Traffic Analysis
# Monitor suspicious network activity
sudo driftnet -i eth0 -v
# Analyze what content is being transmitted
Penetration Testing
# Identify unencrypted media transmission
sudo driftnet -i eth0 -a -d /tmp/pentest-results
Research & Development
# Study network traffic patterns
sudo driftnet -i eth0 -m 1000 -d /tmp/research
Advanced Techniques
Capture with tcpdump Integration
# Use tcpdump for more granular packet capture
sudo tcpdump -i eth0 -w packets.pcap
sudo driftnet -f packets.pcap
Filter by VLAN
# Capture only VLAN traffic
sudo driftnet -i eth0.100 -d /tmp/vlan-images
Monitor Specific Subnet
# Use with arp-scan to identify subnet
sudo arp-scan -l
sudo driftnet -i eth0 -d /tmp/subnet-images
Real-time Processing
# Capture and immediately process images
sudo driftnet -i eth0
# Images display in real-time window
Troubleshooting
Permission Denied
# Driftnet requires root/sudo access
sudo driftnet -i eth0
Interface Not Found
# List available network interfaces
ip link show
# or
ifconfig
No Images Captured
# Verify traffic is flowing
sudo tcpdump -i eth0 -c 10
# Check for HTTPS traffic (encrypted, won't be captured)
Output Directory Issues
# Ensure directory exists and is writable
mkdir -p ~/driftnet-output
sudo driftnet -i eth0 -d ~/driftnet-output
# May need to change ownership after capture
sudo chown -R $USER ~/driftnet-output
Security & Ethical Considerations
Legal Implications
- Require authorization before monitoring network traffic
- Comply with local privacy laws and regulations
- Inform network users about monitoring policies
- Document legal basis for network captures
Responsible Use
# Only capture on networks you own or have permission to monitor
# Protect captured images containing sensitive information
# Store results securely with restricted access
sudo driftnet -i eth0 -d /tmp/images
# Encrypt sensitive captures
tar czf images.tar.gz /tmp/images
gpg -c images.tar.gz
Privacy Protection
- Never share captured content without consent
- Delete captures after analysis period
- Implement access controls on captured data
- Use VPN/HTTPS to protect personal traffic
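The storage, encryption and retention points from Responsible Use and Privacy Protection can be scripted. The following is an added example, not part of the original cheat sheet or the driftnet project; the function names, directory layout and retention period are assumptions, and because `sudo driftnet` writes root-owned files, the functions are meant to be run as root.

```shell
#!/bin/bash
# Added example: private storage, encryption and retention for driftnet
# captures. Function names and paths are hypothetical.

# Create a capture directory only its owner can read; print its path.
new_capture_dir() {
    local base="$1" dir
    mkdir -p "$base" || return 1
    dir="$(mktemp -d "$base/capture-XXXXXXXX")" || return 1
    chmod 700 "$dir"   # mktemp -d already creates 0700; kept explicit
    printf '%s\n' "$dir"
}

# Archive a capture directory, encrypt the archive with a passphrase,
# then remove the plaintext archive and the plaintext images.
seal_captures() {
    local dir="${1%/}" archive
    archive="$dir.tar.gz"
    (
        umask 077   # archive and ciphertext are created owner-only
        tar czf "$archive" -C "$(dirname "$dir")" "$(basename "$dir")" &&
        gpg --symmetric --cipher-algo AES256 --output "$archive.gpg" "$archive" &&
        rm -rf -- "$archive" "$dir"
    )
}

# Delete files older than N days under the base directory, drop empty
# capture directories, and print how many files were removed.
purge_old_captures() {
    local base="$1" days="$2" count
    count="$(find "$base" -type f -mtime +"$days" -print -delete | wc -l)"
    find "$base" -mindepth 1 -type d -empty -delete
    printf '%d\n' "$count"
}
```

A typical sequence is `dir=$(new_capture_dir /var/lib/driftnet)`, a capture with `-a -d "$dir"`, `seal_captures "$dir"`, and a scheduled `purge_old_captures /var/lib/driftnet 30`.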
Performance Considerations
Memory Usage
# Monitor memory consumption
free -h
# Driftnet uses minimal memory per captured image
CPU Impact
# Check CPU usage during capture
top -p $(pgrep driftnet)
# Usually low overhead for real-time capture
Disk Space Requirements
# Estimate storage needed
# Average image: 50-200 KB
# Plan accordingly: sudo driftnet -i eth0 -d /data/images
Comparison with Similar Tools
| Tool | Purpose | Capture Type |
|---|---|---|
| Driftnet | Visual content capture | Real-time images |
| tcpdump | Packet capture | Raw packets |
| Wireshark | Network analysis | Detailed packets |
| URLsnarf | URL extraction | Text URLs |
| Ettercap | MITM attacks | Full traffic |
Integration with Other Tools
Combine with tcpdump
# Capture packets and extract images
sudo tcpdump -i eth0 -w capture.pcap
# Later analyze with driftnet
driftnet -f capture.pcap -d /tmp/images
Use in Monitoring Scripts
#!/bin/bash
# Automated network monitoring
INTERFACE="eth0"
OUTPUT_DIR="/var/log/driftnet"
# /var/log is root-owned, so create the directory with sudo
sudo mkdir -p "$OUTPUT_DIR"
# -a (adjunct mode) runs without a display and saves images to the directory
sudo driftnet -i "$INTERFACE" -d "$OUTPUT_DIR" -a
Driftnet is a powerful tool for demonstrating network security risks and understanding what content travels unencrypted across networks. Its real-time capture capabilities make it valuable for security training, threat detection, and network analysis. Always use ethically and legally within authorized network environments.