VideoSnarf is a new security assessment tool that takes an offline pcap as input, and outputs any detected media streams (RTP sessions), including common audio codecs as well as H264 Video support.
To give security assessment professionals options to decode media traffic other than forcing them to use tools like videojak/ucsniff. We know that some people, for whatever reason, might not be using UCSniff to capture and decode VoIP/Video traffic. For example, some people might want to use Ettercap and their favorite Sniffer (tshark/Wireshark) to capture the traffic, or they might have a monitor SPAN Session and are running a dedicated sniffer and want to re-construct the traffic just using a pcap trace file.
VideoSnarf was inspired by the rtpbreak tool. To our knowledge, it is the first tool to detect RTP sessions that are encoded with the H.264 Video Codec, and output raw H264 files.
VideoSnarf also supports the following common audio codecs: G711ulaw, G711alaw, G722, G729, G723, and G726. These are the most common audio codecs found in enterprise networks where you are going to be doing security assessments. We don't spend too much time developing codec support for other types of environments.
There are three install options for getting VideoSnarf:
VideoSnarf is very simple to use. Just provide the captured pcap file as input and wait for the results.
The above command will create h264 files and other audio codec files using the extracted payload from the pcap file. In the source tarball, we have included several sample pcap files to play with in a directory called "pcap."
For playing the H264 files, use mplayer: mplayer file.h264 -fps values.
There is one small, known bug in VideoSnarf. If you capture traffic that has an 802.1q VLAN header encapsulated in the packet and you use the option to look for a regular expression in the packet, then VideoSnarf will not like that. You should only see 802.1q VLAN header encapsulated packets when you are running a monitor span session on a Cisco IOS Ethernet switch and you use the "encapsulation replicate" keyword in the Monitor session source command.