Driftnet

API Documentation

Scan Content

Overview

For HTTP responses, full retrieved bodies are available from the scan/protocols/body endpoint.

Enterprise users can also search HTTP bodies, via the same API endpoint.

Content retrieval

To retrieve a specific scan body, find the item with type obj-sha1 in the results of a scan/protocols call. Take the value of this item and the date on which it was seen, and then call:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/protocols/body?hash=9b523c5bbf7416334bd46f2d5463e6830a58d795&date=2019-05-13' \
  | jq -rc '.results[0].body' | base64 -d \
  | less -S
Example Response
<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">
<TITLE>302 Moved</TITLE></HEAD><BODY>
<H1>302 Moved</H1>
The document has moved
<A HREF="https://dns.google/en/">here</A>.
</BODY></HTML>

The result from the API is returned base64-encoded; the example assumes that you have the GNU base64 utility installed. On Mac, use base64 -D instead of base64 -d.

Content searches

Enterprise users can search for specific strings within the content:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/protocols/body?query=STUNNEL' \
  | jq . \
  | less -S
Example Response
{
  "page": 0,
  "pages": 15,
  "result_count": 1499,
  "results": [
    {
      "body": "PCFET0NUWVBFIGh0bWwgUFVCTElDICItLy9XM0Mv...",
      "hash": "9df069d39ed8f4d7487b79c44ef0ef87e7af9809"
    },
    ...

For technical reasons, content searches are limited to strings that occur outside HTML tags. This means that you cannot usually search for snippets of page JavaScript and the like. However! The Driftnet collection system does include an advanced regex-based collection-time tagging system, which can be used to extract specific patterns from anywhere in the content. If you have something interesting that you would like to look for, then just drop us a line and we'll likely add it.

The scan/protocols/body endpoint also supports the from= / to=, prefix= and slop= qualifiers. These work exactly as described in the Internet Scans section.

If you find something interesting in the body search, and you want to retrieve data on the IP/port pairs where it was found, you can perform a scan/protocols search for the extracted hash. For example, to find the STUNNEL results that we searched for above:

Example Request
curl -s -H 'Authorization: Bearer <your-api-token>' \
     'https://api.driftnet.io/v1/scan/protocols?keyword=obj-sha1:9df069d39ed8f4d7487b79c44ef0ef87e7af9809' \
  | jq . \
  | less -S
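The three steps above (retrieve a body by obj-sha1 and date, search bodies for a string, pivot the matched hash back through scan/protocols) as a small Python client. This is an added example, not Driftnet's own client code: it uses only the endpoints, parameters and response fields shown in the curl examples. Two things are assumptions rather than documented behaviour: the `fetch` hook and the constructed sample replies exist only so the workflow can run offline, and the `sha1_matches` check assumes that obj-sha1 is the SHA-1 of the raw body bytes.

```python
"""Walk the scan/protocols/body workflow: retrieve a body by obj-sha1 and
date, decode it, search bodies for a string, and pivot back to
scan/protocols on the matched hash.  Added example, not Driftnet's own
client; it uses only the endpoints, parameters and response fields shown
in the curl examples, plus the assumptions flagged in comments below."""
import base64
import hashlib
import json
import urllib.parse
import urllib.request

API = "https://api.driftnet.io/v1"


def http_fetch(url, token):
    """Default transport: GET `url` with the Bearer token and parse the JSON reply."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def body_url(obj_sha1, date):
    """Retrieval URL: the obj-sha1 value from scan/protocols plus the date it was seen."""
    return f"{API}/scan/protocols/body?" + urllib.parse.urlencode(
        {"hash": obj_sha1, "date": date})


def search_url(query):
    """Enterprise content search on the same endpoint (query= parameter)."""
    return f"{API}/scan/protocols/body?" + urllib.parse.urlencode({"query": query})


def pivot_url(obj_sha1):
    """scan/protocols search for the IP/port pairs where a given body was seen."""
    return f"{API}/scan/protocols?" + urllib.parse.urlencode(
        {"keyword": f"obj-sha1:{obj_sha1}"}, safe=":")


def decode_body(result):
    """Bodies come back base64-encoded; this is the `base64 -d` step of the curl pipeline."""
    return base64.b64decode(result["body"])


def sha1_matches(result):
    """Consistency check.  Assumption (not stated on the page): obj-sha1 is the
    SHA-1 of the raw body bytes.  If that holds, a mismatch means the decoded
    body is not the object that was asked for."""
    return hashlib.sha1(decode_body(result)).hexdigest() == result["hash"].lower()


def fetch_body(obj_sha1, date, token, fetch=http_fetch):
    """Retrieve and decode one body; raises LookupError if the API returned no result."""
    data = fetch(body_url(obj_sha1, date), token)
    if not data.get("results"):
        raise LookupError(f"no body for {obj_sha1} on {date}")
    return decode_body(data["results"][0])


def search_hashes(query, token, fetch=http_fetch):
    """Content search; returns the distinct obj-sha1 hashes that matched, so each
    one can be pivoted through scan/protocols to find the IP/port pairs."""
    data = fetch(search_url(query), token)
    return sorted({r["hash"] for r in data["results"]})


# Constructed sample replies shaped like the page's example responses, so the
# workflow can be exercised offline through the `fetch` hook.
_SAMPLE_BODY = (b"<HTML><HEAD><TITLE>302 Moved</TITLE></HEAD><BODY>\n"
                b"<H1>302 Moved</H1>\nThe document has moved\n"
                b'<A HREF="https://dns.google/en/">here</A>.\n</BODY></HTML>\n')
_SAMPLE_REPLIES = {
    body_url("9b523c5bbf7416334bd46f2d5463e6830a58d795", "2019-05-13"): {
        "results": [{"body": base64.b64encode(_SAMPLE_BODY).decode(),
                     "hash": "9b523c5bbf7416334bd46f2d5463e6830a58d795"}]},
    body_url("0000000000000000000000000000000000000000", "2019-05-13"): {
        "results": []},  # constructed: a hash/date pair with no stored body
    search_url("STUNNEL"): {
        "page": 0, "pages": 15, "result_count": 1499,
        "results": [{"body": base64.b64encode(b"... STUNNEL ...").decode(),
                     "hash": "9df069d39ed8f4d7487b79c44ef0ef87e7af9809"},
                    {"body": base64.b64encode(b"... stunnel again ...").decode(),
                     "hash": "9df069d39ed8f4d7487b79c44ef0ef87e7af9809"}]},
}


def sample_fetch(url, token):
    """Offline stand-in for http_fetch that serves the constructed replies above."""
    if url not in _SAMPLE_REPLIES:
        raise LookupError(f"no sample reply for {url}")
    return _SAMPLE_REPLIES[url]


if __name__ == "__main__":
    tok = "<your-api-token>"  # placeholder; set a real token and drop fetch=sample_fetch to go live
    print(fetch_body("9b523c5bbf7416334bd46f2d5463e6830a58d795", "2019-05-13", tok,
                     fetch=sample_fetch).decode())
    for h in search_hashes("STUNNEL", tok, fetch=sample_fetch):
        print("pivot:", pivot_url(h))
```

The `fetch` parameter defaults to a live urllib transport; passing `sample_fetch` instead replays the constructed replies, which is how the script can be run before an Enterprise token is available. `search_hashes` deduplicates because a search page can contain several results sharing one obj-sha1, and each distinct hash needs only one scan/protocols pivot.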