Driftnet command tutorial and examples

Sniffing consists of intercepting packets as they cross a network in order to read their content. On a shared network, intercepting the traffic is easy with a sniffer. That is why protocol encryption such as HTTPS is so important: when traffic is unencrypted, even credentials travel in plain text and can be intercepted by attackers.

This tutorial focuses on intercepting media, specifically images, using the Driftnet sniffer. As you will see, it is only possible to capture images travelling over unencrypted protocols such as HTTP rather than HTTPS, including unprotected images within sites protected with SSL (insecure elements).

The first part shows how to work with Driftnet and Ettercap and the second part combines Driftnet with ArpSpoof.

Using Driftnet to capture images with Ettercap:

Ettercap is a suite of tools for carrying out MiM (Man in the Middle) attacks, with support for active and passive dissection of protocols. It supports plugins to add features, and works by setting the interface in promiscuous mode and ARP poisoning.

To begin, on Debian and Debian-based Linux distributions, run the following command to install Ettercap:

# apt install ettercap-graphical -y

Now install Wireshark by running:

# apt install wireshark -y

During the installation process, Wireshark will ask whether non-root users should be able to capture packets. Make your choice and press ENTER to continue.

Finally, to install Driftnet using apt, run:

# apt install driftnet -y

Once all the software is installed, you need to enable IP forwarding so that the target's connection is not interrupted. Run the following command:

# echo "1" > /proc/sys/net/ipv4/ip_forward

Check that IP forwarding was properly enabled by executing:

# cat /proc/sys/net/ipv4/ip_forward

Then launch Ettercap:

# ettercap -Tqi enp2s0 -M arp:remote ////

Ettercap will start scanning all hosts.

While Ettercap scans the network run driftnet using the -i flag to specify the interface as in the following example:

# driftnet -i enp2s0

Driftnet will open a black window in which images will appear:

If images aren’t displayed even when other devices load images over unencrypted protocols, check again that IP forwarding is properly enabled and then launch Driftnet:

Driftnet will start showing images:

By default, intercepted images are saved inside the /tmp directory with the prefix “driftnet”. By adding the -d flag you can specify a destination directory; in the following example I save the results inside a directory called linuxhinttmp:

# driftnet -d linuxhinttmp -i enp2s0

You can check inside the directory and you will find the results:

Using Driftnet to capture images with ArpSpoofing:

ArpSpoof is a tool included in the Dsniff suite. The Dsniff suite includes tools for network analysis, packet capture and specific attacks against specified services. The entire suite includes: arpspoof, dnsspoof, tcpkill, filesnarf, mailsnarf, tcpnice, urlsnarf, webspy, sshmitm, msgsnarf, macof, etc.

While in the previous example the captured images belonged to random targets, in the current example I will attack the device with IP In this case the process combines an ARP attack forging the real gateway address, making the victim believe we are the gateway; this is another classic example of a “Man In the Middle Attack”.

To begin, on Debian or Debian-based Linux distributions, install the Dsniff package through apt by running:

# apt install dsniff -y

Enable IP forwarding by executing:

# echo "1" > /proc/sys/net/ipv4/ip_forward

Run ArpSpoof, defining the interface with the -i flag, then define the gateway and target after the -t flag:

# sudo arpspoof -i wlp3s0 -t

Now launch Driftnet by running:

# driftnet -i wlp3s0

How to get protected against sniffing attacks

Intercepting traffic is pretty easy with any sniffing program; any user without prior knowledge but with detailed instructions like the ones in this tutorial can carry out an attack that intercepts private information.

While capturing traffic is easy, encrypting it is easy too, so that when captured it remains unreadable to the attacker. The proper way to prevent such attacks is to keep to safe protocols like HTTPS, SSH and SFTP, and to refuse to work through insecure protocols unless you are within a VPN or a safe protocol with endpoint authentication to prevent address forgery.

Configuration must be done properly: with software like Driftnet you are still able to steal media from SSL-protected sites if the specific element travels through an insecure protocol.
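The following check for such insecure elements is an added example, not part of the original tutorial: it lists the images and other subresources that a page served over HTTPS still loads over plain HTTP. The page URL, host names and HTML are constructed sample data.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attributes that make the browser fetch a subresource.
FETCH_ATTRS = {
    "img": ("src", "srcset"),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "script": ("src",),
    "iframe": ("src",),
}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []  # (tag, absolute URL) pairs fetched over http://

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS.get(tag, ()) or not value:
                continue
            # srcset is a comma-separated list of "URL descriptor" candidates.
            candidates = value.split(",") if name == "srcset" else [value]
            for candidate in candidates:
                parts = candidate.split()
                if not parts:
                    continue
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, parts[0])
                if urlparse(url).scheme == "http":
                    self.insecure.append((tag, url))

def find_mixed_content(page_url, html):
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    return finder.insecure

# Constructed sample page, assumed to be served from PAGE_URL.
PAGE_URL = "https://shop.example.test/cart"
SAMPLE_HTML = """<html><body>
<img src="/static/logo.png">
<img src="http://img.example.test/banner.jpg">
<img src="//cdn.example.test/a.png" srcset="http://img.example.test/a-2x.png 2x, /a-1x.png 1x">
<script src="https://cdn.example.test/app.js"></script>
<video poster="http://media.example.test/poster.jpg"></video>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(PAGE_URL, SAMPLE_HTML):
        print(f"insecure <{tag}>: {url}")
```

Every URL it reports is one that a sniffer on the same network could still read, even though the page itself is encrypted.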

Complex organizations or individuals in need of security assurance can rely on Intrusion Detection Systems with capability to analyze packets detecting anomalies.
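One anomaly such a system can look for is the trace ARP poisoning leaves in a victim's neighbour table: the same MAC address answering for both the gateway and another host. The check below is an added example, not part of the original tutorial; it parses `ip neigh show` output, and the table and addresses in it are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# One IPv4 entry of `ip neigh show`: "<ip> dev <iface> lladdr <mac> <state>".
# Entries without lladdr (FAILED/INCOMPLETE) and IPv6 entries are skipped.
NEIGH_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3}) dev (\S+) "
    r"lladdr ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\b"
)

def find_shared_macs(neigh_output, gateway_ip=None):
    """Return (iface, mac, [ips], gateway_involved) for every MAC address
    that answers for more than one IPv4 address on the same interface."""
    claims = defaultdict(set)
    for line in neigh_output.splitlines():
        match = NEIGH_RE.match(line.strip())
        if match:
            ip, iface, mac = match.groups()
            claims[(iface, mac.lower())].add(ip)
    findings = []
    for (iface, mac), ips in sorted(claims.items()):
        if len(ips) > 1:
            ordered = sorted(ips, key=ipaddress.ip_address)
            findings.append((iface, mac, ordered, gateway_ip in ips))
    return findings

# Constructed neighbour table: the gateway 192.168.0.1 and the host
# 192.168.0.9 resolve to the same MAC address.
SAMPLE_NEIGH = """\
192.168.0.1 dev wlp3s0 lladdr 08:00:27:aa:bb:cc REACHABLE
192.168.0.9 dev wlp3s0 lladdr 08:00:27:AA:BB:CC STALE
192.168.0.12 dev wlp3s0 lladdr 52:54:00:12:34:56 REACHABLE
192.168.0.20 dev wlp3s0  FAILED
fe80::1 dev wlp3s0 lladdr 08:00:27:11:22:33 router STALE
"""

if __name__ == "__main__":
    for iface, mac, ips, gw in find_shared_macs(SAMPLE_NEIGH, "192.168.0.1"):
        note = " (includes the gateway)" if gw else ""
        print(f"{iface}: {mac} claims {', '.join(ips)}{note}")
```

A shared MAC is not always an attack (multi-homed hosts and proxy ARP produce it too), so treat a finding that involves the gateway as the one to investigate first.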


All software listed in this tutorial is included by default in Kali Linux, the main hacking Linux distribution, and in the Debian and derived repositories. Carrying out a sniffing attack targeting media like the attacks shown above is really easy and takes minutes. The main obstacle is that it is only useful against unencrypted protocols, which aren’t widely used anymore. Both Ettercap and the Dsniff suite, which contains Arpspoof, have a lot of additional features and uses which were not explained in this tutorial and deserve your attention. Their applications range from sniffing images to complex attacks involving authentication and credentials, like Ettercap when sniffing credentials for services such as TELNET, FTP, POP, IMAP, rlogin, SSH1, SMB, MySQL, HTTP, NNTP, X11, IRC, RIP, BGP, SOCKS 5, IMAP 4, VNC, LDAP, NFS, SNMP, MSN, YMSG or Monkey in the Middle of dSniff (https://linux.die.net/man/8/sshmitm).

I hope you found this Driftnet command tutorial and examples useful.
