driftnet
Sniff network traffic and display images
SYNOPSIS
driftnet [-hV] [-a] [-i interface] [-f filter] [directory]
PARAMETERS
-a
Monitor all TCP protocols, not just HTTP on port 80
-f filter
Apply BPF packet filter expression (e.g., 'port 8080')
-i interface
Listen on specific network interface (default: all)
-h
Display help summary and exit
-V
Print version information and exit
directory
Save images to directory instead of displaying (creates if needed)
DESCRIPTION
Driftnet is a lightweight network monitoring tool that passively captures TCP traffic on a network interface and extracts embedded images, primarily JPEG and PNG files from HTTP streams. It displays these images in real-time within an X11 window, providing a visual representation of image downloads occurring on the monitored network.
Designed for network administrators, security researchers, and forensic analysts, driftnet helps identify unsecured image transfers, demonstrate the risks of unencrypted HTTP, or monitor for specific visual content. It uses libpcap for packet capture and applies basic heuristics to reconstruct images from fragmented TCP streams without interfering with traffic.
By default, it filters for HTTP traffic destined for port 80, but options allow broader monitoring. Images are shown with metadata like source IP and timestamp. Ethical use is crucial, as it requires root privileges and promiscuous mode, raising privacy concerns on shared networks.
Though dated, it remains useful for educational demos or low-bandwidth environments where full protocol analyzers like Wireshark are overkill.
CAVEATS
Requires root privileges for promiscuous mode. Ethically sensitive: avoid on networks without authorization. Ignores non-image data, is limited to basic image reconstruction, and may produce false positives on fragmented packets.
May not work well on high-traffic networks due to CPU load.
IMAGE DISPLAY
Shows reconstructed images in X11 window with source IP, port, and timestamp overlays. Filters for JPEG/PNG magic bytes; handles basic gzip but skips complex encodings.
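The magic-byte matching described above, as an added Python example that is not driftnet's own code: it carves PNG and JPEG data out of an already reassembled cleartext stream and validates PNG chunk CRCs, so truncated or corrupted data is rejected rather than reported. The function names and the sample stream are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def carve_png(buf, start):
    """Walk PNG chunks from a signature at `start`; return the end offset or None."""
    pos = start + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length  # length field + type + data + CRC
        if end > len(buf):
            return None  # truncated: segments lost or not yet seen
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(buf[pos + 4:pos + 8 + length]) != crc:
            return None  # corrupted chunk: reject instead of a false positive
        if ctype == b"IEND":
            return end
        pos = end
    return None

def carve_images(buf):
    """Return (kind, offset, data) for each image found in a reassembled stream."""
    found, i = [], 0
    while i < len(buf):
        if buf.startswith(PNG_SIG, i):
            end = carve_png(buf, i)
            if end:
                found.append(("png", i, buf[i:end]))
                i = end
                continue
        elif buf.startswith(JPEG_SOI, i):
            eoi = buf.find(JPEG_EOI, i + 3)  # heuristic: first EOI marker wins
            if eoi != -1:
                found.append(("jpeg", i, buf[i:eoi + 2]))
                i = eoi + 2
                continue
        i += 1
    return found

def png_chunk(ctype, data):
    """Build one PNG chunk (used only to construct the sample below)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

# Constructed sample: 1x1 PNG in a cleartext HTTP response, a fake JPEG run, a truncated PNG.
SAMPLE_PNG = (PNG_SIG + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + png_chunk(b"IEND", b""))
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n" + SAMPLE_PNG
                 + b"junk" + b"\xff\xd8\xff\xe0fake\xff\xd9" + SAMPLE_PNG[:30])
```

The JPEG branch stops at the first EOI marker it sees, which is the kind of basic heuristic that yields partial or spurious images; the same stream carried over TLS exposes no magic bytes to match at all.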
DEPENDENCIES
Needs libpcap and X11 libraries. On Debian-based systems, install with: apt install driftnet
HISTORY
Developed by Adam Laurie (a_laurie@hotmail.com) in 2001 as a proof-of-concept for passive image extraction. Released under GPL; last major update around 2004. Popular in early 2000s for demonstrating HTTP insecurity; still maintained sporadically on GitHub forks.


