How to Extract a Video from Wireshark Capture

As we know, Wireshark is a very useful open-source networking tool, and there are many ways to use it. One of them is to recover files (media, binaries, HTTP objects, GIF, PNG, text files, etc.) from captured packets. The idea is simple: some data is sent over the network and the packets are captured in Wireshark. By reversing the process, we can reassemble the same data that went over the wire.

In this article, we will learn how we can get back any media file from Wireshark capture. Let us first understand the prerequisite for this activity.

Prerequisites:

There are some prerequisites for this, because we cannot take a random Wireshark capture and simply apply the same steps to extract a media file.

  1. We should know that some video frames are present in the capture file.
  2. They have to be HTTP frames. We are not sure whether this works for HTTPS, since the HTTPS payload cannot be read without decrypting the SSL/TLS session.
  3. We should also know the file extension, for example “.mpeg”. Otherwise, we can try another video extension, which may also work.
  4. The capture should contain enough packets to hold the data or media file.

Steps to Extract the Video File

In our capture, we already know that there are video streaming packets. We can also see the video stream HTTP packets over TCP in the capture file. So, according to the prerequisite list, we have a good chance of recovering a media file.

Here is the sniffer capture file:

Step 1: Find Out an Appropriate TCP Stream
Let us use the “http” filter in Wireshark to get all http frames. Then, we can move forward.

Here is the output:

Step 2: Follow the TCP Stream
Now, right-click on frame number 18, click on Follow, and then click on TCP Stream.

Step 3: TCP Stream Window
We will see one new window on top of the actual Wireshark window like in the following screenshot:

We also notice that a “tcp.stream eq 2” filter has been applied on the main Wireshark window behind it.

Now, let us go back to the front window.

Step 4: ASCII to RAW
In this window, “Show data as” is set to “ASCII”. We need to change this to “RAW”.

After selecting “RAW”, here is the output:

Step 5: Save the RAW File
Save this RAW content to the system under a file name with an extension by clicking “Save as”. An example of a file name with extension: “video.mpeg”.

Close the front Wireshark window. It is no longer needed.

Step 6: Play the Video
Go to that location and play the video in KMPlayer (the media player we used). It plays without any error. It's a football match between INT and SHK.

Here is the screenshot:

This means that we successfully extracted the video from Wireshark packets.
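As an added example, not part of the original article, here is a small Python script that does offline what the “RAW” and “Save as” steps do by hand. It assumes the bytes are the server-to-client direction of the followed stream only (selected in the conversation dropdown of the Follow window), uses constructed sample bytes in place of a real capture, and covers two things the manual steps gloss over: the HTTP response headers must be stripped before the file is playable, and the Content-Type header tells you the extension instead of guessing; chunked and truncated responses are handled too.

```python
import re

# Extension taken from the Content-Type header, instead of the article's trial-and-error
EXTENSIONS = {"video/mpeg": ".mpeg", "video/mp4": ".mp4", "video/webm": ".webm"}

def parse_response(stream: bytes):
    """Split the server->client half of a stream into (status line, headers, raw body)."""
    sep = stream.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("no end of HTTP headers; is this the server->client direction?")
    head = stream[:sep].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers, stream[sep + 4:]

def dechunk(data: bytes):
    """Decode a chunked body; returns (payload, complete), tolerating a truncated capture."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False      # chunk-size line missing: capture stopped early
        size = int(data[pos:eol].split(b";")[0], 16)
        if size == 0:
            return bytes(out), True       # last-chunk marker seen: body is complete
        pos = eol + 2
        out += data[pos:pos + size]
        pos += size + 2                   # skip the chunk data and its trailing CRLF

def extract_media(stream: bytes):
    """Return (extension, media bytes, complete) for one followed TCP stream."""
    status, headers, body = parse_response(stream)
    if not re.match(r"HTTP/1\.[01] 200 ", status):
        raise ValueError(f"not a 200 response: {status!r}")
    if headers.get("transfer-encoding", "").lower() == "chunked":
        body, complete = dechunk(body)
    else:
        declared = int(headers.get("content-length", len(body)))
        body, complete = body[:declared], len(body) >= declared
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    return EXTENSIONS.get(media_type, ".bin"), body, complete

# Constructed samples standing in for the bytes Wireshark's "Raw" view would save.
SAMPLE_MPEG = (b"HTTP/1.1 200 OK\r\nContent-Type: video/mpeg\r\nContent-Length: 8\r\n\r\n"
               b"\x00\x00\x01\xbaMPEG")
SAMPLE_CHUNKED = (b"HTTP/1.1 200 OK\r\nContent-Type: video/mp4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n4\r\nabcd\r\n2\r\nef\r\n0\r\n\r\n")
```

Writing the returned bytes with `open("video" + ext, "wb")` is the equivalent of the article's “Save as” step; a `complete` value of False means the capture ended before the whole file arrived (prerequisite 4).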

Conclusion

This is how we can extract a video, or a live video stream, from a Wireshark capture. We learned something new with Wireshark, and the same steps can be applied to other captures to recover other types of data.

About the author

Bamdeb Ghosh

Bamdeb Ghosh has hands-on experience in the wireless networking domain. He's an expert in Wireshark capture analysis on wireless or wired networks, along with knowledge of Android, Bluetooth, Linux commands and Python. Follow his site: wifisharks.com