How to extract live video file from Wireshark Capture?
We have a capture file that contains a live video stream (.mpeg format). The stream is carried as TCP data over an HTTP connection. Let’s see how to extract the live video from that TCP data using Wireshark.
Download the capture from here.
Open the capture in Wireshark.
We need to find the appropriate TCP stream or HTTP frame. After applying the “http” display filter in Wireshark, only 3 packets are shown.
Packet number 7 is an HTTP GET and packet number 11 is the HTTP reply, so this is not the HTTP exchange we are looking for. We should see many TCP data packets after the HTTP GET.
Now if we select packet number 18 (HTTP GET), we can see that the TCP source port is 44940 and the destination port is 8080. The same ports are used for the subsequent TCP frames in the capture, so frame 18 is the frame we are looking for.
Note: We can use Follow TCP Stream on either an HTTP frame or a TCP frame.
Now follow the steps below:
b. A new window opens.
c. Select Raw->Save as.
Note: Wait for Wireshark to finish processing all packets into raw data.
d. Give the file a name with a known extension [Must]. Here the extension is .mpeg.
e. Now go to live.mpeg and play it with KMPlayer or another supported player.
One observation: the “tcp.stream eq 2” filter was applied in the Wireshark main window when “follow TCP stream” was clicked.
This is one working method to extract a live video file from Wireshark. The process may not work if the connection is HTTPS or if any frame is missing. But still, we got something new, right? ☺
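The raw data saved from the stream is the TCP payload, so the file starts with the HTTP headers (and the GET request, when the whole conversation is saved) before the video bytes. The Python below is an added example, not part of the original post: it carves the response body out of such a dump, undoes chunked transfer encoding if the server used it (an assumption, the capture may not), and checks the MPEG start bytes. The function names and the sample bytes are constructed for illustration.

```python
import re

MPEG_PS_PACK = b"\x00\x00\x01\xba"  # MPEG program stream pack start code
TS_SYNC, TS_PACKET = 0x47, 188      # MPEG transport stream sync byte, packet size

def dechunk(body: bytes) -> bytes:
    """Undo HTTP chunked transfer encoding; stop cleanly if the capture is truncated."""
    out, pos = bytearray(), 0
    while (eol := body.find(b"\r\n", pos)) >= 0:
        try:
            size = int(body[pos:eol].split(b";")[0], 16)
        except ValueError:
            break                      # not a chunk-size line: damaged or missing data
        if size == 0:
            break                      # terminating chunk
        out += body[eol + 2:eol + 2 + size]
        pos = eol + 2 + size + 2       # skip chunk data and its trailing CRLF
    return bytes(out)

def carve_body(raw: bytes) -> bytes:
    """Return the body of the first HTTP response found in a raw stream dump."""
    status = re.search(rb"^HTTP/1\.[01] \d{3}", raw, re.M)
    if not status:
        raise ValueError("no HTTP response status line found")
    end = raw.find(b"\r\n\r\n", status.start())
    if end < 0:
        raise ValueError("response headers are incomplete")
    headers = raw[status.start():end].lower()
    body = raw[end + 4:]
    if re.search(rb"^transfer-encoding:[^\r\n]*chunked", headers, re.M):
        return dechunk(body)
    return body

def container(body: bytes) -> str:
    """Identify the video container from its leading bytes."""
    if body.startswith(MPEG_PS_PACK):
        return "mpeg-ps"
    if len(body) > TS_PACKET and body[0] == TS_SYNC and body[TS_PACKET] == TS_SYNC:
        return "mpeg-ts"
    return "unknown"

# Constructed sample: a GET request followed by a chunked response carrying 8 bytes.
SAMPLE = (b"GET /live HTTP/1.1\r\nHost: example.test:8080\r\n\r\n"
          b"HTTP/1.1 200 OK\r\nContent-Type: video/mpeg\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          b"4\r\n\x00\x00\x01\xba\r\n4\r\nDATA\r\n0\r\n\r\n")

if __name__ == "__main__":
    video = carve_body(SAMPLE)
    print(container(video), len(video))
```

To use it on a real dump, read the saved file in binary mode, pass the bytes to `carve_body`, and write the result to a new file before playing it.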