Capturing Videos Using Wireshark


hackmeifyoucan

Hi,

I just found an interesting video at the BBC's news page. Since the vid will probably be gone soon, I was wondering if it could be downloaded. Of course there was no download option and I couldn't just copy it from the Firefox cache. I could not use one of the standard video download tools with Firefox either.

That got me thinking if it was possible to do it with Wireshark. I did a Google search and found that: http://www.kuro5hin.org/story/2008/1/1/211742/0546 (that's from 2008!!)

So does anyone know how to do it?

Cheers

hackmeifyoucan

Link to comment
Share on other sites

It's possible, but it depends on how it's delivered. Much easier if you can just parse the pcap and look for signs of the hard file, such as ending in .mp4, .flv, etc. Some videos won't even have extensions but will still have a link, possibly ending in just a hash string after the URL's trailing /

If it's an RTSP stream, you need some form of stream recorder that can recognize the streamed format.

Link to comment
Share on other sites

If it's a Flash video, just download FlashGot, an extension for Firefox that will download the vid for you.

Link to comment
Share on other sites

For the quick way, use one of the methods posted above, but if you are like me and like sifting through packets, then open Wireshark and start searching. Generally, I close all other apps and browser tabs, and just leave the page open that has the video I want (or song, works on MP3s as well).

Then, while Wireshark is running, I restart it so it's got a clean pcap. Then refresh the website with the video. If there is an ad, watch the ad all the way through, as the link for the main vid might not show up until after the ad is done playing. Once your video starts playing a bit, stop the capture.

Now hit CTRL+F and bring up the search dialog box. You will have three options to choose from. Click the radio button for string, and then look for .flv. If the video is in native Flash FLV format, you should get a hit. Include the period in the search as well. If nothing is found, move on to the next search, using .mp4. MP4 files are used in a lot of places these days, and can be streamed directly through Flash without needing to be converted to .flv first, so this is also a good one to check for. If either of those searches produces a hit, it will highlight the packet it first sees that phrase in. Right click this packet and do a "Follow TCP Stream". In here, you will see both the HTTP GET requests, as well as the output. What you want to do now is look for the GET request that ends in .flv or .mp4. Copy the GET request partial URL, as well as the host name. Something similar to the following:

GET /somepath/blah/somefile.flv HTTP/1.1
User-Agent: Mozilla 5.0
Host: www.somesite.com
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/webp, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1

You can then construct the URL and paste it into your browser. Not every site will show you this in the source code of the site itself. It's often obfuscated in some manner, and might throw you off by pointing to something like ?fileID=112908109289 or just a hash name variable that the page pulls server-side and returns to the user without seeing the actual file URL.

A reconstructed URL from the above example would be "http://www.somesite.com/somepath/blah/somefile.flv"

Now, some sites might not have file name extensions at all and might just point to a hash or string of some manner. For this, they often have XML files as well describing the links, so you can also search the packets for any XML playlists which contain the path and string that you can then pop in the address bar of your browser, and spit out the file.

Again, if these are any type of stream format, like RTSP, you will need a stream recorder that can capture the video and write to file on the fly. You would also have to watch the entire video to download it if that is the case. Some programs can even reconstruct them from the raw pcaps, such as NetworkMiner, but usually only when they have a file extension that it can recognize. http://www.netresec.com/?page=NetworkMiner

Link to comment
Share on other sites
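
The manual step from the post above (find the GET request ending in .flv or .mp4, then join it with the Host header), as an added example that is not part of the original thread. The stream text is a constructed sample of a "Follow TCP Stream" dump, and `media_urls`, the hosts and the paths are made-up names.

```python
import re
from urllib.parse import urlsplit

MEDIA_EXTS = (".flv", ".mp4")  # the two extensions the post searches for

# Constructed sample of a "Follow TCP Stream" dump (hosts and paths are made up).
SAMPLE_STREAM = (
    "GET /somepath/blah/player.swf HTTP/1.1\r\n"
    "Host: www.somesite.com\r\n"
    "\r\n"
    "HTTP/1.1 200 OK\r\n"
    "\r\n"
    "GET /somepath/blah/somefile.flv?start=0 HTTP/1.1\r\n"
    "User-Agent: Mozilla 5.0\r\n"
    "host: www.somesite.com\r\n"
    "\r\n"
    "GET http://cdn.example.net/v/clip.MP4 HTTP/1.1\r\n"
    "Host: cdn.example.net\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^GET (\S+) HTTP/1\.[01]$")

def media_urls(stream_text, scheme="http"):
    """Return URLs of GET requests whose path ends in a media extension."""
    urls = []
    lines = stream_text.splitlines()
    for i, line in enumerate(lines):
        m = REQUEST_LINE.match(line)
        if not m:
            continue  # response lines, headers and body text are skipped
        target = m.group(1)
        # Header names are case-insensitive; read until the blank line.
        host = None
        for header in lines[i + 1:]:
            if not header:
                break
            name, _, value = header.partition(":")
            if name.strip().lower() == "host":
                host = value.strip()
        # Absolute-form targets (seen via proxies) already carry the host.
        url = target if "://" in target else (f"{scheme}://{host}{target}" if host else None)
        # Test the extension on the path only, so a query string does not hide it.
        if url and urlsplit(url).path.lower().endswith(MEDIA_EXTS):
            urls.append(url)
    return urls

if __name__ == "__main__":
    print("\n".join(media_urls(SAMPLE_STREAM)))
```
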

Can you link to the video you want though? Want to see if I can get it. Might not; I don't live in the UK, and know they might geo-IP block me. Don't have a VPN or proxy in the UK either, but still worth a shot.

Link to comment
Share on other sites

@Hackmeifyoucan,

Found this thread quite interesting, I thought you might like it

http://streemeboxvcr.yuku.com/topic/2238

Link to comment
Share on other sites

Can you link to the video you want though? Want to see if I can get it. Might not; I don't live in the UK, and know they might geo-IP block me. Don't have a VPN or proxy in the UK either, but still worth a shot.

Well I don't live in the UK either, but the video is accessible worldwide.

I have posted the link already, but here it is again: http://www.bbc.co.uk/news/uk-14458424

Meanwhile the same video is available on YouTube, but I am curious if it can be done to get it directly from the BBC.

Cheers

Hackmeifyoucan

Link to comment
Share on other sites

@Hackmeifyoucan,

Found this thread quite interesting, I thought you might like it

http://streemeboxvcr.yuku.com/topic/2238

Hi Infiltrator,

I am a regular user of get-iplayer and have been for some time. I wrote a little bash script to make things a little more comfortable (since I need to use a proxy).

Thanx anyway

Hackmeifyoucan

BTW: Why is there no option to edit one's posting? Now I had to post twice!?

[Edit] And now there is one, very strange! [/Edit]

Edited by hackmeifyoucan
Link to comment
Share on other sites

Wow you did it! I must say I am impressed. (I tried but didn't quite manage)

Did you use rtmpdump? If so how did you put the URL together?

Hackmeifyoucan

All from Wireshark, found the URL of the MP4, downloaded file via my browser.

Link to comment
Share on other sites
