Capture RTSP/ONVIF with tcpdump

Hello.

Need help figuring out what I'm doing wrong.

I have a Tapo (TP-Link) wifi home camera. I'm trying to capture/analyze the network traffic it generates (e.g. handshakes it does with a proprietary Tapo app as well as live video stream). For that I'm using tcpdump to capture the traffic at the router level (as described here: https://openwrt.org/docs/guide-user/firewall/misc/tcpdump_wireshark).

Both the mobile device with the app and the camera are connected to the same WIFI.

Unfortunately, when I feed tcpdump's output to Wireshark, I see no activity on the camera side - i.e. the fixed IP address that the camera has doesn't show up as either source or destination for the entire capture period, even though during the capture I have the app open and it shows the live stream from the camera.

The device that the app is installed on, though, does show some activity - a couple of entries show up in the captured log once I open the app: a broadcast to 255.255.255.255 and also one mDNS query.

It's like the traffic is not going through the router (and so it doesn't see it), but flows directly b/w devices (my mobile phone with the app and the camera) over the WIFI.
What am I missing in my setup (or maybe in my understanding of how this app <-> wifi camera communication should happen)?

I forgot to mention one part of the puzzle: the tcpdump's output was pretty much empty even when I would disconnect my mobile device from wi-fi and view the camera stream via the app.

In that case it was super odd, as when the app is not on the local network, the only way for the camera to deliver its video stream is via TP-Link's cloud. And for that, traffic must leave the LAN (and go through the router, obviously).

The culprit in this case was the Software flow offloading option of the firewall, which was on. After I turned it off, tcpdump was able to capture the video stream.

That's right... possibly a bit confusing because I'm guessing you have an all-in-one wifi router.

It comes down to Layer 2 (switched) vs Layer 3 (routed) traffic. All traffic that is on the same network is switched (L2), whereas traffic that needs to go between multiple networks is routed (L3). Your camera and phone -- which are operating at L2 with each other -- are not going to cause any traffic to traverse between different networks, and therefore it will not pass through firewall and routing engine which is where your wireshark captures are listening.
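A quick way to confirm the point above is to check whether the camera's address appears in a capture at all, before reading anything else into it. The following pcap checker is an added example, not code from the thread; it builds a small constructed capture inline (the addresses are made up) and counts how often each IPv4 host shows up as source or destination, so a router-side capture that only caught the phone's broadcast is immediately visible as "camera absent".

```python
import struct
from collections import Counter
from ipaddress import IPv4Address

# Constructed sample addresses (not taken from the thread).
CAMERA_IP = "192.168.1.50"
PHONE_IP = "192.168.1.20"
CLOUD_IP = "203.0.113.10"  # TEST-NET-3 address standing in for the vendor cloud


def ipv4_packet(src, dst, proto=6, payload=b""):
    """Minimal Ethernet + IPv4 frame; checksum left zero since the parser ignores it."""
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64,
                     proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames):
    """Wrap frames in a classic libpcap file (magic 0xa1b2c3d4, link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out


def hosts_seen(pcap):
    """Count how often each IPv4 address appears as source or destination."""
    magic, = struct.unpack_from("<I", pcap, 0)
    link_type, = struct.unpack_from("<I", pcap, 20)
    if magic != 0xA1B2C3D4 or link_type != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet frames")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # ARP, IPv6 or truncated frame: not an IPv4 endpoint pair
        counts[str(IPv4Address(frame[26:30]))] += 1  # source
        counts[str(IPv4Address(frame[30:34]))] += 1  # destination
    return counts


def camera_visible(pcap, camera_ip=CAMERA_IP):
    """True if the camera's address occurs anywhere in the capture."""
    return hosts_seen(pcap)[camera_ip] > 0


if __name__ == "__main__":
    # Constructed router-side capture: only the phone's 255.255.255.255 broadcast was seen.
    router_side = build_pcap([ipv4_packet(PHONE_IP, "255.255.255.255", proto=17)])
    print("camera present" if camera_visible(router_side)
          else "camera absent: capture point is not in the L2 path between phone and camera")
```

Run it against a real file with `hosts_seen(open("capture.pcap", "rb").read())`; a capture taken on the AP or a mirrored switch port should list the camera with a high count, while the router-side one will not.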


My setup is 4 separate devices: ISP modem, openWRT router, switch, APs :slight_smile:

Right.. it's a bit embarrassing, but I have to admit I didn't think of the AP as effectively being a switch in this case..) Thanks for pointing that out!

So what I'm thinking to do is to try installing tcpdump on the AP.. assuming it can capture traffic b/w devices connected to it.

I shouldn't have assumed... lol

Yes, this can work... or, if you have a managed switch, you can setup port mirroring (but the traffic must be flowing through the switch, of course -- assuming the camera is wireless: camera > AP 1 > switch > AP 2 > phone). If the camera is wired to a managed switch, port mirroring on that switch is the easiest/fastest way to achieve the goal.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

