Wireshark For Video Surveillance Tutorial

By: Brian Karas, Published on Aug 01, 2016

Want to snoop on the data going between your NVR and your IP camera?  Wireshark is the tool most commonly used to analyze network traffic and see what is really happening on the wire. It is helpful both in troubleshooting and understanding what is happening with IP camera streams.

This report gives an introduction to Wireshark and how to do some basic analysis on captured data to find information useful for camera setup and debugging, including:

  • Analyzing transmissions from IP cameras
  • Finding Unknown static IP addresses of IP cameras
  • Finding the RTSP URL of an IP camera
  • Using the follow option to get more data on an IP camera

**** ** ***** ** the **** ***** ******* your *** *** **** IP ******?  *********** *** **** **** commonly used ** ******* ******* traffic *** *** **** is ****** ********* ** the ****. ** ** helpful **** ** *************** and ************* **** ** happening **** ** ****** streams.

**** ****** ***** ** introduction ** ********* *** how ** ** **** basic ******** ** ******** data ** **** *********** useful *** ****** ***** and *********, *********:

  • ********* ************* **** ** cameras
  • ******* ******* ****** ** addresses ** ** *******
  • ******* *** **** *** of ** ** ******
  • ***** *** ****** ****** to *** **** **** on ** ** ******

[***************]

Getting ******* **** *********

******** ************ *** ******* *** installation, ********* ******** ****** be ****.  ** *** are *** ******** **** network ******* ******* *** using ****** ***** *** will **** ****** **** to ******* ********* ** the **** ******* ** your ***. *** ************ should *** ******* * restart ** ********* *********, but *** ****** ** the ******* ****** ***-**** hours ** ** ****.

Wireshark *****

***** *** * *** of ********** ** *********, for ***** ****** ** concentrate ** ********* ******* and ***** ******* ** look ******* *** ******** data.  *** ********* ***** shows *** ** ***** a ****** *******:

Find ** ******* ****** ** ** * ******

** *** **** **** come ****** * ****** that *** * ****** IP ******* **** *** could *** ****** *** this ******** ***** *** one **** **.  ** is *********** ** ***** down *** ****** *** then ***** ** **** up ******* ***** *** start *** ****** *******.

** **** *** ** use *** "***" ****** and *** ** *** a *** ******* ****** to **** ******* ******** data.


Find *** **** *** ** * ******

** *** **** * recorder ********* ** * camera *** *** **** to **** *** **** URL ***** **** **** tutorial ***** *** *** to **** **** ******* in * ****** *******.  This **** *** "***** matches" ******.


Find *** *** **** ******* ** ** *********** ******

** ******* ***** **** than * ****** ** give ** *** ***** story, ********* *** **** you *** *** ******* related ** *** ***** packet **** **** * few ******.  **** ***** shows *** *** ** use *** "******" ******.


Other ****** *******

********* *** * **** powerful ********* *********, ** evidenced ** *** ******* ******* *************, ****** *** ******** of ***** ***** ***** be **** *** *************** IP ****** ** ****** control *******.

** *** **** *** IP ******* ** * camera *** **** ** see *** *** ******* going ** ** **** that ****** **** *** have ******** *** *** use *** ********* ******:

**.**** = ***.***.*.*

** *** ******* **** is *********** **** * specific ****** *** *** use *** "***" (******) filter:

**.*** == ***.***.**.**

********* *** *** *** a "***" (***********) ****** to *** *** *** traffic ***** **** ** a ******:

**.*** == ***.***.*.***

******* ***** *** ** used ** ******* *******, such ** ** **** UDP ******* **** * specific **:

**.**** = ***.***.*.** && ip.proto == ***

 

Comments (12)

Avatar

Jon Swatzell

IPVMU Certified | 08/01/16 03:27pm

Great post Brian!

Undisclosed Manufacturer #1

08/01/16 07:13pm

Brian

This great article only shows how much info is exposed on our network on regular bases. This info is greatly helpful to the integrator, and equally helpful for an intruder.

While a good integrator may protect the communication from the VMS to the cameras using https, the communication between the VMS and the client is completely exposed in the majority of cases. There are few exceptions to the rule - some VMS solutions that do provide encryption and that will not necessarily require setting of VPNs to protect the data

Mulli Diamant

Avatar

DILEEP LAL

IPVMU Certified | 08/02/16 10:09am

Brian, Excellent Post...!!

Undisclosed Manufacturer #2

08/03/16 01:30am

Great and informative article.

Some people think HTTPS might be part the end all for security, but for most it's only the initial communications and authentication, I think a lot of product could well be using Onvif, and I bet you would find the RTSP video stream is not afaik encrypted. So a simple man in the middle just sniffing the video packets could well be on the way to an episode of CSI!

Even companies using own private protocol, are most likely going to use unencrypted video streams. For speed and that, all so important wave their stupid hand in front of the camera and see their update display on browser being 1,000ms faster than company XYZ

The reason most likely is lazy programmers and unskilled non-security experts.

Any manufacturer out there even know this, do they even understand this. Do they care?

At some point end-end encryption will be the normal, and you best be able to deliver this ability or loose out, only takes one company to start this being standard.

Just take a look at iMessage and also now WhatApp this is how you do it properly.

Video content delivery has been around for ages; DRM protection is open source, maybe if Onvif committee needs to look at how quickly the world changes.

One thing I found that you should get an intelligent switch to using Wireshark, so you can setup the unit to allow monitoring on a particular port that is so you can grab all the packets of data, between a stand alone NVR and IPC devices. NVR PC based units naturally installing Wireshark on them is much easier, as mentioned in the article.

Undisclosed #3

In reply to Undisclosed Manufacturer #2 | 08/03/16 03:11am

5.1.1.4 RTP/RTSP/HTTP/TCP

The data stream shall be sent via HTTP to traverse a firewall. A device shall support media transfer using RTP/RTSP/HTTP/TCP. And if a device supports TLS1.0, the data stream shall be sent or received via HTTPS to traverse a firewall, and a device shall support media transfer using RTP/RTSP/HTTPS/TCP.

ONVIF Streaming Spec v210

Avatar

Brian Karas

IPVM | In reply to Undisclosed Manufacturer #2 | 08/03/16 12:12pm

One thing I found that you should get an intelligent switch to using Wireshark, so you can setup the unit to allow monitoring on a particular port that is so you can grab all the packets of data, between a stand alone NVR and IPC devices.

This is a good idea. I actually have an old 10/100 Netgear *hub* ( a real hub, not a switch) that I've found to be handy for get a data stream from a camera or access control board. A pre-configured smart switch with a mirror port enabled would do the same thing.

I think a lot of product could well be using Onvif, and I bet you would find the RTSP video stream is not afaik encrypted. So a simple man in the middle just sniffing the video packets could well be on the way to an episode of CSI!

Years ago, at another company, we made a device that was a combination network sniffer and packet decoder. It could interpret SQL and SMB traffic in real time to analyze what users were doing with data. During that time I found an opensource project that could reconstruct files by reading packets off the wire. So, if you transferred a file to or from an SMB server, and I could get access to your network traffic, I could get a copy of the files you accessed by reconstructing them on my snoop machine. The same concept could be applied to unencrypted video streams, an enterprising developer could write something that showed you a mirror of an RTSP stream.

With a passive network tap you could easily create an RTSP stream mirror without even need a switch or mirror port/etc. Couple the passive tap to a Raspberry Pi, and you could create a device that wirelessly streams you a copy of the camera images without any detectable effect on the network.

Undisclosed #3

In reply to Brian Karas | 08/03/16 04:51pm

This is a good idea. I actually have an old 10/100 Netgear *hub* ( a real hub, not a switch) that I've found to be handy for get a data stream from a camera or access control board. A pre-configured smart switch with a mirror port enabled would do the same thing.

A CSMA/CD 100Mbps hub? Lucky you!

Another way is to get in between the NVR and the IPC by routing thru your dual NIC PC.

Undisclosed Manufacturer #2

08/04/16 01:42am

I used a Netgear GS105E, not owning a time machine to go back and buy up all the hubs of yonder years! I be sure this is also now an old model in the world of IT, where one day means something obsolete or something even more useless.

How about an article with Wireshark and Wi-Fi exploits, see how vulnerable your home or business network is. All be it's a more complicated setup!

With Wi-Fi networks, we put our devices out there for everyone to sniff at.

Undisclosed #3

In reply to Undisclosed Manufacturer #2 | 08/04/16 06:55am

I be sure this is also now an old model in the world of IT, where one day means something obsolete or something even more useless.

I have a GS724TP from ages ago that's still as useful as the day I bought it.

You know its funny, we have had cameras with 10/100Mbps interfaces for close to a decade now, but since we are not close to exceeding that on a per port basis even now, we don't really need 1 GB switches, not per port anyway. Unlike your typical IT needs.

That's why we're in a time machine...

Avatar

Patrick Hart

IPVMU Certified | 09/05/16 05:15pm

An IPVM Wireshark certification class based on IP Cameras would be nice to have...

Undisclosed #3

In reply to Patrick Hart | 09/05/16 05:26pm

An IPVM Wireshark certification class based on IP Cameras would be nice to have...

And would be a mandatory prerequisite to gaining your IPVM Ethical Camera Hacker certificate.

John Honovich

IPVM | In reply to Patrick Hart | 09/05/16 08:39pm

An IPVM Wireshark certification class based on IP Cameras

FYI, we are adding in a 6th week for the IP networking class starting in January, that will include 2 classes on cybersecurity including more time on Wiresharking.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

HTTPS / SSL Video Surveillance Usage Statistics on Apr 01, 2019
HTTPS / SSL / TLS usage has become commonplace for websites to improve security and, in particular, to help mitigate attackers reading or modifying...
Subnetting for Video Surveillance on Apr 30, 2019
This guide explains when subnetting is used on security networks, and how it works. We explain how to add or remove IP addresses to your range,...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 22, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...

Most Recent Industry Reports

Motorola / Avigilon Drops ISC West on Feb 26, 2020
Motorola Solutions has pulled out of ISC West 2020 effective immediately, because of coronavirus concerns, IPVM has learned. This is done amidst...
Cancel or Not? Industry Split Over ISC West on Feb 26, 2020
The industry is split, polarized, over whether ISC West 2020 should run or be canceled. New IPVM survey results of 400+ respondents show heated...
Coronavirus Hits Sony, Bosch Says Switch on Feb 26, 2020
Sony's fall in video surveillance has been severe over the past decade. Now, they may be done. In this note, we examine Bosch's new...
Video Surveillance Cameras 101 on Feb 25, 2020
Cameras come in many shapes, sizes and specifications. This 101 examines the basics of cameras and features used in 2020. In this report, we...
Favorite Video Analytic Manufacturers 2020 on Feb 25, 2020
Video analytics is now as hot as ever, driven by the excitement of advancing deep learning offers. But what are actually integrator's...
Latest London Police Facial Recognition Suffers Serious Issues on Feb 24, 2020
On February 20, IPVM visited another live face rec deployment by London police, but this time the system was thwarted by technical problems and...
Masks Cause Major Facial Recognition Problems on Feb 24, 2020
Coronavirus is spurring an increase in the use of medical masks, which new IPVM test results show cause major problems for facial recognition...
Every VMS Will Become a VSaaS on Feb 21, 2020
VMS is ending. Soon every VMS will be a VSaaS. Competitive dynamics will be redrawn. What does this mean? VMS Historically...
Video Surveillance 101 Course - Last Chance on Feb 20, 2020
This is the last chance to join IPVM's first Video Surveillance 101 course, designed to help those new to the industry to quickly understand the...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see, especially because most look and feel the same. Even insecure 125 kHz...

What IPVM Is

The world's leading authority on video surveillance, with 200,000+ visits monthly.

  • Articles on cameras, video analytics, VMS, and trends
  • Tests showing actual performance and problems
  • Courses in surveillance, access control, etc
  • Camera Calculator for designing systems

Dedicated To Independence

We're dedicated to staying independent and objective. We're the only industry source to refuse any and all advertisements, sponsorship, and consulting from manufacturers. Why?