A special thanks goes out to all of the developers, contributors, and authors of Ettercap. Ettercap is simply an awesome security tool. We re-used the ARP Poisoning, dissector design, and re-direction capabilities of Ettercap within UCSniff.
VideoSnarf is a new security assessment tool that takes an offline pcap as input and outputs any detected media streams (RTP sessions). It supports common audio codecs as well as H264 video.
Why did we write VideoSnarf? To give security assessment professionals options to decode media traffic other than forcing them to use UCSniff. We know that some people, for whatever reason, might not be using UCSniff to capture and decode VoIP/Video traffic. For example, some people might want to use Ettercap and their favorite sniffer (tshark/Wireshark) to capture the traffic, or they might have a monitor SPAN session feeding a dedicated sniffer and want to reconstruct the traffic using just a pcap trace file.
VideoSnarf was inspired by the rtpbreak tool. To our knowledge, it is the first tool to detect RTP sessions that are encoded with the H.264 Video Codec, and output raw H264 files. VideoSnarf also supports the following common audio codecs: G711ulaw, G711alaw, G722, G729, G723, and G726. These are the most common audio codecs found in enterprise networks where you are going to be doing security assessments. We don't spend too much time developing codec support for other types of environments.
To install VideoSnarf, here are three options:
VideoSnarf usage is pretty simple right now. Once you have saved the RTP sessions in pcap file format, run videosnarf -i filename.pcap. This will create H264 files and audio codec files. In the source tarball, we have included several sample pcap files to play with in a directory called "pcap". To play the H264 files, use mplayer: mplayer file.h264 -fps values.
There is one small, known bug in VideoSnarf. If you capture traffic that has an 802.1q VLAN header encapsulated in the packet and you use the option to look for a regular expression in the packet, then VideoSnarf will not like that. You should only see 802.1q VLAN header encapsulated packets when you are running a monitor span session on a Cisco IOS Ethernet switch and you use the "encapsulation replicate" keyword in the Monitor session source command.
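The following is an added example, not VideoSnarf's code: a minimal offline RTP session finder that skips 802.1q VLAN tags before parsing, so tagged frames from a SPAN session with "encapsulation replicate" land in the same session as untagged ones. The function names, the version-2 heuristic for spotting RTP, and the sample capture (built inline, not real traffic) are assumptions of this example.

```python
import struct
from collections import Counter

# Static RTP payload types (RFC 3551); 96-127 are dynamic (H.264 is negotiated there via SDP).
STATIC_PT = {0: "G711ulaw", 4: "G723", 8: "G711alaw", 9: "G722", 18: "G729"}

def rtp_from_frame(frame):
    """Return (vlan_id, flow, codec) if an Ethernet frame looks like RTP, else None."""
    if len(frame) < 14:
        return None
    ethertype, off, vlan = struct.unpack("!H", frame[12:14])[0], 14, None
    while ethertype in (0x8100, 0x88A8) and len(frame) >= off + 4:  # skip 802.1q tags
        tci, ethertype = struct.unpack("!HH", frame[off:off + 4])
        vlan, off = tci & 0x0FFF, off + 4
    if ethertype != 0x0800 or len(frame) < off + 20 or frame[off + 9] != 17:
        return None  # not IPv4 carrying UDP
    udp = off + (frame[off] & 0x0F) * 4
    rtp = udp + 8
    if len(frame) < rtp + 12 or frame[rtp] >> 6 != 2:  # heuristic: RTP version is 2
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    pt, ssrc = frame[rtp + 1] & 0x7F, struct.unpack("!I", frame[rtp + 8:rtp + 12])[0]
    codec = STATIC_PT.get(pt, "dynamic" if 96 <= pt <= 127 else "unknown")
    flow = (frame[off + 12:off + 16], sport, frame[off + 16:off + 20], dport, ssrc)
    return vlan, flow, codec

def rtp_sessions(pcap):
    """Count RTP packets per (flow, codec) in a classic little-endian Ethernet pcap."""
    magic, linktype = struct.unpack("<I", pcap[:4])[0], struct.unpack("<I", pcap[20:24])[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian pcap with Ethernet link type")
    sessions, pos = Counter(), 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[pos + 8:pos + 12])[0]
        hit = rtp_from_frame(pcap[pos + 16:pos + 16 + incl_len])
        if hit:
            sessions[hit[1:]] += 1  # the VLAN ID is deliberately not part of the key
        pos += 16 + incl_len
    return sessions

def sample_frame(pt, vlan=None):  # constructed sample frame, not captured traffic
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 17, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    udp = struct.pack("!HHHH", 16384, 16386, 20, 0)
    rtp = bytes([0x80, pt]) + struct.pack("!HII", 1, 160, 0xDEADBEEF)
    return bytes(12) + tag + b"\x08\x00" + ip + udp + rtp

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    for f in (sample_frame(0), sample_frame(0, vlan=100), sample_frame(96, vlan=100)))
```

Calling rtp_sessions(SAMPLE_PCAP) returns a Counter keyed by (flow, codec); the untagged and VLAN-tagged G711ulaw packets are counted in one session.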