Ask Your Question

how to extract information of each video frames in a video streaming with Wireshark?

asked 2019-01-28 20:52:48 +0000

Bonnie gravatar image

updated 2019-01-28 23:26:34 +0000

Hi everyone,

I need to capture packets of a video stream and analyze the information of the video between different packets. In the other way, I want to find a way to extract only the information of each video packet and analyze how much these information are similar to each other and find about their correlation among different frames. I tried to capture a video with Wireshark, but I have some problem that I need help.

First, I don't know which filter I should use that I get only video packets among all other packets secondly, after I remove the information of the header, I don't know which part of the information in the payload is the original video information and can describe the video's frame. I will appreciate it if you can help me with this purpose

edit retag flag offensive close merge delete



alike question of my own

WiFi camera > Wireshark tcp dissect, data assembly > video player

darius gravatar imagedarius ( 2019-02-07 00:20:47 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2019-01-29 02:37:36 +0000


First keep in mind that there are a lot of different video formats out there and that Wireshark may or may not be able to dissect the one you are interested in. Make sure you are running the latest version of Wireshark to maximize your chances.

For the sake or argument, let's assume (I know) that the format is known to Wireshark.

Most streaming video will usually come from only one server at a time.

If you capture all traffic on your computer with Wireshark while streaming the video (and doing nothing else) you should be able to find the source server easily.

After the capture is complete, go to "Statistics" and then "Conversations.”

In the IPv4 (or IPv6 if you swing that way) you should be able to sort the lines by the "Packets" column.

The first line at the top should show the source IP you are looking for after sorting. (The triangle is pointing down so sorting from high to low.)

"Address A" should be the source you are looking for and "Address B" should be your own address or vice versa.

You can right click on that first line and select "Apply as Filter" then "Selected" and then "A <-> B".

This should filter out everything but the streaming video unless there was other large transfer of data at the same time you were capturing.

You should start looking at the packets to figure out the encapsulation used for the streaming video.

Assuming (I know) you are on an Ethernet network you could see the Ethernet frame header, the IP packet header and a TCP or UDP segment header before the actual video frames.

You may want to look at editcap -C to chop those headers off the packets if you just want the video frames. (Hopefully Wireshark can analyze them).

Hope that helps.



edit flag offensive delete link more


Thank you so much for your detailed response. It was very helpful to me since I did not have a clue. According to your explanation, I've captured some packets from a video and I have the packets. Now I wanna know, how should I know how many bytes I should remove with editcap -C to chop the headers off since I need to write how many bytes I wanna chop with this command? If I remove the header, all the resting part is the original information?

Bonnie gravatar imageBonnie ( 2019-01-29 20:35:27 +0000 )edit

Hi Bonnie,

It is hard to tell without having the actual PCAP in front of me.

The remaining parts may be the original information.

Keep in mind that even if you strip the headers, you are still seeing the streaming video in packet form.

This format may not allow you to save the resulting file (after editcap) and play it.

It really depends on the video format. (I work with "MPEG TS" and this format would allow it.)

There is also the possibility that the data is encrypted and that only the software playing the video is able to decrypt it while it's playing it. The captured packets won't be decrypted.

Now to answer your question about where to chop:

Assuming pretty standard encapsulation, you should see something like this in the Packet Details pane for any of the captured packets.

Internet Protocol...
Transmission Control Protocol ...
Spooky gravatar imageSpooky ( 2019-01-30 00:52:06 +0000 )edit

Thank you Dear JF. I am trying to get what I want and your explanation were so helpful to me

Bonnie gravatar imageBonnie ( 2019-01-31 22:46:39 +0000 )edit


how to contact you about your how to extract information of each video frames in a video streaming with Wireshark?


darius gravatar imagedarius ( 2019-02-07 23:01:17 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-01-28 20:52:48 +0000

Seen: 9,637 times

Last updated: Jan 29 '19