
Outcome: to extract Flash streams (from sites such as YouTube) from a packet capture.
These steps can also be used to extract many other files, such as PDFs and MP3s.

Required tools: Perl, tcpdump, and tcpflow.

I’m quite interested in network forensics and one thing I’ve always wondered was if it is possible to extract Flash and RTMP streams from a packet capture; whilst I haven’t had much luck yet with RTMP streams (anyone know how?), I have managed to successfully extract a Flash video being streamed from YouTube, thanks to a handy Perl script and blog post on rootshell.be.

Although it is possible, and albeit much easier, to grab the file from the browser’s cache, I’ve been wondering how this could be done with only a packet dump at hand.

First fire up tcpdump, and then watch a flash stream of your choosing.

#: tcpdump -s 0 -i wlan0 -v -w capture.cap

You can use tcpdump’s port and host options to limit the recording to traffic from a specific host on a particular port, if you wish.

Then use tcpflow to extract and reassemble the different TCP flows:

  #: tcpflow -r capture.cap

Now, if you do a directory listing, you’ll see all the different TCP flows that the capture file contained, now saved as separate files; one of those will be the Flash stream.
The easiest way to tell which is to run ls -lh, which lists all the files with human-readable sizes; the Flash video should be the largest one.

Next, save the following Perl script, obtained from rootshell.be, as strip_headers.pl.
This script removes the HTTP headers from the file, leaving just the data we want.

#!/usr/bin/perl
use strict;
use warnings;

# Read the reassembled TCP flow from STDIN, skip everything up to and
# including the blank CRLF line that ends the HTTP headers, and write the
# remaining body bytes to file.flv.
my $start = 0;
my $data  = "";
binmode(STDIN);    # the body is binary; avoid any newline translation
while (<STDIN>) {
    if    ( $start == 0 && $_ =~ /^\r\n/ ) { $start = 1; }    # end of headers
    elsif ( $start == 1 )                  { $data .= $_; }   # collect the body
}
open( my $fh, '>', 'file.flv' ) or die "Cannot open file.flv: $!";
binmode($fh);
print $fh $data;
close($fh);

Make it executable:

    #: chmod +x strip_headers.pl

Now simply run the script, passing the relevant TCP flow file (identified above) to it on standard input, i.e.:

    #: ./strip_headers.pl < xxxxx

The flash video should now have been extracted and saved as file.flv.
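As an added example (my own code, not the post’s or rootshell.be’s script), here is a Python version of the header-stripping step that also copes with a keep-alive flow carrying several HTTP responses, and that identifies each body from its leading bytes so the same code covers the FLV, PDF and MP3 cases the post mentions. The sample flow and the magic-byte table are constructed for the demonstration.

```python
import re

# Leading bytes of the file types the post mentions (constructed table, not exhaustive).
MAGIC = {b"FLV\x01": "flv", b"%PDF-": "pdf", b"ID3": "mp3"}

def sniff_type(body):
    """Guess the payload type from its first bytes; None if unrecognised."""
    for magic, name in MAGIC.items():
        if body.startswith(magic):
            return name
    if body[:2] == b"\xff\xfb":  # MP3 frame sync when there is no ID3 tag
        return "mp3"
    return None

def split_responses(flow):
    """Split a server-to-client tcpflow file into (headers, body) pairs.
    Headers end at the first blank CRLF line; the body length comes from
    Content-Length, or (as in the post's Perl script) the rest of the flow."""
    out, pos = [], 0
    while pos < len(flow):
        end = flow.find(b"\r\n\r\n", pos)
        if end < 0:  # no further complete header block
            break
        header_blob, body_start = flow[pos:end], end + 4
        m = re.search(rb"(?im)^content-length:\s*(\d+)\s*$", header_blob)
        body_end = body_start + int(m.group(1)) if m else len(flow)
        out.append((header_blob.decode("latin-1"), flow[body_start:body_end]))
        pos = body_end
    return out

def extract_files(flow):
    """Return (type, body) for every HTTP response body in the flow."""
    return [(sniff_type(body), body) for _, body in split_responses(flow)]

# Constructed sample: one keep-alive flow carrying a tiny FLV and then a PDF.
FLV_BODY = b"FLV\x01\x05\x00\x00\x00\x09" + b"\x00" * 8
PDF_BODY = b"%PDF-1.4\n%constructed\n"
SAMPLE_FLOW = (
    b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\nContent-Length: %d\r\n\r\n"
    % len(FLV_BODY) + FLV_BODY
    + b"HTTP/1.1 200 OK\r\nContent-Type: application/pdf\r\nContent-Length: %d\r\n\r\n"
    % len(PDF_BODY) + PDF_BODY
)

if __name__ == "__main__":
    for kind, body in extract_files(SAMPLE_FLOW):
        with open("extracted.%s" % (kind or "bin"), "wb") as fh:  # one file per response
            fh.write(body)
        print(kind, len(body))
```

To use it on a real capture, read the server-side tcpflow file with open(path, "rb") and pass its bytes to extract_files instead of SAMPLE_FLOW.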

If anyone is aware of a way to extract RTMP streams (not RTMPE) from a packet capture, then please let me know.
I’m aware that rtmpdump could be used to grab the stream as it is passing down the wire, but I’m looking for a way to extract the stream from an already captured network dump.
