This procedure outlines a method to take a raw Wireshark capture (over the air, or over wire) and reconstruct a video file from the captured UDP packets. Note that this procedure will not work for HDCP 2.0/2.1 protected streams.
- Open the capture in Wireshark.
- If required, decrypt the WiFi traffic.
- Find the UDP port for the video file transfer. In the Filter toolbar, type udp and press Enter. This will display only the UDP packets. In the Protocol or Information column, look for some indication of a video transport protocol, for example MPEG-TS. Click on one of the video packets and determine the UDP port. In the Filter toolbar, apply the display filter udp.port==xxxx, where xxxx is the UDP port number.
- From the Main menu, select: Analyze → Decode As... → Select the Transport tab → Ensure the Decode radio button is selected → In the left side of the window, ensure a bidirectional arrow exists between the UDP ports → In the right side of the window, choose RTP → Click OK
- From the Main menu, select: Telephony → RTP → Show All Streams
- Click on the desired stream (usually there should be only one) and click the "Analyze" button
- In the newly opened window, click the "Save payload" button
- On the bottom of the window, ensure Format is set to raw and Channel is set to forward
- Save the video stream with an appropriate file extension. For an MPEG transport stream video, use the .ts extension (e.g., video.ts)
Once the video file is saved, the video file can be viewed using a media player that supports the audio/video compression method and file format.
answered 07 Jul '15, 14:28
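What the "Decode As RTP" and "Save payload" steps amount to at the byte level, as an added example (not part of the original answer and not Wireshark's code). It assumes an already decrypted, little-endian classic pcap of unfragmented Ethernet/IPv4 frames; the port 5004, the sample capture and all function names are constructed for illustration, and skipping an immediately repeated RTP sequence number goes slightly beyond the steps above.

```python
import struct

def rtp_payload(d):
    """Strip the RTP header (RFC 3550); return (sequence, payload) or None."""
    if len(d) < 12 or d[0] >> 6 != 2:              # RTP version must be 2
        return None
    off = 12 + 4 * (d[0] & 0x0F)                   # fixed header + CSRC entries
    if d[0] & 0x10:                                # X bit: skip header extension
        off += 4 + 4 * int.from_bytes(d[off + 2:off + 4], "big")
    end = len(d) - (d[-1] if d[0] & 0x20 else 0)   # P bit: drop trailing padding
    return (int.from_bytes(d[2:4], "big"), d[off:end]) if off <= end else None

def udp_datagrams(pcap, port):
    """Yield UDP payloads on `port` from a little-endian classic pcap of Ethernet/IPv4."""
    if pcap[:4] != b"\xd4\xc3\xb2\xa1":
        raise ValueError("expected a little-endian classic pcap file")
    pos = 24                                       # skip the global header
    while pos + 16 <= len(pcap):
        incl = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        frame, pos = pcap[pos + 16:pos + 16 + incl], pos + 16 + incl
        udp = frame[14 + 4 * (frame[14] & 0x0F):] if len(frame) >= 42 else b""
        if frame[12:14] != b"\x08\x00" or frame[23:24] != b"\x11" or len(udp) < 8:
            continue                               # keep only IPv4 + UDP
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        if port in (sport, dport):
            yield udp[8:ulen]

def extract_ts(pcap, port):
    """Join RTP payloads in capture order, skipping an immediately repeated sequence number."""
    out, last = bytearray(), None
    for seq, payload in filter(None, map(rtp_payload, udp_datagrams(pcap, port))):
        if seq != last:
            out += payload
        last = seq
    return bytes(out)

def looks_like_ts(s):
    """MPEG-TS check: whole 188-byte packets, each starting with sync byte 0x47."""
    return bool(s) and len(s) % 188 == 0 and all(s[i] == 0x47 for i in range(0, len(s), 188))

def sample_pcap(port=5004):  # constructed capture: RTP seq 1, 1 (duplicate), 2
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for seq in (1, 1, 2):
        rtp = struct.pack("!BBHII", 0x80, 33, seq, 0, 0) + b"\x47" + bytes([seq]) * 187
        udp = struct.pack("!HHHH", 40000, port, 8 + len(rtp), 0) + rtp
        ip = struct.pack("!BBHHHBBH8x", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0)
        frame = bytes(12) + b"\x08\x00" + ip + udp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out
```

If `looks_like_ts` returns False on the extracted bytes, the wrong port was chosen, packets were lost in the capture, or the payload is not a plain MPEG transport stream.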