Decoding URL in Wireshark

48,830

Solution 1

The real answer is in Wireshark you need to go to the Analyze menu, select "Decode As". Then in the next dialog select Transport. Select the TCP port you are using and then select the way you want Wireshark to decode it (to the right). If you select http, it will show you URLs if in fact you are using http.

You can also copy the data and paste it into a hex decoder like this one http://home2.paulschou.net/tools/xlate/

Solution 2

As far as I can see, this is a SYN packet from the initial TCP/IP handshake, and it doesn't contain a URL yet. You have to capture a few more packets (or move down in Wireshark if you are using the GUI).

Capturing longer snippets in a reproducible pattern (power on the device, click a few operations, power off) is a good suggestion if you intend to compare dumps.
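To make the point of both solutions concrete, here is an added example (my own code, not from either answerer or from Wireshark) that dissects a small constructed capture the way Wireshark's packet list does. It shows that the SYN, SYN/ACK and ACK of the handshake carry zero bytes of payload, so no URL can be in them, and then applies the "decode as" idea as a heuristic on the first segment that does carry data: if the payload opens with an HTTP or RTSP request line, the URL is read out of it; if it is a binary protocol, all you learn is host and port. All addresses, ports and MACs are constructed (documentation ranges); the /stream.3gpp path is the one the thread later reports. The frame layout (14-byte Ethernet II, 20-byte IPv4, TCP with the same MSS/NOP/NOP/SACK options as the page's frame 53) is standard and not specific to the Nuuo device.

```python
"""Walk a constructed capture and show why the SYN carries no URL."""
import socket
import struct

# Constructed sample values (RFC 5737 documentation addresses), not from a real capture.
CLIENT_IP = "192.0.2.4"
SERVER_IP = "192.0.2.10"
VIDEO_PORT = 8000          # the device's configurable video port discussed on the page
SYN, ACK, PSH = 0x02, 0x10, 0x08
# MSS 1460, NOP, NOP, SACK permitted: the 8 option bytes shown in the page's frame 53
TCP_SYN_OPTIONS = bytes.fromhex("020405b4" "0101" "0402")


def build_frame(src_ip, dst_ip, sport, dport, flags, seq=0, ack=0, payload=b"", options=b""):
    """Build a minimal Ethernet/IPv4/TCP frame. Checksums are left at zero; this is test data."""
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    tcp_len = 20 + len(options)
    ip_total = 20 + tcp_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 1, 0x4000, 128, 6, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                          (tcp_len // 4) << 4, flags, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + options + payload


def parse_frame(frame):
    """Dissect Ethernet II -> IPv4 -> TCP and return the fields the packet list shows."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None                      # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None                      # not TCP
    tcp = ip[ihl:total_len]
    sport, dport, seq, _ack, off_res, flags = struct.unpack("!HHIIBB", tcp[:14])
    data_off = (off_res >> 4) * 4        # "Header length: 28 bytes" on the page means 8 bytes of options
    return {"src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
            "sport": sport, "dport": dport, "seq": seq, "flags": flags,
            "options": tcp[20:data_off], "payload": tcp[data_off:]}


def flag_names(flags):
    """Render TCP flags the way Wireshark's Info column does, e.g. 'SYN' or 'PSH/ACK'."""
    bits = ((SYN, "SYN"), (PSH, "PSH"), (ACK, "ACK"), (0x01, "FIN"), (0x04, "RST"))
    return "/".join(name for bit, name in bits if flags & bit)


def request_url(pkt):
    """Return (protocol, url) if the payload starts with an HTTP or RTSP request line, else None.

    A SYN has an empty payload, so it can never yield a URL: that is Solution 2's point.
    The request-line check is the same decision "Decode As" asks you to make by hand.
    """
    payload = pkt["payload"]
    if not payload:
        return None
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None                      # binary protocol: host and port are all you get
    head, _, rest = text.partition("\r\n")
    parts = head.split(" ")
    if len(parts) != 3:
        return None
    _method, target, version = parts
    if version.startswith("RTSP/"):
        return "RTSP", target            # RTSP request-target is already an absolute rtsp:// URL
    if version.startswith("HTTP/"):
        if target.startswith("http://"):
            return "HTTP", target        # absolute form (proxy-style request)
        host = next((line.split(":", 1)[1].strip() for line in rest.split("\r\n")
                     if line.lower().startswith("host:")), pkt["dst"])
        return "HTTP", f"http://{host}{target}"
    return None


def walk_capture(frames, port=VIDEO_PORT):
    """Summarise every frame on the given port as (flags, payload length, url-or-None)."""
    rows = []
    for pkt in map(parse_frame, frames):
        if pkt is None or port not in (pkt["sport"], pkt["dport"]):
            continue
        rows.append((flag_names(pkt["flags"]), len(pkt["payload"]), request_url(pkt)))
    return rows


def sample_capture():
    """Constructed three-way handshake plus the first RTSP request, mirroring frame 53 onwards."""
    describe = (f"DESCRIBE rtsp://{SERVER_IP}:{VIDEO_PORT}/stream.3gpp RTSP/1.0\r\n"
                "CSeq: 1\r\nAccept: application/sdp\r\n\r\n").encode()
    get = f"GET /home.html HTTP/1.1\r\nHost: {SERVER_IP}\r\n\r\n".encode()
    return [
        build_frame(CLIENT_IP, SERVER_IP, 4734, VIDEO_PORT, SYN, seq=0, options=TCP_SYN_OPTIONS),
        build_frame(SERVER_IP, CLIENT_IP, VIDEO_PORT, 4734, SYN | ACK, seq=1000, ack=1,
                    options=TCP_SYN_OPTIONS),
        build_frame(CLIENT_IP, SERVER_IP, 4734, VIDEO_PORT, ACK, seq=1, ack=1001),
        build_frame(CLIENT_IP, SERVER_IP, 4734, VIDEO_PORT, PSH | ACK, seq=1, ack=1001, payload=describe),
        build_frame(CLIENT_IP, SERVER_IP, 4735, 80, PSH | ACK, seq=1, ack=1, payload=get),
    ]


if __name__ == "__main__":
    for flags, n, url in walk_capture(sample_capture()):
        print(f"{flags:<8} payload={n:<4} url={url}")
```

Running it lists SYN, SYN/ACK and ACK with payload=0 and no URL, and only the fourth segment, the RTSP DESCRIBE, yields rtsp://192.0.2.10:8000/stream.3gpp. Calling walk_capture with port=80 instead picks up the HTTP request and reassembles its URL from the Host header, which is exactly what "Decode As ... HTTP" makes Wireshark do for a non-standard port.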

Author: SamGoody

Updated on November 10, 2020

Comments

  • SamGoody over 3 years

    I am trying to connect directly to the video stream of an IP video server (the "Nuuo" IP Server).

    Their instruction manual gives the URL of the 'home' - a page which installs a cute little activeX control that handles all interaction with the actual video server.

    I need the URL of that internal server. [I don't need the added controls offered by the activeX control, and am in an environment where Internet Explorer is not available. I just want the stream]

    I tried Wireshark, which captured all the packets, but does not show me the complete URL of the different pages. [ie: if the physical device is at 212.234.56.456, it shows the same URL whether I connect to the home page (212.234.56.456/home.html), to the video server (probably something like 212.234.56.456/video.amp), or to anything else within the device.]

    Despite much head-scratching and searching their site and the manual, I cannot understand how to get the whole URL of the server.

    Can someone please direct me to a tutorial or page of instructions - or just spell out how to do this?

    Wireshark does not have to be the solution - I will happily use something else (tried Fiddler, but don't know to configure it - by default it catches none of this traffic)

    Thanks

    Edit: The protocol is TCP

    Video port: 8000 [There is an option in the server to change the port. The default is 8000]

    I am trying to connect to the video stream using something like VLC or RealPlayer [for the purpose of re-streaming] instead of the activeX control it comes with. I do NOT KNOW anything about TCP, other than that it shows up in the packet attached. The server is encoding to MPEG 4 [h.264], and should be streaming RTSP://

    I have read of many many people doing this successfully with an Axis server (They connect to rtsp://[server-ip-address]:554/axis-media/media.amp with VLC), and with an Arecont Server (rtsp://[server-ip-address]/h264.sdp). Obviously, this page does not exist on the Nuuo server I am using, which is designed to compete with the Axis device.

    I loaded the page, started Wireshark, then pressed the play button on the ActiveXControl (starting the video). Below is the first packet Wireshark caught [of many, it is the request for the video]:

    No.     Time        Source                Destination           Protocol Info
     53 7.198090    192.168.1.4           212.143.234.227       TCP      4734 > irdmi [SYN] Seq=0 Win=65535 Len=0 MSS=1460
    
    Frame 53 (62 bytes on wire, 62 bytes captured)
        Arrival Time: Jul  8, 2009 13:24:35.008644000
        [Time delta from previous captured frame: 0.048542000 seconds]
        [Time delta from previous displayed frame: 7.198090000 seconds]
        [Time since reference or first frame: 7.198090000 seconds]
        Frame Number: 53
        Frame Length: 62 bytes
        Capture Length: 62 bytes
        [Frame is marked: False]
        [Protocols in frame: eth:ip:tcp]
        [Coloring Rule Name: TCP SYN/FIN]
        [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
    Ethernet II, Src: Intel_66:1e:41 (00:19:d1:66:1e:41), Dst: GigasetC_49:05:10 (00:21:04:49:05:10)
        Destination: GigasetC_49:05:10 (00:21:04:49:05:10)
            Address: GigasetC_49:05:10 (00:21:04:49:05:10)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Source: Intel_66:1e:41 (00:19:d1:66:1e:41)
            Address: Intel_66:1e:41 (00:19:d1:66:1e:41)
            .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
            .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
        Type: IP (0x0800)
    Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 212.143.234.227 (212.143.234.227)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 48
        Identification: 0x816c (33132)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 128
        Protocol: TCP (0x06)
        Header checksum: 0xf83b [correct]
            [Good: True]
            [Bad : False]
        Source: 192.168.1.4 (192.168.1.4)
        Destination: 212.143.234.227 (212.143.234.227)
    Transmission Control Protocol, Src Port: 4734 (4734), Dst Port: irdmi (8000), Seq: 0, Len: 0
        Source port: 4734 (4734)
        Destination port: irdmi (8000)
        [Stream index: 3]
        Sequence number: 0    (relative sequence number)
        Header length: 28 bytes
        Flags: 0x02 (SYN)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...0 .... = Acknowledgement: Not set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..1. = Syn: Set
                [Expert Info (Chat/Sequence): Connection establish request (SYN): server port irdmi]
                    [Message: Connection establish request (SYN): server port irdmi]
                    [Severity level: Chat]
                    [Group: Sequence]
            .... ...0 = Fin: Not set
        Window size: 65535
        Checksum: 0x378c [validation disabled]
            [Good Checksum: False]
            [Bad Checksum: False]
        Options: (8 bytes)
            Maximum segment size: 1460 bytes
            NOP
            NOP
            SACK permitted
    
  • SamGoody almost 15 years
    As far as I can tell from the packet, the activeX control uses TCP. How does that help?
  • EricLaw almost 15 years
    If it's using straight TCP/IP and not HTTP on top, then there's no "URL"-- only a host and port. You won't be able to see this traffic in a HTTP debugger, because it's not HTTP.
  • SamGoody almost 15 years
    Thanks. I am not familiar with TCP at all, so please tell me if I understand this correctly: I should be able to connect with the video at rtsp://[camera-ip-address]:8000, where 8000 is the port of the video. [In the camera setting it allows me to change the video port, and defaults to 8000]. I have tried that address and was unable to connect - Can I safely assume that the error is elsewhere? BTW, my understanding of Wireshark is that it catches all traffic, not just http. Is there any way to verify that the address:port will serve video?
  • SamGoody almost 15 years
    How did I "try" the address? I tried opening rtsp://[ip-address]:8000 with VideoLan and RealPlayer - either of which should be able to decode the RTSP stream. >Did I create a TCP/IP socket? No, I am new to TCP, don't know how. >Was the connection refused? "No stream was found." > If not, what did you do next? Tried to catch all the data through Wireshark, to see if there was some page I should target. As in the Axis. > What technology/language am I using? I don't know! Looking at the packet, I would say TCP. However, the stream should be RTSP, as it is encoded to h.264 which is part of MPEG4.
  • EricLaw almost 15 years
    You'll want to look at the RTSP protocol format and see where, if anywhere, the "URL" actually is sent, although it's not clear to me that it is. en.wikipedia.org/wiki/RTSP If Wireshark doesn't have an RTSP analyzer, it's possible that Netmon might. www.fiddler2.com/redir/?id=netmon
  • SamGoody almost 15 years
    Thanks. This looks to be rather over my head. Will check out Microsoft Network Monitor. I finally got through to the company this morning, and they begrudgingly gave me the link: [ip-address]:port/stream.3gpp. (No idea where that is in the packet, so go figure.) On another note: For the downvoter, whoever it may be, can I request a review? Any problems with incomplete questions have been addressed to the best of my ability.
  • SamGoody over 14 years
    Thank you very much. The company finally gave me the URL ([ip-address]:port/stream.3gpp), but it worked so poorly I just bought an Axis device instead. I have since deleted those packet files, but very much appreciate the advice and help. Thanks!