Decoding URL in Wireshark

I am trying to connect directly to the video stream of an IP video server (the "Nuuo" IP Server).

Their instruction manual gives the URL of the 'home' - a page which installs a cute little activeX control that handles all interaction with the actual video server.

I need the URL of that internal server. [I don't need the added controls offered by the activeX control, and am in an environment where Internet Explorer is not available. I just want the stream]

I tried Wireshark, which captured all the packets, but does not show me the complete URL of the different pages. [i.e.: if the physical device is at 212.234.56.456, it shows the same URL whether I connect to the home page (212.234.56.456/home.html), to the video server (probably something like 212.234.56.456/video.amp), or to anything else within the device.]

Despite much head-scratching and searching their site and the manual, I cannot understand how to get the whole URL of the server.

Can someone please direct me to a tutorial or page of instructions - or just spell out how to do this?

Wireshark does not have to be the solution - I will happily use something else (tried Fiddler, but don't know how to configure it - by default it catches none of this traffic).

Thanks

Edit: The protocol is TCP

Video port: 8000 [There is an option in the server to change the port. The default is 8000]

I am trying to connect to the video stream using something like VLC or RealPlayer [for the purpose of re-streaming] instead of the activeX control it comes with. I do NOT KNOW anything about TCP, other than that it shows up in the packet attached. The server is encoding to MPEG 4 [h.264], and should be streaming RTSP://

I have read of many, many people doing this successfully with an Axis server (they connect to rtsp://[server-ip-address]:554/axis-media/media.amp with VLC), and with an Arecont server (rtsp://[server-ip-address]/h264.sdp). Obviously, this page does not exist on the Nuuo server I am using, which is designed to compete with the Axis device.

I loaded the page, started Wireshark, then pressed the play button on the ActiveX control (starting the video). Below is the first packet Wireshark caught [of many; it is the request for the video]:

No.     Time        Source                Destination           Protocol Info
 53 7.198090    192.168.1.4           212.143.234.227       TCP      4734 > irdmi [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 53 (62 bytes on wire, 62 bytes captured)
    Arrival Time: Jul  8, 2009 13:24:35.008644000
    [Time delta from previous captured frame: 0.048542000 seconds]
    [Time delta from previous displayed frame: 7.198090000 seconds]
    [Time since reference or first frame: 7.198090000 seconds]
    Frame Number: 53
    Frame Length: 62 bytes
    Capture Length: 62 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
    [Coloring Rule Name: TCP SYN/FIN]
    [Coloring Rule String: tcp.flags & 0x02 || tcp.flags.fin == 1]
Ethernet II, Src: Intel_66:1e:41 (00:19:d1:66:1e:41), Dst: GigasetC_49:05:10 (00:21:04:49:05:10)
    Destination: GigasetC_49:05:10 (00:21:04:49:05:10)
        Address: GigasetC_49:05:10 (00:21:04:49:05:10)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: Intel_66:1e:41 (00:19:d1:66:1e:41)
        Address: Intel_66:1e:41 (00:19:d1:66:1e:41)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.4 (192.168.1.4), Dst: 212.143.234.227 (212.143.234.227)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 48
    Identification: 0x816c (33132)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xf83b [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.4 (192.168.1.4)
    Destination: 212.143.234.227 (212.143.234.227)
Transmission Control Protocol, Src Port: 4734 (4734), Dst Port: irdmi (8000), Seq: 0, Len: 0
    Source port: 4734 (4734)
    Destination port: irdmi (8000)
    [Stream index: 3]
    Sequence number: 0    (relative sequence number)
    Header length: 28 bytes
    Flags: 0x02 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgement: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
            [Expert Info (Chat/Sequence): Connection establish request (SYN): server port irdmi]
                [Message: Connection establish request (SYN): server port irdmi]
                [Severity level: Chat]
                [Group: Sequence]
        .... ...0 = Fin: Not set
    Window size: 65535
    Checksum: 0x378c [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
    Options: (8 bytes)
        Maximum segment size: 1460 bytes
        NOP
        NOP
        SACK permitted
SamGoody Avatar asked Jul 08 '09 11:07

1 Answer

The real answer is: in Wireshark you need to go to the Analyze menu and select "Decode As". Then in the next dialog select Transport. Select the TCP port you are using and then select the way you want Wireshark to decode it (to the right). If you select HTTP, it will show you URLs, if in fact you are using HTTP.

You can also copy the data and paste it into a hex decoder like this one: http://home2.paulschou.net/tools/xlate/

TroyJ Avatar answered Sep 30 '22 15:09

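What "Decode As" actually does, shown by hand as an added example (not code from the question or the answer above): Wireshark only runs its HTTP dissector on ports it associates with HTTP, so a request to port 8000 is displayed as bare TCP; "Decode As ... HTTP" makes it parse that payload as HTTP, at which point the Host header plus the request target give the full URL. The function below performs the same parse on a raw TCP payload, also accepts RTSP (same request-line format, absolute URL in the line), and returns None for binary data such as the proprietary stream the ActiveX control may use. All sample payloads and the 192.0.2.x addresses are constructed.

```python
import re

# METHOD SP request-target SP HTTP/x.y or RTSP/x.y, then end of line
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) (HTTP|RTSP)/\d\.\d\r?\n")


def decode_request(payload: bytes, dst_ip: str, dst_port: int):
    """Return {'scheme', 'method', 'url', 'headers'} if the payload is the
    start of an HTTP or RTSP request, else None (binary/proprietary data)."""
    m = _REQUEST_LINE.match(payload)
    if not m:
        return None
    method, target, proto = (g.decode("ascii", "replace") for g in m.groups())
    scheme = proto.lower()
    head = payload.split(b"\r\n\r\n", 1)[0]      # headers stop at the blank line
    headers = {}
    for line in head.splitlines()[1:]:           # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("ascii", "replace")] = \
                value.strip().decode("ascii", "replace")
    if target.startswith(scheme + "://"):
        url = target                             # RTSP: absolute URL in the request line
    else:                                        # HTTP: Host header + path, else dst ip:port
        host = headers.get("host", f"{dst_ip}:{dst_port}")
        url = f"{scheme}://{host}{target}"
    return {"scheme": scheme, "method": method, "url": url, "headers": headers}


# Constructed sample payloads (192.0.2.0/24 is the RFC 5737 documentation range).
HTTP_GET = (b"GET /home.html HTTP/1.1\r\nHost: 192.0.2.10:8000\r\n"
            b"User-Agent: example\r\n\r\n")
HTTP_NO_HOST = b"GET /live.cgi HTTP/1.0\r\n\r\n"
RTSP_DESCRIBE = (b"DESCRIBE rtsp://192.0.2.10:554/stream1 RTSP/1.0\r\n"
                 b"CSeq: 2\r\nAccept: application/sdp\r\n\r\n")
BINARY = b"\x00\x00\x01\xb3\x16\x00\xf0"         # not a text request at all

if __name__ == "__main__":
    for name, p in [("http", HTTP_GET), ("nohost", HTTP_NO_HOST),
                    ("rtsp", RTSP_DESCRIBE), ("binary", BINARY)]:
        print(name, decode_request(p, "192.0.2.10", 8000))
```

The same result from the command line on a saved capture is tshark -r capture.pcap -d tcp.port==8000,http -Y http.request -T fields -e http.host -e http.request.uri, where -d is the "Decode As" equivalent.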