Introduction

Many flash videos use the rtmp (or rtmpt) protocol to transfer the video from the server to the flash player.

Several variants exists:

The procedure to dump the stream involves 2 steps:
  1. Find out the rtmp(t) URL and parameters
  2. Use rtmpdump to dump the stream to a file
Rtmpdump may be downloaded from http://rtmpdump.mplayerhq.hu/

Finding out the parameters

The first step should be to find out the IP address of the stream to be dumped. If this cannot be found out easily, configure a squid proxy to handle all "normal" web traffic in your firefox, and watch for any remaining traffic on port 80.

The example below assumes that we are watching for traffic towards host 81.92.237.89:

tcpdump -s 0 -w file.tcpdump -ni eth0 host 81.92.237.89

Or
tcpdump -s 0 -w file.tcpdump -ni eth0 port 80 or port 1935 

Now, in your Firefox, start playing the video.

Then watch your captured file, and search for swfUrl (or search for a shorter substring, in case it is broken over a line):

tcpdump -X -s 0 -n -r file.tcpdump  | less -s +/swfUr 

You will get a result such as the following:
...
        0x0090:  6374 003f f000 0000 0000 0003 0003 6170  ct.?..........ap 
        0x00a0:  7002 000b 7274 6c2d 7265 706c 6179 2f00  p...rtl-replay/.
        0x00b0:  0866 6c61 7368 5665 7202 000d 4c4e 5820  .flashVer...LNX.
        0x00c0:  3130 2c30 2c32 302c 3700 0673 7766 5572  10,0,20,7..swfUr
        0x00d0:  6c02 003c 6874 7470 3a2f 2f69 6d61 6765  l..<http://image
        0x00e0:  732e 6e65 776d 6564 6961 2e6c 752f 636f  s.newmedia.lu/co
        0x00f0:  6d6d 6f6e 2f6a 732f 6d65 6469 6170 6c61  mmon/js/mediapla
        0x0100:  7965 7235 362f 706c c361 7965 722e 7377  yer56/pl.ayer.sw
        0x0110:  6600 0574 6355 726c 0200 2472 746d 7074  f..tcUrl..$rtmpt
        0x0120:  3a2f 2f66 6d73 322e 6e65 776d 6564 6961  ://fms2.newmedia
        0x0130:  2e6c 752f 7274 6c2d 7265 706c 6179 2f00  .lu/rtl-replay/.
        0x0140:  0466 7061 6401 0000 0c63 6170 6162 696c  .fpad....capabil

Note all parameters down, they might be needed for the next step:

Then search for the URL of the stream:
tcpdump -X -s 0 -n -r file.tcpdump  | less -s +/play 

... and you will see (maybe after pressing 'n' a couple of times):
        0x0100:  0200 0470 6c61 7900 0000 0000 0000 0000  ...play......... 
        0x0110:  0502 0026 6d70 343a 2f72 6570 6c61 792f  ...&mp4:/replay/
        0x0120:  3230 3131 2f31 302f 3239 2f32 3031 3837  2011/10/29/20187
        0x0130:  3932 5f73 7464 2e6d 7034                 92_std.mp4

The actual dumping of the stream

First try the following command (first just using the app and play parameters):
rtmpdump -r rtmpt://81.92.237.89/rtl-replay//mp4:/replay/2011/10/29/2018792_std.mp4 -o journal.mp4 

(In this example app is marked blue, and play URL red). If that doesn't work, you may need to take into account the other parameters as well: flashVer, swfUrl, tcUrl:

rtmpdump -r rtmpt://81.92.237.89/ -y mp4:/replay/2011/10/29/2018792_std.mp4 -a rtl-replay/ -f LNX 10,0,20,7 -swfUrl http://images.newmedia.lu/common/js/mediaplayer56/pl.ayer.swf -t rtmpt://fms2.newmedia.lu/rtl-replay/ -p 'http://tele.rtl.lu/journal/emissioun/show/?v=49823' -o journal.mp4 

Alternative way of constructing the rtmp URL

Instead of using tcpdump, you may also perform view source on the URL containing the video:

<div  class="mediaplayer"><h5>Journal (30.10.2011)</h5>
	<div id="object1749273578"></div>
	<script language="Javascript">
		play_flv("object1749273578", "http://tele.rtl.lu/waatleeft/replay/playlist/?vid=49881", "512", "313", false, false, false, false, "2", "jw56", "http://images.newmedia.lu/rtl/2011/adtech_video/journal_block_3242194.xml", false); 
	</script>
<i>D'Aktualitéit vum Dag, News a Sport, national an international</i></div><br />

Then look at the referenced xml file:
curl 'http://tele.rtl.lu/waatleeft/replay/playlist/?vid=49881' 

... and you get the following result:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

<rss version="2.0" xmlns:media="http://search.yahoo.com/mrss/" xmlns:jwplayer="http://developer.longtailvideo.com/trac/wiki/FlashFormats"  >
<channel>
 <item>
      <title>Journal</title>
      <link></link>
      <description>D'Aktualitéit vum Dag, News a Sport, national an international</description>
      <media:group>
                <media:content bitrate="4200" url="/replay/2011/10/30/2020986_luxdsl.mp4" width="768" />
            <media:content bitrate="2100" url="/replay/2011/10/30/2020986_hq.mp4" width="768"/>
            <media:content bitrate="980" url="/replay/2011/10/30/2020986_std.mp4" width="640" />
            <media:content bitrate="750" url="/replay/2011/10/30/2020986_wifi.mp4" width="512" />
            <media:content bitrate="420" url="/replay/2011/10/30/2020986_3gs.mp4" width="512" />
      </media:group>
      <jwplayer:type>rtmp</jwplayer:type> 
      <jwplayer:streamer>rtmpt://fms2.newmedia.lu/rtl-replay/</jwplayer:streamer>
    </item>
  </channel>
</rss>

Construct your URL from the info in the XML file:
rtmpdump -r rtmpt://fms2.newmedia.lu/rtl-replay//mp4:/replay/2011/10/29/2018792_std.mp4 -o journal.mp4 

Other URLs

http://pxnh.wordpress.com/2010/08/21/rtmp-retrieval-with-rtmpdump-and-tcpdump/ describes how to use rtmpsrv and rtmpsuck to obtain the same info without having to use tcpdump.
Last modified: Sun Oct 30 23:44:56 CET 2011