
Advanced stream recording using Wireshark

(http://stream-recorder.com/forum/showthread.php?t=12704)

avirex 05-30-2012 03:14 PM

Advanced stream recording using Wireshark


 
Hello.

I have an IPTV device hooked up to my television and I'm curious to know where the streams are coming from.

I was able to capture the raw packets from the IPTV device wirelessly using Pirni (for iPhone) and I have a lot of RTMPT traffic in the capture.

Problem is I am not seeing enough information to be able to play the streams on my computer.

I can see the "Connect" to their server. But the "Playpath" parameter seems to be encrypted.

For example:

I see a Connect to 'rtmp://91.232.136.6:1935/sedge'



Then I see a Create Stream.



Then a FCSubscribe with String 'AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI='



and finally the Play with String 'AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI='



The "Play" string looks like the Playpath but it seems to be encrypted.

When I drop this in rtmpdump I get the following:

Code:

C:\rtmpdump>rtmpdump -r "rtmp://91.232.136.6:1935/sedge" -y "AKuOuDtzNHyvwotDemO
EietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5Cl
afSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=" -d "A
KuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2S
UK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJ
PEGhIKjbKI=" -v -V | vlc -
RTMPDump 2.4 git-6230845 2011-9-25
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
WARNING: You haven't specified an output file (-o filename), using stdout
DEBUG: Protocol : RTMP
DEBUG: Hostname : 91.232.136.6
DEBUG: Port    : 1935
DEBUG: Playpath : AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWN
oVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMoj
qhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: tcUrl    : rtmp://91.232.136.6:1935/sedge
DEBUG: app      : sedge
DEBUG: subscribepath : AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE
6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N37
1WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: live    : yes
DEBUG: timeout  : 30 sec
DEBUG: Setting buffer time to: 36000000ms
Connecting ...
DEBUG: RTMP_Connect1, ... connected, handshaking
DEBUG: HandShake: Type Answer  : 03
DEBUG: HandShake: Server Uptime : 96850052
DEBUG: HandShake: FMS Version  : 3.0.1.1
DEBUG: HandShake: Handshaking finished....
DEBUG: RTMP_Connect1, handshaked
DEBUG: Invoking connect
INFO: Connected...
DEBUG: HandleServerBW: server BW = 2500000
DEBUG: HandleClientBW: client BW = 2500000 2
DEBUG: HandleCtrl, received ctrl. type: 0, len: 6
DEBUG: HandleCtrl, Stream Begin 0
DEBUG: HandleChangeChunkSize, received: chunk size change to 4096
DEBUG: RTMP_ClientPacket, received: invoke 259 bytes
DEBUG: (object begin)
DEBUG: (object begin)
DEBUG: Property: <Name:            fmsVer, STRING:    FMS/3,5,4,210>
DEBUG: Property: <Name:      capabilities, NUMBER:    31.00>
DEBUG: Property: <Name:              mode, NUMBER:    1.00>
DEBUG: (object end)
DEBUG: (object begin)
DEBUG: Property: <Name:              level, STRING:    status>
DEBUG: Property: <Name:              code, STRING:    NetConnection.Connect.Su
ccess>
DEBUG: Property: <Name:        description, STRING:    Connection succeeded.>
DEBUG: Property: <Name:              data, OBJECT>
DEBUG: (object begin)
DEBUG: Property: <Name:            version, STRING:    3,5,4,210>
DEBUG: (object end)
DEBUG: Property: <Name:          clientid, NUMBER:    499847536.00>
DEBUG: Property: <Name:    objectEncoding, NUMBER:    0.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <_result>
DEBUG: HandleInvoke, received result for method call <connect>
DEBUG: sending ctrl. type: 0x0003
DEBUG: Invoking createStream
DEBUG: FCSubscribe: AKuOuDtzNHyvwotDemOEietAmj4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QB
WNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WM
ojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: Invoking FCSubscribe
DEBUG: RTMP_ClientPacket, received: invoke 29 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <_result>
DEBUG: HandleInvoke, received result for method call <createStream>
DEBUG: SendPlay, seekTime=0, stopTime=0, sending play: AKuOuDtzNHyvwotDemOEietAm
j4OjchYtD1qxn1E4DOKf4JUlBNw5tfQE6QBWNoVxUyuWmW_vaM7VoP2SUK55CI7w7Pz6JOz5ClafSjEK
4MvHOX2l86ggumDKi7WOneCOr_Hd6N371WMojqhb7T4V4b1mMq3FU8OJPEGhIKjbKI=
DEBUG: Invoking play
DEBUG: sending ctrl. type: 0x0003
DEBUG: RTMP_ClientPacket, received: invoke 142 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object begin)
DEBUG: Property: <Name:              level, STRING:    status>
DEBUG: Property: <Name:              code, STRING:    NetStream.Play.Start>
DEBUG: Property: <Name:        description, STRING:    FCSubscribe to stream no
t-found.>

DEBUG: Property: <Name:          clientid, NUMBER:    499847536.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <onFCSubscribe>
DEBUG: RTMP_ClientPacket, received: invoke 194 bytes
DEBUG: (object begin)
DEBUG: Property: NULL
DEBUG: (object begin)
DEBUG: Property: <Name:              level, STRING:    status>
DEBUG: Property: <Name:              code, STRING:    NetStream.Play.Unpublish
Notify>
DEBUG: Property: <Name:        description, STRING:    rtmp://eu-origin.zaaptv.
com:1935/origin/_definst_/not-found is now unpublished.>

DEBUG: Property: <Name:          clientid, NUMBER:    499847536.00>
DEBUG: (object end)
DEBUG: (object end)
DEBUG: HandleInvoke, server invoking <onStatus>
DEBUG: HandleInvoke, onStatus: NetStream.Play.UnpublishNotify
DEBUG: Invoking deleteStream
DEBUG: Closing connection.


What's interesting is the RTMPDUMP output is exposing the following (highlighted in blue above):

rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/not-found


Any idea how I can get this FCSubscribe and the actual Playpath?

I feel like I'm almost there, just need some help to finish the last mile. Thanks in advance.

avirex 05-30-2012 03:56 PM

Re: Advanced stream recording using Wireshark


 
When I did a search for this rtmp server in blue above I came across another post on this forum and the guy found the following:

rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/mux-udp-388

Ok now forgetting everything above, when I try rtmpdump for just this stream it WORKS but only plays for a few seconds. Here is the output:

Code:

C:\rtmpdump>rtmpdump -r "rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/mux-u
dp-388" -v -p "zaaptv.com" | vlc -
RTMPDump 2.4 git-6230845 2011-9-25
(c) 2010 Andrej Stepanchuk, Howard Chu, The Flvstreamer Team; license: GPL
WARNING: You haven't specified an output file (-o filename), using stdout
Connecting ...
INFO: Connected...
Starting Live Stream
INFO: Metadata:
INFO:  audiochannels        2.00
INFO:  audiosamplerate      48000.00
INFO:  audiocodecid          mp4a
INFO:  videocodecid          avc1
INFO:  width                720.00
INFO:  height                576.00
INFO:  frameWidth            720.00
INFO:  frameHeight          576.00
INFO:  displayWidth          720.00
INFO:  displayHeight        576.00
INFO: trackinfo:
INFO:  timescale            0.00
INFO:  language              eng
INFO: sampledescription:
INFO:  sampletype
INFO:  type                  audio
INFO:  config                1190
INFO:  description          {AACFrame: size: 0, rate: 48000, channels: 2, samp
les: 1024, errorBitsAbsent: true, profileObjectType: "LC"}
INFO:  timescale            0.00
INFO:  language              eng
INFO: sampledescription:
INFO:  sampletype
INFO:  type                  video
INFO:  profile-level-id      42c01e
INFO:  sprop-parameter-sets  Z0LAHtoC0Em/8AEAAPEAAAMAAQAAAwAyDxYuoAA=,aM4yyA==
INFO:  description          {H264CodecConfigInfo: profile: "Baseline", level:
3.0, frameSize: 720x576, displaySize: 768x576, PAR: 16:15}
INFO: rtpsessioninfo:
INFO:  connectiondata        IN IP4 0.0.0.0
INFO:  name                  WowzaMediaServerPro MPEG-TS
INFO:  origin                - 1398695077 1398695077 IN IP4 127.0.0.1
INFO:  timing                0 0
INFO:  protocolversion      0
INFO: attributes:
INFO:  range                npt=now-
114.669 kB / 0.03 sec
ERROR: RTMP_ReadPacket, failed to read RTMP packet body. len: 2727
125.710 kB / 0.21 sec
Download complete

I think I need the Swfurl or Pageurl to make it play properly. But how do I find that?

Any thoughts on how to make it play consistently? Ideas?

svnpenn 05-31-2012 06:16 PM

Re: Advanced stream recording using Wireshark


 
Quote:

Originally Posted by Forum rules v1.1
If you truly want definitive answers quickly and without
delay, please include link(s) to the web-page(s) with video(s) you supposedly
can't capture.

stream-recorder.com/forum/announcement.php?f=4

avirex 05-31-2012 07:02 PM

Re: Advanced stream recording using Wireshark


 
Quote:

Originally Posted by svnpenn (Post 46932)


Sure. Again the stream is right here:

rtmp://eu-origin.zaaptv.com:1935/origin/_definst_/mux-udp-388

Here is another:

rtmp://us-origin.zaaptv.com:1935/origin/_definst_/mux-udp-144

This is from an IPTV set-top-box. So there is no website to speak of.

The previous post was describing my efforts to try to capture streams from the set-top-box by inspecting a wireshark trace manually. It appears the stream is encrypted. So again, in that instance I have no website or stream to speak of (yet).

Thanks for your help.

svnpenn 05-31-2012 07:21 PM

Re: Advanced stream recording using Wireshark


 
Quote:

Originally Posted by avirex
This is from an IPTV set-top-box. So there is no website to speak of

You need to create a file that contains the RTMP handshake.

Normally if you were using a computer with Firefox the handshake is captured in the RAM, under the process plugin-container.exe. From there you can dump the memory of that process using ProcDump. It creates a file called plugin-container.dmp. This file contains a capture of the process memory, which in turn includes the RTMP handshake as well as the first part of the video. You cannot capture the video data because it is encrypted, but you can capture the handshake, which is in plain text. From the file you could do a simple grep command:

Code:

grep -a swf plugin-container.dmp

Your main trouble is capturing this handshake to a file. If you can figure a way to do that then the rest should be easy.

avirex 05-31-2012 10:40 PM

Re: Advanced stream recording using Wireshark


 
Quote:

Originally Posted by svnpenn (Post 46936)
You need to create a file that contains the RTMP handshake.

Normally if you were using a computer with Firefox the handshake is captured in the RAM, under the process plugin-container.exe. From there you can dump the memory of that process using ProcDump. It creates a file called plugin-container.dmp. This file contains a capture of the process memory, which in turn includes the RTMP handshake as well as the first part of the video. You cannot capture the video data because it is encrypted, but you can capture the handshake, which is in plain text. From the file you could do a simple grep command:

Code:

grep -a swf plugin-container.dmp

Your main trouble is capturing this handshake to a file. If you can figure a way to do that then the rest should be easy.


Hi Steven.

I have the "handshake" from the network trace, and these are RTMP packets. There is "Handshake C2" and "Handshake C0+C1". Is that going to help?




svnpenn 05-31-2012 11:00 PM

Re: Advanced stream recording using Wireshark


 
Quote:

Originally Posted by avirex
I have the "handshake" from the network trace, and these are RTMP packets. There is "Handshake C2" and "Handshake C0+C1". Is that going to help?

You need to initiate a handshake on your device (for example starting a video). The raw binary data of this handshake needs to be captured in a file, so that it can be parsed.
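
Added example, not part of the original thread or of rtmpdump: a parser for the server half of a plain RTMP handshake (S0+S1) that reports the same three fields the rtmpdump debug log in the first post prints (Type Answer, Server Uptime, FMS Version). The field layout follows the public RTMP specification; the input is assumed to be the reassembled server-to-client bytes of one connection, the sample bytes are constructed to match the log values above, and all function names are illustrative.

```python
import struct

BLOCK = 1536  # size of C1/S1 (and C2/S2) in the RTMP specification


def parse_s0_s1(stream: bytes) -> dict:
    """Parse S0 (1 byte) + S1 (1536 bytes) from the start of the
    server-to-client byte stream of one reassembled connection."""
    if len(stream) < 1 + BLOCK:
        raise ValueError(f"truncated handshake: {len(stream)} of {1 + BLOCK} bytes")
    s1 = stream[1:1 + BLOCK]
    (uptime,) = struct.unpack(">I", s1[:4])  # big-endian 32-bit time field
    return {
        "type": stream[0],                   # 0x03 = plain RTMP
        "plain": stream[0] == 0x03,
        "uptime": uptime,
        "version": ".".join(str(b) for b in s1[4:8]),
        "opaque_len": len(s1) - 8,           # random/digest bytes, not text
    }


def as_rtmpdump_lines(hs: dict) -> list:
    """Render the parsed fields the way the debug log above shows them."""
    return [
        f"HandShake: Type Answer   : {hs['type']:02X}",
        f"HandShake: Server Uptime : {hs['uptime']}",
        f"HandShake: FMS Version   : {hs['version']}",
    ]


def constructed_sample() -> bytes:
    """Constructed S0+S1 carrying the values from the log in the first post."""
    s1 = struct.pack(">I", 96850052) + bytes([3, 0, 1, 1])
    s1 += bytes(i % 251 for i in range(BLOCK - len(s1)))  # stand-in for random data
    return b"\x03" + s1


if __name__ == "__main__":
    for line in as_rtmpdump_lines(parse_s0_s1(constructed_sample())):
        print(line)
```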

shane210585 07-05-2012 04:42 PM

Re: Advanced stream recording using Wireshark


 
Hello Professionals

How can I hook my IPTV to a PC?

I have 2 USB slots, a network slot and an HDMI slot. I tried with Wireshark but no success.

All times are GMT -6.