Sniffing & Spoofingnetworktrafficimagescapturesniffingpcapgtk

Driftnet

Driftnet captures and displays images from network traffic by listening to TCP streams. It is particularly useful on hosts with high web traffic volumes.

Description

Driftnet is a tool inspired by EtherPEG that monitors network traffic and extracts images from observed TCP streams, displaying them in an X window. It can also optionally capture and play audio streams. The program is designed for environments with significant web traffic, making it interesting for passive network observation.

Use cases include running it on shared or unswitched networks to visualize images being transferred, though it blatantly invades privacy and is cautioned against for users with certain sensibilities. Images can be saved to the current directory by clicking on them in the display.

An adjunct mode allows integration with other programs, where driftnet silently manages image collection in a temporary directory, dropping excess images if a limit is set. Filter codes similar to tcpdump can refine the traffic monitored.

How It Works

Driftnet listens on network interfaces or reads from pcap dump files to inspect TCP streams, extracting embedded images and optionally audio. It displays captures in a GTK-based X window and supports tcpdump-style filters prefixed with 'tcp and'. In adjunct mode, it limits images in a temporary directory for external collection processes.

Installation

bash
sudo apt install driftnet

Flags

-hDisplay this help message.
-vVerbose operation.
-bBeep when a new image is captured.
-i interfaceSelect the interface on which to listen (default: all interfaces).
-f fileInstead of listening on an interface, read captured packets from a pcap dump file; file can be a named pipe for use with Kismet or similar.

Examples

Display the help message and usage synopsis.
driftnet -h
Capture images from all interfaces and display them in an X window.
driftnet
Listen only on the eth0 interface for image traffic.
driftnet -i eth0
Read captured packets from a pcap dump file instead of live interface.
driftnet -f capture.pcap
Filter traffic to TCP port 80 after the default 'tcp and' prefix.
driftnet 'port 80'
Run in verbose mode and beep on new image captures.
driftnet -v -b
Read from a named pipe for integration with tools like Kismet.
driftnet -f /tmp/kismet.pipe
Updated 2026-04-16kali.org ↗