In this article, we will learn how to recover a media file from a Wireshark capture. Let us first understand the prerequisites for this activity.
Prerequisite:
We cannot take a random Wireshark capture and apply these steps blindly; the capture has to meet a few conditions.
- We should know that the capture contains video frames.
- The video must have been transferred over plaintext HTTP. Wireshark cannot show the payload of HTTPS traffic unless the TLS session keys are available to it (for example from a key log file), so an encrypted stream cannot be extracted with these steps.
- We should know the file type, for example an MPEG transport stream (".ts") or ".mpeg". If one extension does not play, another video extension may; many players probe the content rather than trusting the name.
- The capture should contain enough of the stream to yield a playable file.
Steps to Extract the Video File
Our capture is known to contain video streaming packets, and we can see both the HTTP requests for the stream and the TCP segments carrying it. So, as per the prerequisite list, we have a good chance of recovering a media file.
Here is the sniffer capture file:
Step 1: Find Out an Appropriate TCP Stream
Apply the "http" display filter in Wireshark so that only the HTTP frames are shown. Then, we can move forward.
Here is the output:
Here:
- Packet number 7 is an HTTP GET request. Here is the URL:
[Full request URI: http://line.protv.cc:8000/live/8f694e5c5f/c014c2c945/1026.ts]
- Packet number 11 is the HTTP reply, which says "HTTP 302 Found":
Status Code: 302 and File Data: 0 bytes
This is a redirect, so the frame carries no media data. These are not the frames we need; let us look at the next ones.
- Packet number 18 is another HTTP GET request frame, following the redirect to the new location:
[Full request URI [truncated]: http://82.199.136.35:8080/live/8f694e5c5f/c014c2c945/1026.tstoken=TkBaBUdbFV8QAAVeBwAKAldbUVVUV1ADUwZXUwRQAwQHB1ZcBAtWAQYSShoVQEFRUFQ8XwIUCVBVB1BJEEZCBEc9WwAWCRVXBgVVDV/nIWHxZFUA5TRAwCVFwCX1YHAwFTGUBCDVARDUcAA]
Note that the stream's access token travels in the cleartext URL, so anyone able to capture this traffic can read it. In this frame's Transmission Control Protocol section, the Source Port is 44940 and the Destination Port is 8080.
Now, remove the "http" filter in Wireshark. The TCP frames that follow between the same two ports (44940 and 8080) belong to this connection, and their segments carry the stream data we are after.
Step 2: Follow the TCP Stream
Now, right-click on frame number 18 and choose Follow > TCP Stream.
Step 3: TCP Stream Window
A new window opens on top of the main Wireshark window, as in the following screenshot:
Notice that Wireshark has also applied the display filter "tcp.stream eq 2" in the main window behind it.
Now, let us go back to the front window.
Step 4: ASCII to RAW
In this window, "Show data as" is set to "ASCII". Change it to "Raw". Also change the direction selector, which defaults to the entire conversation, so that only the server-to-client direction (82.199.136.35:8080 to the client) is shown; otherwise the client's GET request bytes would be mixed into the saved file. The saved data still begins with the HTTP response headers. Players that resynchronise on the MPEG-TS sync byte (0x47) tolerate this leading header; for other container formats you may have to strip the header block, up to and including the blank line, with a hex editor before the file will play.
After selecting “RAW”, here is the output:
Step 5: Save the RAW File
Click "Save as" and save the raw content with a file name and a video extension, for example "video.mpeg". Since the URL ends in ".ts", the payload is an MPEG transport stream, so "video.ts" is the more accurate name.
Close the Follow TCP Stream window; it is no longer required.
Step 6: Play the Video
Go to the saved location and play the video in KMPlayer (the player we used). It plays without any error: a football match between INT and SHK.
Here is the screenshot:
This means that we successfully extracted the video from the Wireshark capture.
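The six steps above, as an added example that is not part of the original article: a pure-Python script that reassembles one TCP stream from a pcap and carves out the HTTP body, which is what Follow TCP Stream > Raw > Save As does by hand. It selects a single direction (server to client) the way the Follow dialog's direction selector does, reorders segments captured out of order, drops retransmissions, and checks that the result is an MPEG transport stream by looking for the 0x47 sync byte every 188 bytes. The capture it parses is constructed inline: the client address, the first server's address and its redirect response are invented for the example, while the server 82.199.136.35:8080 and client port 44940 come from the article. It only understands classic pcap files with Ethernet/IPv4/TCP frames.

```python
"""Programmatic equivalent of Follow TCP Stream > Raw > Save As for a captured
HTTP video download, plus a check that the payload is an MPEG transport stream."""
import struct

TS_SYNC, TS_PACKET = 0x47, 188


def iter_pcap_frames(data):
    """Yield link-layer frames from a classic pcap byte string (pcapng not handled)."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ip = frame[14:14 + struct.unpack("!H", frame[16:18])[0]]
    tcp = ip[(ip[0] & 0x0F) * 4:]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return ip[12:16], sport, ip[16:20], dport, seq, tcp[(tcp[12] >> 4) * 4:]


def follow_stream(pcap, server_ip, server_port):
    """Reassemble the server->client half of one connection by sequence number, like
    Follow TCP Stream with a single direction selected. 32-bit seq wrap is not handled."""
    segments = {}
    for frame in iter_pcap_frames(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        src, sport, _dst, _dport, seq, payload = parsed
        if src == server_ip and sport == server_port and payload:
            segments.setdefault(seq, payload)  # first copy wins; drops retransmissions
    out, expected = bytearray(), None
    for seq in sorted(segments):  # puts segments captured out of order back in sequence
        payload = segments[seq]
        if expected is not None and seq < expected:
            payload = payload[expected - seq:]  # trim overlap with the previous segment
        out += payload
        expected = seq + len(segments[seq])
    return bytes(out)


def carve_http_body(stream):
    """Drop the HTTP response header block, which Wireshark's Save As keeps in the file."""
    end = stream.find(b"\r\n\r\n")
    return stream if end < 0 else stream[end + 4:]


def ts_sync_offset(data):
    """Offset of the first 188-byte-aligned run of 0x47 sync bytes, or -1 if none."""
    for off in range(TS_PACKET):
        n = (len(data) - off) // TS_PACKET
        if n > 0 and all(data[off + k * TS_PACKET] == TS_SYNC for k in range(n)):
            return off
    return -1


def build_frame(src, sport, dst, dport, seq, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums stay zero since parse_tcp ignores them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst) + tcp
    return bytes(12) + b"\x08\x00" + ip


def sample_capture():
    """Constructed pcap: a 302 from an invented first server, then the redirected GET whose
    .ts reply arrives out of order with one retransmitted segment. Returns (pcap, response)."""
    client, srv1, srv2 = bytes([192, 168, 1, 10]), bytes([10, 0, 0, 5]), bytes([82, 199, 136, 35])
    ts = b"".join(bytes([TS_SYNC, 0x40, i, 0x10]) + bytes([i]) * 184 for i in range(3))
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: video/mp2t\r\n\r\n" + ts
    frames = [build_frame(client, 44939, srv1, 8000, 1, b"GET /live/1026.ts HTTP/1.1\r\n\r\n"),
              build_frame(srv1, 8000, client, 44939, 1, b"HTTP/1.1 302 Found\r\nLocation: x\r\n\r\n"),
              build_frame(client, 44940, srv2, 8080, 1, b"GET /live/1026.ts?token=... HTTP/1.1\r\n\r\n")]
    segs = [(5000 + i, resp[i:i + 200]) for i in range(0, len(resp), 200)]
    segs[1], segs[2] = segs[2], segs[1]  # out of order on the wire
    segs.append(segs[0])                 # retransmission of the first segment
    frames += [build_frame(srv2, 8080, client, 44940, s, c) for s, c in segs]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, n, len(f), len(f)) + f for n, f in enumerate(frames))
    return hdr + recs, resp


def extract_video(pcap, server_ip, server_port):
    """Follow the chosen stream, strip the HTTP headers, return (body, sync offset)."""
    body = carve_http_body(follow_stream(pcap, server_ip, server_port))
    return body, ts_sync_offset(body)


if __name__ == "__main__":
    pcap, _ = sample_capture()
    body, sync = extract_video(pcap, bytes([82, 199, 136, 35]), 8080)
    with open("video.ts", "wb") as f:
        f.write(body)
    print(f"wrote {len(body)} bytes, MPEG-TS sync at offset {sync}")
```

To use it on a real capture, read the file into `pcap` and pass the server address and port identified in Step 1; picking the first server (the one that answered 302) yields an empty body and a sync offset of -1, which is the programmatic version of "these are not the required frames". A non-negative sync offset on the unstripped stream shows why the saved file plays even with the HTTP headers in front of it.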
Conclusion
This is how we can extract a video, including a live stream, from a Wireshark capture. The same Follow TCP Stream and save-as-raw steps apply to any file transferred over plaintext HTTP, so they can be reused on other captures to recover other types of data.