LinuxCommandLibrary

driftnet

Sniff network traffic and display images

SYNOPSIS

driftnet [options] [filter expression]

PARAMETERS

-i interface
    Specifies the network interface to listen on (e.g., eth0, wlan0). This option is usually mandatory for capturing traffic.

-a
    Attempt to render all images, even those with MIME types that are not recognized by driftnet.

-b
    Do not fork into the background. Useful for debugging or when running driftnet as part of a script.

-h
    Display a help message outlining command usage and options, then exit.

-p
    Do not put the network interface into promiscuous mode. This means driftnet will only see packets destined for its own host, which might limit its effectiveness on switched networks.

-s directory
    Save detected images into the specified directory rather than displaying them in a graphical window.

-m
    Monitor for MPEG audio streams and attempt to play them.

-u
    Do not update the displayed image if it's already being shown. This prevents redundant display of the same image.

-v
    Enable verbose output; driftnet will print more information about the packets it processes.

filter expression
    A pcap-compatible filter expression (e.g., 'tcp port 80') to narrow down the captured traffic, focusing only on relevant packets.

DESCRIPTION

driftnet is a command-line tool for passively observing network traffic. It sniffs TCP streams, specifically looking for and extracting common image formats (like JPEG, GIF, PNG) and sometimes audio files. Once detected, these media files are either displayed in a dedicated graphical window or saved to a specified directory. It operates by capturing raw packets using the libpcap library and then intelligently reassembling the TCP streams to identify and reconstruct the embedded media content.
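The stream-scanning step described above, as an added example that is not driftnet's own code: a small Python carver that looks for JPEG and PNG signatures in a reassembled cleartext TCP stream and cuts each complete image back out, stepping past a truncated one the way a sniffer must when a segment has not arrived. The HTTP responses and images it scans are constructed inline (a valid 1x1 PNG and a JPEG marker skeleton), so it runs offline; the signature constants are the standard magic bytes, not driftnet's actual matching rules, and GIF is left out because finding a GIF's end means walking its LZW sub-blocks. Run over a TCP payload exported from tcpdump or wireshark, it shows exactly what a cleartext segment exposes and confirms that traffic you expect to be encrypted yields nothing.

```python
"""Minimal driftnet-style image carver over a reassembled TCP stream (added example)."""
import struct
import zlib
from typing import List, Optional, Tuple

JPEG_SOI = b"\xff\xd8\xff"       # Start Of Image, always followed by a marker byte
JPEG_EOI = b"\xff\xd9"           # End Of Image
PNG_SIG = b"\x89PNG\r\n\x1a\n"    # 8-byte PNG signature


def _png_length(buf: bytes, start: int) -> Optional[int]:
    """Walk PNG chunks (4-byte length, 4-byte type, data, 4-byte CRC) from
    `start` until IEND; return the image length, or None if the stream ends
    before IEND (what a lost or not-yet-seen packet looks like)."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(buf):
            return None
        if ctype == b"IEND":
            return pos - start
    return None


def _jpeg_length(buf: bytes, start: int) -> Optional[int]:
    """Simplification: treat the first EOI after SOI as the end. An embedded
    EXIF thumbnail carries its own EOI, so a real carver walks the marker
    segments instead; this is enough for the constructed stream below."""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else end + len(JPEG_EOI) - start


def carve_images(stream: bytes) -> List[Tuple[str, bytes]]:
    """Return (kind, bytes) for every complete JPEG/PNG in `stream`, scanning
    left to right and jumping past each image once it has been carved."""
    found: List[Tuple[str, bytes]] = []
    pos = 0
    while pos < len(stream):
        hits = [(i, kind) for i, kind in ((stream.find(JPEG_SOI, pos), "jpeg"),
                                           (stream.find(PNG_SIG, pos), "png")) if i >= 0]
        if not hits:
            break
        start, kind = min(hits)  # earliest signature wins
        length = _jpeg_length(stream, start) if kind == "jpeg" else _png_length(stream, start)
        if length is None:       # truncated image: step past this signature and keep looking
            pos = start + 1
            continue
        found.append((kind, stream[start:start + length]))
        pos = start + length
    return found


# --- constructed sample data (not a real capture) ---------------------------

def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def make_tiny_png() -> bytes:
    """A valid 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, bit depth 8, colour type 2 (RGB)
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    return PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


def make_minimal_jpeg() -> bytes:
    """SOI + JFIF APP0 segment + EOI: a well-formed marker skeleton without scan data."""
    app0 = b"JFIF\x00" + b"\x01\x01" + b"\x00" + b"\x00\x01" + b"\x00\x01" + b"\x00\x00"
    return JPEG_SOI + b"\xe0" + struct.pack(">H", len(app0) + 2) + app0 + JPEG_EOI


def build_sample_stream() -> bytes:
    """A reassembled server-to-client HTTP stream: two complete image
    responses, then a third whose body was cut off after 20 bytes."""
    png, jpg = make_tiny_png(), make_minimal_jpeg()

    def response(ctype: bytes, body: bytes) -> bytes:
        return (b"HTTP/1.1 200 OK\r\nContent-Type: " + ctype
                + b"\r\nContent-Length: %d\r\n\r\n" % len(body) + body)

    third = response(b"image/png", png)
    truncated = third[:len(third) - len(png) + 20]   # headers plus only the first 20 image bytes
    return response(b"image/png", png) + response(b"image/jpeg", jpg) + truncated


if __name__ == "__main__":
    for kind, data in carve_images(build_sample_stream()):
        print(f"{kind}: {len(data)} bytes")
```

The carver works on the reassembled stream rather than on individual packets, which is the point of driftnet's TCP reassembly: an image that spans several segments is only recoverable once the segments are back in order, and a missing segment shows up as a truncated image that the carver skips rather than emitting garbage.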

While often employed for entertainment or to highlight network security vulnerabilities (e.g., unencrypted HTTP traffic), driftnet serves as a powerful illustration of privacy risks on unencrypted networks, especially public Wi-Fi. It's a 'listen-only' tool and does not inject or alter network traffic. Its effectiveness largely depends on the type of unencrypted traffic traversing the network segment it's monitoring and the network topology (e.g., shared medium vs. switched network). This tool remains a classic example of passive network sniffing.

CAVEATS

Root Privileges: driftnet typically requires root privileges to put the network interface into promiscuous mode and capture raw packets.

Privacy & Legality: Using driftnet on networks you do not own or have explicit permission to monitor can be illegal and unethical. It exposes unencrypted data and can lead to severe privacy breaches.

Performance: On busy networks, driftnet can consume significant CPU and memory resources, especially when saving many images to disk.

Limited Scope: driftnet can only process unencrypted traffic (e.g., HTTP, FTP). It cannot decrypt or display content from encrypted protocols like HTTPS, SSH, or VPN tunnels.

Network Topology: It is most effective on shared network mediums (like older Wi-Fi or hubs). On modern switched networks, it might only see traffic directed to or from the host, unless advanced techniques like ARP spoofing or port mirroring are employed (which driftnet itself does not perform).

GRAPHICAL DISPLAY REQUIREMENT

When not using the -s option, driftnet opens a dedicated graphical window to display captured images. This means it requires an X server environment to function correctly. If run in a console-only environment (e.g., via SSH without X forwarding), it will fail to display images unless directed to save them.

FILTER EXPRESSIONS

Users can apply tcpdump-style filter expressions to narrow down the traffic sniffed. For example, 'port 80' limits capture to traffic on port 80 (conventionally HTTP), which can significantly reduce noise and improve performance on busy networks by focusing on specific protocols or hosts.

HISTORY

driftnet was created by Ethan "ewhac" Bradford. It emerged during a period when a significant portion of internet traffic, particularly on public Wi-Fi hotspots, was unencrypted. This made driftnet a stark and immediate demonstration of how easily sensitive data, such as images browsed on a website, could be intercepted on a shared network. Its development prioritized simplicity and direct visual feedback, making it an impactful educational tool for illustrating fundamental network security and privacy issues. While it is no longer actively maintained, its core functionality remains a classic example of passive network sniffing and a reminder of the importance of encryption.

SEE ALSO

tcpdump(1), wireshark(1), ettercap(8), ngrep(1)
