This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture who is sending outgoing video stream

0

Hi, I'm new to Wireshark, but I get the concept of what it does, I hope... I am an IT consultant and have been hired by a company to see who is streaming a TV program from their network. They have been contacted by the TV station that an IP on their network has been doing this to a BitTorrent. I have placed my switch with the port mirroring on the LAN between the last switch and the router/firewall. I started capturing packets but quickly ran out of memory. I was hoping to only capture packets that are outbound and only video. I assume video packets can have many forms, so that may not be a good filter, but will leave it to you to educate me. Once I have the packets, I know Wireshark well enough to find which IP they are coming from, but it will be a very time-consuming task, so if someone has a better way to do this, I am all ears. Thanks in advance.

asked 23 May '13, 15:28


mikestefani
accept rate: 0%


2 Answers:

0

As it is related to streaming media, why can't you try to capture on port 554 (RTSP control) to get the details of who is initiating the stream? Set the capture filter to port 554 and you will get the control flow if that is the protocol (RTSP) in the picture.

Example Syntax for capture filter:

host a.b.c.d and port 554

Where a.b.c.d is your streaming server IP. The above capture filter tells it to capture only traffic to or from your host and to or from port 554.

Or simply do a capture of port 554 in your capture filter as specified below:

port 554

Regarding running out of memory:

There is a workaround feature called ring buffer. You can avoid running out of memory with the ring buffer technique; check this post:

http://ask.wireshark.org/questions/21323/monitor-247-but-retain-only-15-minutes

answered 23 May '13, 15:52


krishnayeddula
accept rate: 6%

edited 23 May '13, 16:59

0

I would first look in the router/firewall for session table entries that point to BitTorrent. Also have a look at the NAT table. Of course this all depends on what kind of router/firewall it is and whether you can look at those tables. It also depends on how large the network is and how big those tables are.

You could also just capture the SYN packets by using the capture filter "tcp[13]=2", this way you can capture much longer and you have a good overview of communications over your router/firewall.

answered 24 May '13, 00:55


SYN-bit ♦♦
accept rate: 20%
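One way to take the SYN-only capture from the second answer a step further, as an added example that is not from either answer: the script below applies the same test as the capture filter tcp[13]=2 to raw Ethernet frames and tallies, per LAN host, how many distinct external peers it tried to open connections to, which is what makes a BitTorrent client stand out from a host doing ordinary browsing. The LAN range and the sample frames are constructed assumptions; on a real capture you would feed it the frames from the SYN-filtered pcap.

```python
import struct
import ipaddress
from collections import defaultdict

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed internal range

def build_frame(src, dst, sport, dport, flags):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,    # ports, seq, ack
                      5 << 4, flags, 65535, 0, 0)          # data offset, flags, window, csum, urg
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return eth + ip + tcp

def syn_only(frame):
    """Same test as the capture filter tcp[13]=2: IPv4 TCP segment whose flags byte is exactly SYN.
    Returns (src, dst, dport) on a match, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None                                         # not IPv4 over Ethernet, or not TCP
    tcp = 14 + (frame[14] & 0x0F) * 4                       # TCP header starts after IHL*4 bytes
    if len(frame) < tcp + 20 or frame[tcp + 13] != 0x02:
        return None
    src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
    dport = struct.unpack("!H", frame[tcp + 2:tcp + 4])[0]
    return src, dst, dport

def outbound_peers(frames):
    """Map each LAN source IP to the distinct external (ip, port) pairs it tried to connect to."""
    peers = defaultdict(set)
    for f in frames:
        hit = syn_only(f)
        if hit and hit[0] in LAN and hit[1] not in LAN:
            peers[str(hit[0])].add((str(hit[1]), hit[2]))
    return peers

def rank_hosts(frames):
    """Hosts sorted by number of distinct external peers, most first (a swarm shows up on top)."""
    return sorted(((len(v), ip) for ip, v in outbound_peers(frames).items()), reverse=True)

# Constructed sample: .10 opens connections to four different peers on high ports,
# .20 makes one HTTPS connection, plus an inbound SYN-ACK and a LAN-internal SYN to ignore.
SAMPLE = [build_frame("192.168.1.10", "198.51.100.%d" % i, 40000 + i, 6881 + i, 0x02) for i in range(1, 5)]
SAMPLE += [build_frame("192.168.1.10", "198.51.100.1", 40010, 6882, 0x02),   # repeat peer, counted once
           build_frame("192.168.1.20", "203.0.113.5", 51000, 443, 0x02),
           build_frame("203.0.113.5", "192.168.1.20", 443, 51000, 0x12),     # SYN-ACK, not tcp[13]=2
           build_frame("192.168.1.20", "192.168.1.30", 51001, 445, 0x02)]    # LAN-internal, not outbound

if __name__ == "__main__":
    for count, ip in rank_hosts(SAMPLE):
        print(f"{ip}: {count} distinct external peers")
```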