Advanced stream recording using Wireshark

avirex · #1 05-30-2012, 04:14 PM

Hello.

I have an IPTV device hooked up to my television and I'm curious to know where the streams are coming from.

I was able to capture the raw packets from the IPTV device wirelessly using Pirni (for iPhone) and I have a lot of RTMPT traffic in the capture.

Problem is I am not seeing enough information to be able to play the streams on my computer.

I can see the "Connect" to their server. But the "Playpath" parameter seems to be encrypted.

For example:

I see a Connect to 'rtmp://91.232.136.6:1935/sedge'

Then I see a Create Stream.

Then a FCSubscribe with "String 'AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUl BNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5Cl afSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V 4b1mMq3FU8OJPEGhIKjbKI='

and finally the Play with String 'AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUl BNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5Cl afSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V 4b1mMq3FU8OJPEGhIKjbKI='

The "Play" string looks like the Playpath but it seems to be encrypted.

When I drop this in rtmpdump I get the following:

Code:

C:\rtmpdump>rtmpdump -r "rtmp://91.232.136.6:1935/sedge" -y "AKuOuDtzNHyvwotDemO
EietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5Cl
afSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=" -d "A
KuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2S
UK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJ
PEGhIKjbKI=" -v -V | vlc -
RTMPDump 2.4 git-6230845 2011-9-25
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
WARNING: You haven't specified an output file (-o filename), using stdout
DEBUG: Protocol : RTMP
DEBUG: Hostname : 91.232.136.6
DEBUG: Port     : 1935
DEBUG: Playpath : AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWN
oVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMoj
qhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: tcUrl    : rtmp://91.232.136.6:1935/sedge
DEBUG: app      : sedge
DEBUG: subscribepath : AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE
6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N37
1WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: live     : yes
DEBUG: timeout  : 30 sec
DEBUG: Setting buffer time to: 36000000ms
Connecting ...
DEBUG: RTMP_Connect1, ... connected, handshaking
DEBUG: HandShake: Type Answer   : 03
DEBUG: HandShake: Server Uptime : 96850052
DEBUG: HandShake: FMS Version   : 3.0.1.1
DEBUG: HandShake: Handshaking finished....
DEBUG: RTMP_Connect1, handshaked
DEBUG: Invoking connect
INFO: Connected...
DEBUG: HandleServerBW: server BW = 2500000
DEBUG: HandleClientBW: client BW = 2500000 2
DEBUG: HandleCtrl, received ctrl. type: 0, len: 6
DEBUG: HandleCtrl, Stream Begin 0
DEBUG: HandleChangeChunkSize, received: chunk size change to 4096
DEBUG: RTMP_ClientPacket, received: invoke 259 bytes
DEBUG: (object begin)
DEBUG: (object begin)
DEBUG: Property: <Name:             fmsVer, STRING:     FMS/3,5,4,210>
DEBUG: Property: <Name:       capabilities, NUMBER:     31.00>
DEBUG: Property: <Name:               mode, NUMBER:     1.00>
DEBUG: (object end)
DEBUG: (object begin)
DEBUG: Property: <Name:              level, STRING:     status>
DEBUG: Property: <Name:               code, STRING:     NetConnection.Connect.Su
ccess>
DEBUG: Property: <Name:        description, STRING:     Connection succeeded.>
DEBUG: Property: <Name:               data, OBJECT>
DEBUG: (object begin)
DEBUG: Property: <Name:            version, STRING:     3,5,4,210>
DEBUG: (object end)
DEBUG: Property: <Name:           clientid, NUMBER:     499847536.00>
DEBUG: Property: <Name:     objectEncoding, NUMBER:     0.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <_result>
DEBUG: HandleInvoke, received result for method call <connect>
DEBUG: sending ctrl. type: 0x0003
DEBUG: Invoking createStream
DEBUG: FCSubscribe: AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QB
WNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WM
ojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: Invoking FCSubscribe
DEBUG: RTMP_ClientPacket, received: invoke 29 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <_result>
DEBUG: HandleInvoke, received result for method call <createStream>
DEBUG: SendPlay, seekTime=0, stopTime=0, sending play: AKuOuDtzNHyvwotDemOEietAm
j4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK
4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: Invoking play
DEBUG: sending ctrl. type: 0x0003
DEBUG: RTMP_ClientPacket, received: invoke 142 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object begin)
DEBUG: Property: <Name:              level, STRING:     status>
DEBUG: Property: <Name:               code, STRING:     NetStream.Play.Start>
DEBUG: Property: <Name:        description, STRING:     FCSubscribe to stream no
t-found.>
DEBUG: Property: <Name:           clientid, NUMBER:     499847536.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <onFCSubscribe>
DEBUG: RTMP_ClientPacket, received: invoke 194 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object begin)
DEBUG: Property: <Name:              level, STRING:     status>
DEBUG: Property: <Name:               code, STRING:     NetStream.Play.Unpublish
Notify>
DEBUG: Property: <Name:        description, STRING:     rtmp://eu-origin.zaaptv.
com:1935/origin/_definst_/not-found is now unpublished.>
DEBUG: Property: <Name:           clientid, NUMBER:     499847536.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <onStatus>
DEBUG: HandleInvoke, onStatus: NetStream.Play.UnpublishNotify
DEBUG: Invoking deleteStream
DEBUG: Closing connection.

What's interesting is the RTMPDUMP output is exposing the following (highlighted in blue above):

rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/not-found

Any idea how I can get this FCSubscribe and the actual Playpath?

I feel like I'm almost there, just need some help to finish the last mile. Thanks in advance.

avirex · #2 05-30-2012, 04:56 PM

When I did a search for this rtmp server in blue above I came across another post on this forum and the guy found the following:

rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/mux-udp-388

Ok now forgetting everything above, when I try rtmpdump for just this stream it WORKS but only plays for a few seconds. Here is the output:

Code:

C:\rtmpdump>rtmpdump -r "rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/mux-u
dp-388" -v -p "zaaptv.com" | vlc -
RTMPDump 2.4 git-6230845 2011-9-25
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
WARNING: You haven't specified an output file (-o filename), using stdout
Connecting ...
INFO: Connected...
Starting Live Stream
INFO: Metadata:
INFO:   audiochannels         2.00
INFO:   audiosamplerate       48000.00
INFO:   audiocodecid          mp4a
INFO:   videocodecid          avc1
INFO:   width                 720.00
INFO:   height                576.00
INFO:   frameWidth            720.00
INFO:   frameHeight           576.00
INFO:   displayWidth          720.00
INFO:   displayHeight         576.00
INFO: trackinfo:
INFO:   timescale             0.00
INFO:   language              eng
INFO: sampledescription:
INFO:   sampletype
INFO:   type                  audio
INFO:   config                1190
INFO:   description           {AACFrame: size: 0, rate: 48000, channels: 2, samp
les: 1024, errorBitsAbsent: true, profileObjectType: "LC"}
INFO:   timescale             0.00
INFO:   language              eng
INFO: sampledescription:
INFO:   sampletype
INFO:   type                  video
INFO:   profile-level-id      42c01e
INFO:   sprop-parameter-sets  Z0LAHtoC0Em/8AEAAPEAAAMAAQAAAwAyDxYuoAA=,aM4yyA==
INFO:   description           {H264CodecConfigInfo: profile: "Baseline", level:
3.0, frameSize: 720x576, displaySize: 768x576, PAR: 16:15}
INFO: rtpsessioninfo:
INFO:   connectiondata        IN IP4 0.0.0.0
INFO:   name                  WowzaMediaServerPro MPEG-TS
INFO:   origin                - 1398695077 1398695077 IN IP4 127.0.0.1
INFO:   timing                0 0
INFO:   protocolversion       0
INFO: attributes:
INFO:   range                 npt=now-
114.669 kB / 0.03 sec
ERROR: RTMP_ReadPacket, failed to read RTMP packet body. len: 2727
125.710 kB / 0.21 sec
Download complete

I think I need the Swfurl or Pageurl to make it play properly. But how do I find that?

Any thoughts on how to make it play consistently? Ideas?

svnpenn · #3 05-31-2012, 07:16 PM

Quote:

Originally Posted by Forum rules v1.1

If you truly want definitive answers quickly and without
delay, please include link(s) to the web-page(s) with video(s) you supposedly
can't capture.

stream-recorder.com/forum/announcement.php?f=4

avirex · #4 05-31-2012, 08:02 PM

Quote:

Originally Posted by svnpenn

stream-recorder.com/forum/announcement.php?f=4

Sure. Again the stream is right here:

rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/mux-udp-388

Here is another:

rtmp://us-origin.zaaptv.com:1935/origin/_definst_/mux-udp-144

This is from an IPTV set-top-box. So there is no website to speak of.

The previous post was describing my efforts to try to capture streams from the set-top-box by inspecting a wireshark trace manually. It appears the stream is encrypted. So again, in that instance I have no website or stream to speak of (yet).

Thanks for your help.

svnpenn · #5 05-31-2012, 08:21 PM

Quote:

Originally Posted by avirex

This is from an IPTV set-top-box. So there is no website to speak of

You need to create a file that contains the RTMP handshake.

Normally if you were using a computer with Firefox the handshake is captured in the RAM, under the process plugin-container.exe. From there you can dump the memory of that process using ProcDump. It creates a file called plugin-container.dmp. This file contains a capture of the process memory, which in turn includes the RTMP handshake as well as first part of the video. You cannot capture the video data because it is encrypted, but you can capture the handshake, which is in plain text. From the file you could do a simple grep command

Code:

grep swf plugin-container.dmp

Your main trouble is capturing this handshake to a file. If you can figure a way to do that then the rest should be easy.

avirex · #6 05-31-2012, 11:40 PM

Quote:

Originally Posted by svnpenn

You need to create a file that contains the RTMP handshake.

Normally if you were using a computer with Firefox the handshake is captured in the RAM, under the process plugin-container.exe. From there you can dump the memory of that process using ProcDump. It creates a file called plugin-container.dmp. This file contains a capture of the process memory, which in turn includes the RTMP handshake as well as first part of the video. You cannot capture the video data because it is encrypted, but you can capture the handshake, which is in plain text. From the file you could do a simple grep command

Code:

grep swf plugin-container.dmp

Your main trouble is capturing this handshake to a file. If you can figure a way to do that then the rest should be easy.

Hi Steven.

I have the "handshake" from the network trace, and these are RTMP packets. There is "Handshake C2" and "Handshake C0+C1". Is that going to help?

svnpenn · #7 06-01-2012, 12:00 AM

Quote:

Originally Posted by avirex

I have the "handshake" from the network trace, and these are RTMP packets. There is "Handshake C2" and "Handshake C0+C1". Is that going to help?

You need to initiate a handshake on your device (for example starting a video). The raw binary data of this handshake needs to be captured
in a file, so that it can be parsed.