See what images are being viewed on your network with driftnet - gHacks Tech News

See what images are being viewed on your network with driftnet

I want to preface this article by saying I am not, in any way advocating spying on your users. With that said, there are times (and reasons) why you might need to see what images are being viewed on your network. Whether it be an end user who is viewing content that goes against specific company policies or, worse, against the law. When this happens, you might have need or cause to see just what is being viewed from your LAN. When this is the case there is a handy tool for that called Driftnet.

Driftnet was inspired by the old Apple program EtherPEG and works by watching TCP streams for images and MPEG audio streams. As it listens I dumps the images into a user configured directory and/or it can display the images within a window as they are captured. In this article I will show you how to install and use Driftnet.


You will fortunately find Driftnet in the standard repositories for both Ubuntu and Fedora, so the installation is simple. Since you will be running Driftnet from command line, let's install the same way.

To install Driftnet in Ubuntu, follow these steps:

  1. Open up a terminal window.
  2. Issue the command sudo apt-get install driftnet.
  3. Type your sudo password and hit Enter.
  4. Accept any dependencies necessary.
  5. Watch the installation complete.
  6. Keep the terminal window open for usage.

To install in Fedora, follow these steps:

  1. Open up a terminal window.
  2. Su to the root user.
  3. Type the root user password and hit Enter.
  4. Issue the command yum install driftnet.
  5. Accept any dependencies necessary.
  6. Watch the installation complete.
  7. Keep the terminal window open for further usage.

You are now ready to begin using driftnet.


Driftnet needs to had administrative rights to run. So you will either be running this as root or using sudo (depending upon your distribution). The basic usage of Driftnet is:

driftnet OPTIONS

The common options you will use are:

  • -i This determines the interface you want to specific. If none is specified it will assume "all".
  • -d This dictates the directory you want images to be saved into.
  • -x The prefix you want to prepend  to the images collected. This is handy when you need to add a date to all images collected.
  • -a This will run Driftnet in adjunct mode where no image window is displayed (images are only collected in the defined directory).

Before you start using Driftnet, you need to create a directory that will collect the images. I just create a directory called ~/DRIFT for my image collection. Once you have that directory created you can fire up Driftnet like so:

sudo driftnet -d ~/DRIFT

Figure 1

When you issue this command Drifnet will open up a window (see Figure 1) and start collecting images. As you can see, in Figure 1, I have googled "ubuntu wallpaper" and Drifnet captured those images. The application happens very quickly and as soon as you kill the Driftnet command the images will be wiped away.

A word of warning

Driftnet can consume a lot of your system resources. This is especially true when not running in adjunct mode.

Final thoughts

It's a slippery slope and can be considered an invasion of privacy. But when you need to see if an end user is viewing images that go against company policy, Driftnet will help you do so.


We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Previous Post: «
Next Post: »


  1. Bill said on September 20, 2010 at 6:22 pm

    Sounds cool, but I get: driftnet: pcap_compile: syntax error

  2. Mr. Obvious said on September 21, 2010 at 3:27 am

    Of course, a simple network switch renders driftnet useless, unless you can find a span port, you’re networking in 1992, all of your internet users are users on your box, or your box is a firewall/router.

    Ettercap or some DNS trickery combined with a transparent squid setup will give you something more effective.

  3. Anonymous said on June 7, 2012 at 5:59 am

    use the -i command to get rid of the error

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.