How to Replay H.264 Video from a Packet Capture


In this article, I document the steps I used to capture a live H.264 video conferencing call and then replay it for viewing. To do this I built an Ubuntu Virtual Machine, and utilised:

  • Wireshark - to perform the packet capture
  • Videosnarf - to decode the RTP streams from the packet capture
  • Mplayer - to replay the captured video

Videosnarf can be found at http://ucsniff.sourceforge.net/videosnarf.html.

To build the Ubuntu Virtual Machine do the following:

  • Download the 32-bit version of Ubuntu Desktop from http://www.ubuntu.com/download/desktop. I’m using release 13.10.
  • For the purposes of this post, I simply followed the default options of the Ubuntu install process
  • After logging in at the first boot after the install, install the VMware Tools from Virtual Machine > Install VMWare tools (note that I am running this on a Mac, so the location may vary). This will attach the disk image to the Ubuntu machine. Then use the following commands (the path may vary):

tar -zxvf "/media/jason/VMWare Tools/VMwareTools-9.6.1-1378637.tar.gz" -C ~/Desktop/
sudo ~/Desktop/vmware-tools-distrib/vmware-install.pl -d
sudo shutdown -r now

Install all available updates:

sudo apt-get update
sudo apt-get upgrade

Install the following packages:

sudo apt-get install libnet1 libnet1-dev libpcap0.8-dev wireshark mplayer

Configure the system so non-root users can run Wireshark:

sudo dpkg-reconfigure wireshark-common
sudo usermod -a -G wireshark YOUR_USERNAME

Log out and then back in.

Download and install the 32-bit version of videosnarf, which is available here: http://sourceforge.net/projects/ucsniff/files/videosnarf/

sudo dpkg -i ~/Downloads/videosnarf_0.63-1_i386.deb

At this point the VM is ready to capture traffic and decode the pcap file's RTP streams into a watchable output:

  • Open Wireshark
  • Select the interface, most likely eth0. Make sure your VM is bridged to the LAN connection on the host machine. This physical port should be receiving the traffic being sent to and from the target videoconferencing device. In my case I have configured a SPAN port to mirror the traffic on a Cisco C40 endpoint to the port of my physical host machine's interface
  • Begin a call, and after you are satisfied end the call and stop Wireshark
  • Save the Wireshark capture
  • From a terminal, run the command videosnarf -i YOUR_CAPTURE_NAME. This will create a few output files, including audio. Note that videosnarf does not support AAC, so for testing purposes I’ve disabled it using the Capset Filter on the C40 endpoint


  • Using the filesize as a guide we can see that H264-media-3.264 and H264-media-6.264 contain some output. We also have some audio output files G722-media-1.wav and G722-media-2.wav
  • To play the video file use the command mplayer H264-media-3.264 -fps 30, where the -fps tells mplayer what framerate to play the video at
  • Similarly to play the audio file use the command mplayer G722-media-1.wav
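
As an added example (not part of the original article and not videosnarf's own code), the following Python script lists the RTP streams in a saved capture by SSRC and payload type, which gives the same "which stream has content" view as the file sizes above before anything is decoded. It assumes a classic pcap file (not pcapng) with Ethernet/IPv4/UDP framing; the function names and the sample packets are constructed for illustration.

```python
import struct, sys
from collections import defaultdict

# Static payload types from RFC 3551; 96-127 are dynamic (H.264 is negotiated in that range).
STATIC_PT = {0: "G711 u-law", 8: "G711 a-law", 9: "G722"}

def rtp_streams(pcap):
    """Return {(ssrc, payload_type): [packets, payload_bytes]} for a classic pcap
    (Ethernet / IPv4 / UDP). Any UDP payload with RTP version 2 is counted (heuristic)."""
    magic = pcap[:4]
    if magic not in (b"\xd4\xc3\xb2\xa1", b"\xa1\xb2\xc3\xd4"):
        raise ValueError("not a classic pcap file (pcapng must be converted first)")
    endian = "<" if magic == b"\xd4\xc3\xb2\xa1" else ">"
    streams, off = defaultdict(lambda: [0, 0]), 24          # 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                                        # not IPv4 + UDP
        rtp = frame[14 + (frame[14] & 0x0F) * 4 + 8:]       # skip IP and UDP headers
        if len(rtp) < 12 or rtp[0] >> 6 != 2:
            continue                                        # RTP version must be 2
        pt = rtp[1] & 0x7F
        if 72 <= pt <= 76:
            continue                                        # RTCP packet types 200-204
        ssrc = struct.unpack(">I", rtp[8:12])[0]
        header_len = 12 + 4 * (rtp[0] & 0x0F)               # fixed header + CSRC list
        stats = streams[(ssrc, pt)]
        stats[0] += 1
        stats[1] += max(len(rtp) - header_len, 0)
    return dict(streams)

def constructed_pcap():
    """Constructed sample: 3 packets of dynamic PT 97 and 1 packet of G722 (PT 9)."""
    def pkt(ssrc, pt, payload):
        rtp = struct.pack(">BBHII", 0x80, pt, 1, 0, ssrc) + payload
        udp = struct.pack(">HHHH", 5004, 5004, 8 + len(rtp), 0) + rtp
        ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + udp
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + pkt(0x1111, 97, bytes(1000)) * 3 + pkt(0x2222, 9, bytes(160))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_pcap()
    for (ssrc, pt), (n, size) in sorted(rtp_streams(data).items(), key=lambda kv: -kv[1][1]):
        name = STATIC_PT.get(pt, "dynamic" if pt >= 96 else "other")
        print(f"SSRC 0x{ssrc:08x}  PT {pt:3} ({name})  {n} packets  {size} payload bytes")
```

Run it with a capture file name as the only argument; with no argument it summarises the constructed sample.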

As I noted above, videosnarf will not work with AAC audio, so on the Cisco C40 endpoint I disabled it for the trace. To do this on a Cisco C series endpoint, do the following:

  • Log into the endpoint web interface (this can be done from command line but for this article, I will detail the graphical process)
  • Go to Configuration > System Configuration
  • Click the Experimental menu option
  • In the Capset Filter box enter AAC-LD; then click save
  • To undo this simply delete the content from the Capset Filter box and press save

This also will not work if the call is encrypted. For my purposes I disabled encryption on the C40 endpoint. To do this for H.323:

  • Log into the endpoint web interface (this can be done from command line but today I will detail the graphical process)
  • Go to Configuration > System Configuration
  • Click the Conference menu option
  • Set the Encryption Mode to Off and then click save

For SIP:

  • Log into the endpoint web interface (this can be done from command line but today I will detail the graphical process)
  • Go to Configuration > System Configuration
  • Click the SIP menu option
  • Set the default transport to either TCP or UDP

Wireshark itself can also decode and play out the audio streams, but only if the G711 u-law or a-law codecs are used. There is a guide for doing this at http://wiki.wireshark.org/VoIP_calls. Using the previously mentioned process, you can use a Capset Filter similar to the following to get the C series endpoint to use the G711 codec: “AAC-LD;G.722;G.711a;G.729AB;G.729;G.729A;G.722.1;”