This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Axis Camera - RTP/RTSP over HTTP

I would think this has been done/asked before, but Google was not my friend this time.

I took a Wireshark capture of streaming video from an Axis camera on a PC viewing that video stream. The settings were described by Axis in the plugin as "RTP over RTSP over HTTP".

I think this is RTP interleaved with RTSP and encapsulated in HTTP (the video itself is the H264 codec). Something similar is described here.

How do I decode this in Wireshark? Can it be done? Is there a way to extract the video to a file?

Thank you!

asked 17 Jul '15, 16:51

sharky123

Can you post the capture file somewhere? I don't think Wireshark has a way to decode this right now, but a Lua plugin might be able to do it (by explicitly invoking the built-in RTSP and RTP dissectors); and if not then at least getting a capture file would help us figure out how hard it would be to make Wireshark be able to decode it. It might be fairly trivial.

(18 Jul '15, 05:42) Hadriel

I do have a capture file. How do I share it?

(18 Jul '15, 06:38) sharky123

You can upload it to cloudshark.org or pcapr.net or dropbox/google-drive/etc. Or even add it to https://wiki.wireshark.org/SampleCaptures

(18 Jul '15, 07:57) Hadriel
(18 Jul '15, 09:27) sharky123

Actually that just looks like RTP in RTSP's interleaved channel, over port 80. Port 80 is of course normally HTTP, but there doesn't appear to be actual HTTP protocol in it - just RTSP.

If you right-click packet #1, and select "Decode As..." from the menu which appears, and then select the protocol "RTSP", it correctly parses it as interleaved channel data. It would even have decoded it as RTP inside that channel data, except this capture is missing the initial RTSP messages on that TCP connection, which should have made it all work. (you'll note the capture starts in the middle of the TCP connection, as you don't see the SYN/SYN-ACK exchange)

Can you get a capture from the very beginning? (for example by rebooting the Axis camera?)

(18 Jul '15, 11:35) Hadriel

I suppose I could get a capture from the beginning. But these cameras are specifically in place to be constantly streaming. Ideally I'm looking to jump in the conversation, verify they are functioning, then get out. Restarting the cameras is not ideal.

(22 Jul '15, 09:15) sharky123

I just meant to make sure Wireshark would decode it right if it had the whole thing.

(22 Jul '15, 14:13) Hadriel

I made a small code change to enable dissecting it without the initial RTSP messages, which seems to decode your file fine now - and if you wait a few hours there should be a downloadable version on the automated downloads page to try it out. But even though I can dissect it as RTP, and can extract the RTP payload, that doesn't mean the video content will end up in a usable form to you. I don't even know what kind of video it is inside the RTP, since the initial RTSP messages would have indicated that but they're missing - and even if I knew I've never tried extracting RTP video. Googling might be a better resource for that.

(22 Jul '15, 14:59) Hadriel

I should have mentioned you can track the change on Wireshark's gerrit site.

(22 Jul '15, 15:01) Hadriel

One Answer:

You can download the latest build of Wireshark from the automated downloads section - it must be version 1.99.8-495 or higher to have the relevant change.

Once that new Wireshark is installed, open your capture file in it, right click on one of the "HTTP" packets, select "Decode As..." and select "RTSP" from the drop-down list, and click OK or Apply. That will make them be decoded as RTSP instead of HTTP - Wireshark assumes they're HTTP because they're on TCP port 80. So you should now see all the packets decoded as RTSP, but not as RTP inside yet. Then go to the menu "Analyze" and select "Enabled Protocols", and in the dialog box that shows up, there's a tab called "Heuristic Protocols" or some such. (This is a newly added tab in Wireshark 1.99.8, and will probably disappear soon and just become one big tab with consolidated info.) But anyway, in this Heuristics tab, check-mark the "RTP for RTSP" to enable that protocol decoder, and again click OK or Apply. You should now see all of the RTP in RTSP packets decoded properly.

If you close down the file or Wireshark and open it again, the setting for the "RTP in RTSP" heuristic should be saved and not require you to enable it again. But Wireshark will again try to decode the TCP packets as HTTP by default - you can make it not do that by changing the preferences, by going to the "Edit->Preferences->Protocols" for "RTSP" and adding 80 to its TCP port list; and you might need to go into the one for "HTTP" and remove 80 from its TCP port list.

answered 22 Jul '15, 17:11

Hadriel

Oh, and I should mention when you install the new Wireshark you'll have to use the GTK version, which means starting Wireshark from the command line with "wireshark-gtk". The Qt-based Wireshark, which is the default one in 1.99.8, doesn't have the "Analyze->Enabled Protocols" feature yet. (it looks like it will tomorrow though)

(22 Jul '15, 18:05) Hadriel
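
The situation discussed in this thread (RTP inside RTSP's interleaved channel on port 80, captured from the middle of the TCP connection) can also be checked outside Wireshark. The following is an added example, not part of the original thread and not Wireshark's code: it resynchronises on the `$` frame marker (RFC 2326, section 10.12) without the initial RTSP messages and counts RTP sequence gaps per SSRC. The sample bytes and all function names are constructed for illustration, and it assumes the reassembled stream carries only interleaved frames, with no RTSP text messages in between.

```python
import struct

def rtp_header(payload):
    """Return (payload_type, seq, timestamp, ssrc) for an RTP v2 packet, else None."""
    # Second-byte values 200..204 are RTCP packet types, which share the channel pair.
    if len(payload) < 12 or payload[0] >> 6 != 2 or 200 <= payload[1] <= 204:
        return None
    seq, ts, ssrc = struct.unpack("!HII", payload[2:12])
    return payload[1] & 0x7F, seq, ts, ssrc

def interleaved_frames(stream):
    """Yield (channel, payload) from a byte stream that may begin mid-frame."""
    i = 0
    while i + 4 <= len(stream):
        if stream[i] != 0x24:           # '$' opens a frame: '$', channel, 16-bit length
            i += 1
            continue
        channel, length = struct.unpack("!BH", stream[i + 1:i + 4])
        end = i + 4 + length
        # Resync heuristic: a real frame ends at the buffer end or at the next '$'.
        if end > len(stream) or (end < len(stream) and stream[end] != 0x24):
            i += 1
            continue
        yield channel, stream[i + 4:end]
        i = end

def check_stream(stream):
    """Return {ssrc: (packets_seen, packets_missing)} from RTP sequence numbers."""
    stats = {}
    for _channel, payload in interleaved_frames(stream):
        hdr = rtp_header(payload)
        if hdr is None:
            continue
        _pt, seq, _ts, ssrc = hdr
        seen, missing, last = stats.get(ssrc, (0, 0, None))
        if last is not None:            # TCP keeps order, so a jump is a real gap
            missing += (seq - last - 1) & 0xFFFF
        stats[ssrc] = (seen + 1, missing, seq)
    return {ssrc: (seen, missing) for ssrc, (seen, missing, _) in stats.items()}

# Constructed sample: 5 leftover bytes of a cut frame, then RTP seq 100, 101, RTCP, RTP 103.
def _frame(channel, payload):
    return b"$" + struct.pack("!BH", channel, len(payload)) + payload

def _rtp(seq, ssrc=0x1234ABCD):
    return struct.pack("!BBHII", 0x80, 96, seq, seq * 3000, ssrc) + b"\x00" * 8

SAMPLE = (b"\x41\x24\x00\x9a\x07" + _frame(0, _rtp(100)) + _frame(0, _rtp(101))
          + _frame(1, struct.pack("!BBHI", 0x80, 200, 6, 0x1234ABCD) + b"\x00" * 20)
          + _frame(0, _rtp(103)))
```

`check_stream(SAMPLE)` reports three RTP packets and one missing sequence number for the single SSRC; the stray `$` in the leftover bytes is rejected because its declared length runs past the buffer.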