Decoding URL in Wireshark

Question

I am trying to connect directly to the video stream of an IP video server (the "Nuuo" IP Server).

Their instruction manual gives the URL of the 'home' - a page which installs a cute little activeX control that handles all interaction with the actual video server.

I need the URL of that internal server. [I don't need the added controls offered by the activeX control, and am in an environment where Internet Explorer is not available. I just want the stream]

I tried Wireshark, which captured all the packets, but does not show me the complete URL of the different pages. [ie: if the physical device is at 212.234.56.456, it shows the same URL whether I connect to the home page (212.234.56.456/home.html), to the video server (probably something like 212.234.56.456/video.amp), or to anything else within the device.]

Despite much head-scratching and searching their site and the manual, I cannot understand how to get the whole URL of the server.

Can someone please direct me to a tutorial or page of instructions - or just spell out how to do this?

Wireshark does not have to be the solution - I will happily use something else (tried Fiddler, but don't know to configure it - by default it catches none of this traffic)

Thanks

Edit: The protocol is TCP

Video port: 8000 [There is an option in the server to change the port. The default is 8000]

I am trying to connect to the video stream using something like VLC or RealPlayer [for the purpose of re-streaming] instead of the activeX control it comes with. I do NOT KNOW anything about TCP, other than that it shows up in the packet attached. The server is encoding to MPEG 4 [h.264], and should be streaming RTSP://

I have read of many many people doing this successfully with an Axis server (They connect to rtsp://[server-ip-address]:554/axis-media/media.amp with VLC), and with an Arecont Server (rtsp://[server-ip-address]/h264.sdp). Obviously, this page does not exist on the Nuuo server I am using, which is designed to compete with the Axis device.

I loaded the page, started Wireshark, then pressed the play button on the ActiveXControl (starting the video). Below is the first packet Wireshark caught [of many, it is the request for the video]:

No.     Time        Source                Destination           Protocol Info
 53 7.198090    192.168.1.4           212.143.234.227       TCP      4734 > irdmi [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 53 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Jul  8, 2009 13:24:35.008644000
    [Time delta from previous captured frame: 0.048542000 seconds]
    [Time delta from previous displayed frame: 7.198090000 seconds]
    [Time since reference or first frame: 7.198090000 seconds]
    Frame Number: 53
    Frame Length: 62 bytes
    Capture Length: 62 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Intel_66:1e:41 (00:19:d1:66:1e:41), Dst: GigasetC_49:05:10 (00:21:04:49:05:10)
    Destination: GigasetC_49:05:10 (00:21:04:49:05:10)
        Address: GigasetC_49:05:10 (00:21:04:49:05:10)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Intel_66:1e:41 (00:19:d1:66:1e:41)
        Address: Intel_66:1e:41 (00:19:d1:66:1e:41)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 212.143.234.227 (212.143.234.227)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x816c (33132)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xf83b [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.4 (192.168.1.4)
    Destination: 212.143.234.227 (212.143.234.227)
Transmission Control Protocol, Src Port: 4734 (4734), Dst Port: irdmi (8000), Seq: 0, Len: 0
    Source port: 4734 (4734)
    Destination port: irdmi (8000)
    [Stream index: 3]
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgement: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port irdmi]
                [Message: Connection establish request (SYN): server port irdmi]
                [Severity level: Chat]
                [Group: Sequence]
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x378c [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted

Answer 1

Fiddler doesn't capture non-HTTP(S) traffic. Do you have any reason to believe that the ActiveX in question is using HTTP and not straight TCP/IP?

Answer 2

As far as I can see, this is SYN packet from initial TCP/IP handshake, and it doesn't contain URL yet. You have to capture a few more packets (or move down in wireshark if you are using gui).

Capturing longer snippets in reproducable pattern (power-on device, click few operations, power-off) is good suggestion if you intend to compare dumps.