Hi,
First keep in mind that there are a lot of different video formats out there and that Wireshark may or may not be able to dissect the one you are interested in. Make sure you are running the latest version of Wireshark to maximize your chances.
For the sake of argument, let's assume (I know) that the format is known to Wireshark.
Most streaming video will usually come from only one server at a time.
If you capture all traffic on your computer with Wireshark while streaming the video (and doing nothing else) you should be able to find the source server easily.
After the capture is complete, go to "Statistics" and then "Conversations."
In the IPv4 (or IPv6 if you swing that way) tab, you should be able to sort the lines by the "Packets" column.
The first line at the top should show the source IP you are looking for after sorting. (The triangle is pointing down so sorting from high to low.)
"Address A" should be the source you are looking for and "Address B" should be your own address or vice versa.
You can right click on that first line and select "Apply as Filter" then "Selected" and then "A <-> B".
This should filter out everything but the streaming video unless there was another large transfer of data at the same time you were capturing.
You should start looking at the packets to figure out the encapsulation used for the streaming video.
Assuming (I know) you are on an Ethernet network you could see the Ethernet frame header, the IP packet header and a TCP or UDP segment header before the actual video frames.
You may want to look at editcap -C to chop those headers off the packets if you just want the video frames. (Hopefully Wireshark can analyze them).
Hope that helps.
Cheers,
JF
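The same "sort conversations by packet count" step can be reproduced offline on a saved capture. The following is an added example, not part of the original answer: it assumes a classic pcap file (not pcapng) with Ethernet framing, IPv4 only and no VLAN tags, and the sample capture and addresses in it are constructed.

```python
import struct
from collections import Counter

def top_conversations(pcap_bytes):
    """Rank IPv4 conversations (A <-> B) in a classic Ethernet pcap by packet count."""
    magic = pcap_bytes[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled")
    counts, offset = Counter(), 24  # per-packet records follow the 24-byte global header
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        frame = pcap_bytes[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        # 14-byte Ethernet header followed by at least a 20-byte IPv4 header
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # skip non-IPv4 (e.g. ARP) or truncated frames
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        counts[tuple(sorted((src, dst)))] += 1  # direction ignored, like "A <-> B"
    return counts.most_common()  # highest packet count first

def _frame(src, dst, payload=b"x" * 32):
    """Constructed Ethernet + IPv4 + UDP frame (checksums left at zero)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    udp = struct.pack("!HHHH", 5004, 5004, 8 + len(payload), 0)
    return eth + ip + udp + payload

def build_sample_pcap():
    """Constructed capture: 40 'video' packets, 3 small local packets, 1 ARP frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [_frame("203.0.113.10", "192.168.1.20")] * 40
    frames += [_frame("192.168.1.20", "192.168.1.1")] * 3
    frames += [b"\xff" * 6 + b"\x04" * 6 + b"\x08\x06" + b"\x00" * 28]
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for pair, packets in top_conversations(build_sample_pcap()):
        print(pair[0], "<->", pair[1], packets)
```
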