See what images are being viewed on your network with driftnet
I want to preface this article by saying I am not in any way advocating spying on your users. That said, there are times (and reasons) when you might need to see what images are being viewed on your network, such as an end user viewing content that goes against specific company policies or, worse, against the law. When that happens, you might have need or cause to see just what is being viewed from your LAN, and there is a handy tool for that called Driftnet.
Driftnet was inspired by the old Apple program EtherPEG and works by watching TCP streams for images and MPEG audio streams. As it listens, it dumps the images into a user-configured directory and/or displays them in a window as they are captured. In this article I will show you how to install and use Driftnet.
Installation
Fortunately, you will find Driftnet in the standard repositories for both Ubuntu and Fedora, so the installation is simple. Since you will be running Driftnet from the command line, let's install it the same way.
To install Driftnet in Ubuntu, follow these steps:
- Open up a terminal window.
- Issue the command:
sudo apt-get install driftnet
- Type your sudo password and hit Enter.
- Accept any dependencies necessary.
- Watch the installation complete.
- Keep the terminal window open for usage.
To install in Fedora, follow these steps:
- Open up a terminal window.
- Su to the root user.
- Type the root user password and hit Enter.
- Issue the command:
yum install driftnet
- Accept any dependencies necessary.
- Watch the installation complete.
- Keep the terminal window open for further usage.
You are now ready to begin using driftnet.
Usage
Driftnet needs administrative rights to run, so you will either be running it as root or using sudo (depending upon your distribution). The basic usage of Driftnet is:
driftnet OPTIONS
The common options you will use are:
- -i This determines the interface you want to listen on. If none is specified it will assume "all".
- -d This dictates the directory you want images to be saved into.
- -x The prefix you want to prepend to the images collected. This is handy when you need to add a date to all images collected.
- -a This will run Driftnet in adjunct mode where no image window is displayed (images are only collected in the defined directory).
Before you start using Driftnet, you need to create a directory that will collect the images. I just create a directory called ~/DRIFT for my image collection. Once you have that directory created you can fire up Driftnet like so:
sudo driftnet -d ~/DRIFT
When you issue this command Driftnet will open up a window (see Figure 1) and start collecting images. As you can see in Figure 1, I have googled "ubuntu wallpaper" and Driftnet captured those images. The capture happens very quickly, and as soon as you kill the Driftnet command the images will be wiped away.
A word of warning
Driftnet can consume a lot of your system resources. This is especially true when not running in adjunct mode.
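Putting the options above together, here is an added example (not part of the original article, and not code from the Driftnet project) that assembles an adjunct-mode command with an explicit interface, a capture directory only its owner can read, and a date prefix. The function names and the DRIFT_DRY_RUN variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: combine the -a, -i, -d and -x options described in the article.
# Function names and DRIFT_DRY_RUN are hypothetical, chosen for this example.

# Create the capture directory so only its owner can read the saved images.
prepare_capture_dir() {
    dir=$1
    [ -n "$dir" ] || { echo "capture directory required" >&2; return 1; }
    ( umask 077 && mkdir -p -- "$dir" ) || return 1
    chmod 700 -- "$dir"
}

# Print the driftnet command for interface $1 and existing directory $2.
# $3 is an optional date stamp for the -x prefix (defaults to today's date).
driftnet_cmd() {
    iface=$1 dir=$2 stamp=${3:-$(date +%Y-%m-%d)}
    # Reject anything that is not a plain name or path before it reaches sudo.
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "invalid interface name: '$iface'" >&2; return 2 ;;
    esac
    case $dir in
        ''|*[!A-Za-z0-9._/-]*) echo "unsupported directory path: '$dir'" >&2; return 3 ;;
    esac
    case $stamp in
        *[!0-9-]*) echo "invalid date stamp: '$stamp'" >&2; return 5 ;;
    esac
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 4; }
    # -a: adjunct mode (no window)  -i: interface  -d: directory  -x: file prefix
    printf 'driftnet -a -i %s -d %s -x %s_\n' "$iface" "$dir" "$stamp"
}

# Prepare the directory, then run the capture; with DRIFT_DRY_RUN=1 the
# command is only printed so it can be reviewed first.
run_capture() {
    prepare_capture_dir "$2" || return
    cmd=$(driftnet_cmd "$1" "$2" "$3") || return
    if [ "${DRIFT_DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$cmd"
    else
        # Word splitting is safe here: every value was validated above.
        sudo $cmd
    fi
}

# Usage (eth0 is a placeholder interface name):
#   DRIFT_DRY_RUN=1 run_capture eth0 "$HOME/DRIFT"
```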
Final thoughts
It's a slippery slope and can be considered an invasion of privacy. But when you need to see if an end user is viewing images that go against company policy, Driftnet will help you do so.
I know this is old and will never be read, but Mr. Obvious, that is incorrect due to the fact that on a *wifi* network you can see packets meant for other devices and therefore very easily quietly sniff away at the images there.
Use the -i command to get rid of the error.
Of course, a simple network switch renders driftnet useless, unless you can find a span port, you’re networking in 1992, all of your internet users are users on your box, or your box is a firewall/router.
Ettercap or some DNS trickery combined with a transparent squid setup will give you something more effective.
Sounds cool, but I get: driftnet: pcap_compile: syntax error