Wireshark For Video Surveillance Tutorial

By: Brian Karas, Published on Aug 01, 2016

Want to snoop on the data going between your NVR and your IP camera?  Wireshark is the tool most commonly used to analyze network traffic and see what is really happening on the wire. It is helpful both in troubleshooting and understanding what is happening with IP camera streams.

This report gives an introduction to Wireshark and how to do some basic analysis on captured data to find information useful for camera setup and debugging, including:

  • Analyzing transmissions from IP cameras
  • Finding Unknown static IP addresses of IP cameras
  • Finding the RTSP URL of an IP camera
  • Using the follow option to get more data on an IP camera

Getting ******* **** *********

******** ************ *** ******* *** installation, ********* ******** ****** be ****.  ** *** are *** ******** **** network ******* ******* *** using ****** ***** *** will **** ****** **** to ******* ********* ** the **** ******* ** your ***. *** ************ should *** ******* * restart ** ********* *********, but *** ****** ** the ******* ****** ***-**** hours ** ** ****.

Wireshark *****

***** *** * *** of ********** ** *********, for ***** ****** ** concentrate ** ********* ******* and ***** ******* ** look ******* *** ******** data.  *** ********* ***** shows *** ** ***** a ****** *******:

Find ** ******* ****** ** ** * ******

** *** **** **** come ****** * ****** that *** * ****** IP ******* **** *** could *** ****** *** this ******** ***** *** one **** **.  ** is *********** ** ***** down *** ****** *** then ***** ** **** up ******* ***** *** start *** ****** *******.

** **** *** ** use *** "***" ****** and *** ** *** a *** ******* ****** to **** ******* ******** data.


Find *** **** *** ** * ******

** *** **** * recorder ********* ** * camera *** *** **** to **** *** **** URL ***** **** **** tutorial ***** *** *** to **** **** ******* in * ****** *******.  This **** *** "***** matches" ******.


Find *** *** **** ******* ** ** *********** ******

** ******* ***** **** than * ****** ** give ** *** ***** story, ********* *** **** you *** *** ******* related ** *** ***** packet **** **** * few ******.  **** ***** shows *** *** ** use *** "******" ******.


Other ****** *******

********* *** * **** powerful ********* *********, ** evidenced ** *** ******* ******* *************, ****** *** ******** of ***** ***** ***** be **** *** *************** IP ****** ** ****** control *******.

** *** **** *** IP ******* ** * camera *** **** ** see *** *** ******* going ** ** **** that ****** **** *** have ******** *** *** use *** ********* ******:

**.**** = ***.***.*.*

** *** ******* **** is *********** **** * specific ****** *** *** use *** "***" (******) filter:

**.*** == ***.***.**.**

********* *** *** *** a "***" (***********) ****** to *** *** *** traffic ***** **** ** a ******:

**.*** == ***.***.*.***

******* ***** *** ** used ** ******* *******, such ** ** **** UDP ******* **** * specific **:

**.**** = ***.***.*.** && ip.proto == ***

 

Comments (12)

Great post Brian!

Brian

This great article only shows how much info is exposed on our network on regular bases. This info is greatly helpful to the integrator, and equally helpful for an intruder.

While a good integrator may protect the communication from the VMS to the cameras using https, the communication between the VMS and the client is completely exposed in the majority of cases. There are few exceptions to the rule - some VMS solutions that do provide encryption and that will not necessarily require setting of VPNs to protect the data

Mulli Diamant

Brian, Excellent Post...!!

Great and informative article.

Some people think HTTPS might be part the end all for security, but for most it's only the initial communications and authentication, I think a lot of product could well be using Onvif, and I bet you would find the RTSP video stream is not afaik encrypted. So a simple man in the middle just sniffing the video packets could well be on the way to an episode of CSI!

Even companies using own private protocol, are most likely going to use unencrypted video streams. For speed and that, all so important wave their stupid hand in front of the camera and see their update display on browser being 1,000ms faster than company XYZ

The reason most likely is lazy programmers and unskilled non-security experts.

Any manufacturer out there even know this, do they even understand this. Do they care?

At some point end-end encryption will be the normal, and you best be able to deliver this ability or loose out, only takes one company to start this being standard.

Just take a look at iMessage and also now WhatApp this is how you do it properly.

Video content delivery has been around for ages; DRM protection is open source, maybe if Onvif committee needs to look at how quickly the world changes.

One thing I found that you should get an intelligent switch to using Wireshark, so you can setup the unit to allow monitoring on a particular port that is so you can grab all the packets of data, between a stand alone NVR and IPC devices. NVR PC based units naturally installing Wireshark on them is much easier, as mentioned in the article.

5.1.1.4 RTP/RTSP/HTTP/TCP

The data stream shall be sent via HTTP to traverse a firewall. A device shall support media transfer using RTP/RTSP/HTTP/TCP. And if a device supports TLS1.0, the data stream shall be sent or received via HTTPS to traverse a firewall, and a device shall support media transfer using RTP/RTSP/HTTPS/TCP.

ONVIF Streaming Spec v210

One thing I found that you should get an intelligent switch to using Wireshark, so you can setup the unit to allow monitoring on a particular port that is so you can grab all the packets of data, between a stand alone NVR and IPC devices.

This is a good idea. I actually have an old 10/100 Netgear *hub* ( a real hub, not a switch) that I've found to be handy for get a data stream from a camera or access control board. A pre-configured smart switch with a mirror port enabled would do the same thing.

I think a lot of product could well be using Onvif, and I bet you would find the RTSP video stream is not afaik encrypted. So a simple man in the middle just sniffing the video packets could well be on the way to an episode of CSI!

Years ago, at another company, we made a device that was a combination network sniffer and packet decoder. It could interpret SQL and SMB traffic in real time to analyze what users were doing with data. During that time I found an opensource project that could reconstruct files by reading packets off the wire. So, if you transferred a file to or from an SMB server, and I could get access to your network traffic, I could get a copy of the files you accessed by reconstructing them on my snoop machine. The same concept could be applied to unencrypted video streams, an enterprising developer could write something that showed you a mirror of an RTSP stream.

With a passive network tap you could easily create an RTSP stream mirror without even need a switch or mirror port/etc. Couple the passive tap to a Raspberry Pi, and you could create a device that wirelessly streams you a copy of the camera images without any detectable effect on the network.

This is a good idea. I actually have an old 10/100 Netgear *hub* ( a real hub, not a switch) that I've found to be handy for get a data stream from a camera or access control board. A pre-configured smart switch with a mirror port enabled would do the same thing.

A CSMA/CD 100Mbps hub? Lucky you!

Another way is to get in between the NVR and the IPC by routing thru your dual NIC PC.

I used a Netgear GS105E, not owning a time machine to go back and buy up all the hubs of yonder years! I be sure this is also now an old model in the world of IT, where one day means something obsolete or something even more useless.

How about an article with Wireshark and Wi-Fi exploits, see how vulnerable your home or business network is. All be it's a more complicated setup!

With Wi-Fi networks, we put our devices out there for everyone to sniff at.

I be sure this is also now an old model in the world of IT, where one day means something obsolete or something even more useless.

I have a GS724TP from ages ago that's still as useful as the day I bought it.

You know its funny, we have had cameras with 10/100Mbps interfaces for close to a decade now, but since we are not close to exceeding that on a per port basis even now, we don't really need 1 GB switches, not per port anyway. Unlike your typical IT needs.

That's why we're in a time machine...

An IPVM Wireshark certification class based on IP Cameras would be nice to have...

An IPVM Wireshark certification class based on IP Cameras would be nice to have...

And would be a mandatory prerequisite to gaining your IPVM Ethical Camera Hacker certificate.

An IPVM Wireshark certification class based on IP Cameras

FYI, we are adding in a 6th week for the IP networking class starting in January, that will include 2 classes on cybersecurity including more time on Wiresharking.

Read this IPVM report for free.

This article is part of IPVM's 6,536 reports, 881 tests and is only available to members. To get a one-time preview of our work, enter your work email to access the full article.

Already a member? Login here | Join now

Related Reports

Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud...
Video Surveillance Business 101 on Mar 30, 2020
This report explains the fundamental elements of the video surveillance...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
Video Surveillance Trends 101 on Apr 01, 2020
This report examines major industry factors and how they could impact video...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
YOLOv5 Released Amidst Controversy on Jul 27, 2020
YOLO has gained significant attention within video surveillance for its...
Video Surveillance 101 Book Released on Jul 07, 2020
IPVM's unique introduction to video surveillance series is now available as a...
Vivotek Presents AI Analytics and LPR on May 19, 2020
Vivotek presented its AI Analytics and LPR at the April 2020 IPVM New...
AndroVideo Presents Edge AI Face Recognition Cameras on Jun 26, 2020
AndroVideo presented its AI at the edge face recognition cameras at the May...
NetApp Presents Hybrid Cloud Video Archive on May 11, 2020
NetApp presented its hybrid S3 cloud video archive at the April 2020 IPVM New...

Recent Reports

Hanwha AI Object Detection Tested on Sep 28, 2020
Hanwha has added detection and classification of people, cars, clothing...
Favorite Access Control Manufacturers 2020 on Sep 28, 2020
200+ Integrators told IPVM "What is your favorite access control management...
New Products Show Fall 2020 Starts Tomorrow! on Sep 27, 2020
Tomorrow, IPVM's sixth online show will feature New Products from over 25...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
The Future of Metalens For Video Surveillance Cameras - MIT / UMass / Immervision on Sep 25, 2020
Panoramic cameras using 'fisheye' lens have become commonplace in video...
Hikvision Sues Over Brazilian Airport Loss on Sep 24, 2020
Hikvision was excluded from a Brazilian airport project because it is owned...
China General Chamber of Commerce Calls Out US Politics on Sep 24, 2020
While US-China relations are at an all-time low, optimism about relations...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
IP Networking Course Fall 2020 - Last Chance - Register Now on Sep 23, 2020
Today is the last chance to register for the only IP networking course...
Drain Wire For Access Control Reader Tutorial on Sep 23, 2020
An easy-to-miss cabling specification plays a key role in access control, yet...
Norway Council of Ethics Finds Hikvision Human Rights Abuses "Ongoing" on Sep 23, 2020
Hikvision's involvement in "serious human rights abuse" in Xinjiang is...
IPVM Camera Calculator User Manual / Guide on Sep 23, 2020
Learn how to use the IPVM Camera Calculator (updated for Version 3.1). The...
Installation Course Fall 2020 - Save $50 - Last Chance on Sep 22, 2020
This is a unique installation course in a market where little practical...
SimpliSafe Business Security Launched Examined on Sep 22, 2020
SimpliSafe has launched "SimpliSafe Business Security" that the company...
FLIR CEO: Many New Fever Entrants "Making Claims That The Science Just Won't Support" on Sep 22, 2020
FLIR's CEO joins a growing number calling out risks with fever / screening...