A few days ago I stumbled upon the idea of recreating a video from traffic captured in a PCAP file. It may be common knowledge that this is possible, but it felt like the coolest thing I’ve done in a while. If you’re interested in how it was done, continue reading.

Capturing traffic

For capturing traffic I used Wireshark - a free and open source tool for capturing and analyzing network traffic. I decided to capture live TV that I can stream via IPTV.

I fired up a TV stream and started capturing the traffic. I’ll note that prior to that I already knew the source IP of my live stream, so I applied ip.src == xx.xx.xx.xx as a display filter in Wireshark before starting the packet capture - this helps me get rid of unwanted network noise.

In Wireshark I checked Statistics → Conversations → TCP and noticed that the live stream starts on a new TCP connection every ~10 seconds. This means I will have to extract data from the payloads of each TCP stream. Luckily there’s an amazing tool for that called tcpflow.

Playing video back

After I’m done capturing I save my PCAP and close Wireshark. After navigating to the directory where my PCAP is saved I run tcpflow -r {savedfile}.pcap -o tcp

This command creates a new file for each TCP stream in the PCAP file and writes all of its data. I added -o tcp so that all of the files will be created in the ./tcp directory - this is not essential, I just did it to avoid clutter in my current working dir.

Next, if I cd to ./tcp and run mpv ./* a video starts playing. It’s a playback of the stream whose packets were captured earlier. It just so happens to be a Formula 1 podium ceremony with Michael Schumacher taking a pole at the 2000 Australian Grand Prix.


This all feels so amazing for some reason, and I know that you can do similar stuff with real-time streaming protocols like RTSP. Footage from security cameras, or even someone’s video call, can be captured in a similar way if the traffic is unencrypted - another reason to take the encryption and security of your application seriously.
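
To check whether a stream you operate is exposed in this way, the following added example (not part of the original post) scans the files tcpflow wrote and reports which ones carry recognisable cleartext video. It assumes the stream is MPEG-TS delivered over plain HTTP, which the post does not state; all function names and the sample flow are constructed for illustration.

```python
import sys
from pathlib import Path

TS_PACKET = 188   # MPEG-TS packets are 188 bytes long
TS_SYNC = 0x47    # and each one starts with this sync byte
MIN_PACKETS = 5   # aligned packets required before a flow counts as TS

# Constructed sample flow (not from a real capture): HTTP header + 6 empty TS packets.
SAMPLE_FLOW = (b"HTTP/1.1 200 OK\r\nContent-Type: video/mp2t\r\n\r\n"
               + (bytes([TS_SYNC]) + bytes(TS_PACKET - 1)) * 6)


def strip_http_header(data: bytes) -> bytes:
    """Drop a leading HTTP response header, if the flow starts with one."""
    if data.startswith(b"HTTP/"):
        _, sep, body = data.partition(b"\r\n\r\n")
        return body if sep else b""
    return data


def find_ts_offset(data: bytes, min_packets: int = MIN_PACKETS) -> int:
    """Offset of the first run of min_packets aligned TS packets, or -1."""
    last_start = len(data) - TS_PACKET * (min_packets - 1) - 1
    for start in range(last_start + 1):
        if all(data[start + i * TS_PACKET] == TS_SYNC for i in range(min_packets)):
            return start
    return -1


def is_cleartext_ts(data: bytes, window: int = 65536) -> bool:
    """True if the first `window` bytes of a flow hold recognisable MPEG-TS."""
    return find_ts_offset(strip_http_header(data[:window])) >= 0


def audit(directory: str) -> list:
    """Names of the files in a tcpflow output directory carrying cleartext TS."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and is_cleartext_ts(p.read_bytes()))


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. the ./tcp directory created by tcpflow -o tcp
        for name in audit(sys.argv[1]):
            print("cleartext MPEG-TS payload:", name)
    else:                   # no directory given: run on the constructed sample
        print("sample flow is cleartext TS:", is_cleartext_ts(SAMPLE_FLOW))
```

A flow that is wrapped in TLS shows no aligned sync bytes and is not reported, so an empty result for a capture of your own service is the outcome you want.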