Old 09-19-2011, 10:08 PM
chenxiaolong

How to dump RTMP streams under Linux


EDIT: I assume that everyone who has the bandwidth to download RTMP streams has the bandwidth to view full images, so I didn't link to thumbnails. : )

So, in this tutorial, I'll show you how to download RTMP streams under Linux. In this tutorial, I'm going to be dumping a song from Napster (specifically, this one: hxxp://music.napster.com/london-symphony-orchestra,-antal-dor%C3%A1ti-music/album/enesco%3A-roumanian-rhapsody-no.1-_-liszt%3A-hungarian-rhapsodies-nos.1-6/12181167).

The first thing to do is to install RTMPdump and gdb. You can do this with the package manager for your distro:

Code:
#Arch Linux:
pacman -Sy rtmpdump gdb
#Ubuntu and Debian
apt-get install rtmpdump gdb
#Fedora (with ATRpms repository: http://atrpms.net)
yum install rtmpdump gdb
#Mandriva and Mageia
urpmi rtmpdump gdb

If your distro doesn't provide binary packages, you will need to compile from source (Gentoo, Slackware, etc.).

We are going to be using rtmpsrv to generate the command needed to download the file. For rtmpsrv to work, you need to redirect all outgoing TCP connections to port 1935 on localhost. I suggest closing all unnecessary tabs and downloading programs. It will slow down rtmpsrv. Use iptables to redirect the connections. As root, run:

Code:
iptables -t nat -A OUTPUT -p tcp --dport 1935 -j REDIRECT

Then run as a normal user:

Code:
rtmpsrv

Before continuing, you should kill all flash player processes. It will make finding the PID easier later. To do that, run:

Code:
ps aux | grep flash

to list processes containing the string "flash" in the name. And then kill the processes by running: (replace 0000 with the PID. It's the second column of the previous command)

Code:
kill 0000

Now, browse to the page with the media file and start playing it. At this point, rtmpsrv has already generated the command for downloading the RTMP stream. The reason rtmpsrv couldn't automatically download the stream is because we told iptables to redirect ALL TCP connections to localhost on port 1935. An RTMP connection is a TCP connection, so essentially, it's trying to download from itself. So now, we have to remove that iptables rule. To do that, run:

Code:
iptables -t nat -D OUTPUT -p tcp --dport 1935 -j REDIRECT

(Notice that the iptables command uses "-D" instead of "-A". "-A" means add rule and "-D" means delete rule.)

Now, you can close rtmpsrv by pressing Control C and then copying and pasting that huge command starting with "rtmpdump -r ..." to download the stream.

What if that command fails?

Well, in this case we can dump the memory of the flash player process and search for the "rtmp" URI. Run:

Code:
ps aux | grep flash

to find the PID (second column) of the process:



Now attach to the process with gdb (a free debugger):



A lot of "Loading symbols" messages will fly by, and then you'll see this:



Now type in "gcore" to perform a core memory dump of the process. It will create a file called core.PID.





Exit gdb by typing "quit." Type in "y" when it asks if you want to detach from the process. Now, open the core dump in a hex editor. I recommend using Okteta if you use KDE since it handles large files very well. The core dump will be at least 100MB. So, open the file in a hex editor:



and search for the string (in Unicode or UTF-8) "rtmp://":



Voila! There's the RTMP stream:



Then, run the command generated by rtmpsrv again, but this time, replacing the generated stream URI with the one you found:



Success! But since I can't post 11 images: http://i.imgur.com/M0acF.png

EDIT: Of course this all means nothing without proof: http://i.imgur.com/pqP6z.png

Hope this helps!

Last edited by chenxiaolong : 09-19-2011 at 11:45 PM. Reason: didn't finish post
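The hex-editor search for "rtmp://" in the core dump can also be scripted. The following is an added example, not part of the original post: it scans a core file for the URI in both encodings the post mentions (UTF-8 and Unicode, i.e. UTF-16LE) and reports the file offset of each hit. It goes slightly beyond the post by also matching variant schemes such as rtmpe:// and rtmps://; the function names, that pattern and the sample bytes are assumptions made for illustration.

```python
import mmap
import re
import sys

# Printable, non-space ASCII: a URI embedded in binary data ends where this stops.
_CH = rb"[\x21-\x7e]"
# rtmp:// plus variant schemes such as rtmpe:// or rtmps:// (a generalisation).
ASCII_URI = re.compile(rb"rtmp[a-z]{0,2}://" + _CH + rb"{1,2048}")
# Same text as UTF-16LE: every ASCII byte is followed by a NUL byte.
UTF16_URI = re.compile(
    rb"r\x00t\x00m\x00p\x00(?:[a-z]\x00){0,2}:\x00/\x00/\x00(?:" + _CH + rb"\x00){1,2048}"
)


def find_rtmp_uris(buf):
    """Return sorted (offset, encoding, uri) for every RTMP URI in buf."""
    hits = []
    for m in ASCII_URI.finditer(buf):
        hits.append((m.start(), "utf-8", m.group().decode("ascii")))
    for m in UTF16_URI.finditer(buf):
        hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def scan_core(path):
    """Scan a core file through mmap so a 100 MB+ dump is not read into RAM."""
    with open(path, "rb") as f:
        try:
            mem = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
        except ValueError:  # an empty file cannot be mapped
            return []
        with mem:
            return find_rtmp_uris(mem)


# Constructed sample standing in for a core dump: binary noise around one
# UTF-8 and one UTF-16LE copy of a made-up URI (example.invalid is not real).
SAMPLE = (
    b"\x7fELF\x00\x01\x02" + b"rtmp://media.example.invalid/app/mp3:track01"
    + b"\x00\xff\xfe junk "
    + "rtmpe://media.example.invalid/app".encode("utf-16-le") + b"\x00\x00\x90"
)

if __name__ == "__main__":
    hits = scan_core(sys.argv[1]) if len(sys.argv) > 1 else find_rtmp_uris(SAMPLE)
    for offset, enc, uri in hits:
        print(f"0x{offset:08x}  {enc:8}  {uri}")
```

Run it with the path to the core.PID file as its only argument; with no argument it scans the constructed sample.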