How to download Flash 10.2 video streams in Linux.

10 02 2011

Hey, people!

Just thought I’d post this little nugget of information, as it’s taken me a little while to work out how to do it. Before I start, I’ll mention that downloading copyrighted material may well be extremely illegal where you live, so make sure you only use this technique to download videos which contain your work entirely. This can be useful if you have, for example, lost your user details for a video upload site of some variety, and there is no facility to retrieve your videos without it.

Anyway, enough with the disclaimer, on with the hack…

As you may know, Flash Player used to store the temporary stream files in /tmp. They switched from this at the end of last year to storing them in the specific browser’s cache folder for reasons unbeknownst to the masses. This still made it pretty easy to locate any file you may have wished to download. After a recent update, I found that I was unable to locate the temporary caching folder anywhere.

My first step was to load the video in a browser, and check the output of the following command:
lsof | grep -i flash

This came out with a predictable, and very useful single line:
plugin-co 25646 n00b 17u REG 8,2 31286337 787220 /tmp/FlashXXepl6qa (deleted)

This showed me that there was a file descriptor open to a “deleted” file, /tmp/FlashXXepl6qa. I’m no programmer, so I have no idea how this works, but it seems that it’s adding chunks of data to this file descriptor (I imagine stored in RAM), while the file itself is technically nonexistent.

UPDATE (24/04/11):

Thanks to reader Raven Morris, I have some more information about what exactly is happening. The reason is that Linux does not have file locking, like Windows. Windows programs, when they open a file, will lock it, so no other programs can access it. In Linux, when a file is deleted, the operating system will keep track of it until there are no programs which have it open. Once the last program closes the last file descriptor to the file in question, the file becomes unrecoverable without relevant forensic tools, but until then, there is a record of it within the /proc/*/fd directory tree.

Anyway, the second field of the output tells us which process currently has the file descriptor open, and the fourth tells us which number the file descriptor has taken. This is all we need to access the file itself.

If you navigate to your /proc folder, you will see a bunch of folders all named numerically, including a folder which matches the number in the second field. Now navigate to this folder, then its subfolder “fd”. In this folder, you will see a whole selection of numbers. These relate to the file descriptors themselves. Run “ls -l” in this folder, and you will see that each of these numbers is linked to either pipes, sockets or files. Within this, the number from the fourth field will be symbolic linked to the /tmp/Flash* file we found before. To test that this is the right file, you can run it through mplayer or vlc (“mplayer filedescriptornumber”/”vlc filedescriptornumber”). If you’re having trouble finding the filename, try “ls -l | grep Flash”, as pointed out by reader Nobi.

Once the video is fully streamed, you can use a simple “cp” to copy the file from the file descriptor to a real location on your hard disk. (“cp filedescriptornumber ~/Videos/filename.flv”).

Another way to locate these files is to use the following command:
stat -c %N /proc/*/fd/* 2>&1|awk -F[\`\'] '/Flash/{print$2}'

I encourage you to play with the various sections of it to see how it works. If you’re having trouble getting it to work, make sure you have the apostrophes, backticks and spaces in the correct location.

Reader Robert submitted the following BASH alias, to automate the whole process. Here’s the script to insert into your bashrc:

cpflashvideo() { cd /proc/`lsof | awk ‘/Flash/&&/plugin-co/’ | awk //’{printf “%s”, $2}’`/fd/ && cp `ls -al | grep ‘\(deleted\)’ | awk ‘//{printf “%s”, $8}’` $* && cd – > /dev/null; }

UPDATE (13/07/11):

A couple of my friends were pondering the question of this, and came up with the following for those of you who have a few to many tabs open at one time… I’ve included a couple of versions, to show how this could be done using entirely awk, or a mixture of awk and sed.

This first one uses regexp matching in awk to ensure that the letter is stripped from the end of the fourth field:
for FILE in $(lsof -n | grep "Flash.*deleted" | awk '{printf "/proc/" $2 "/fd/"; sub(/[a-z]+/,"",$4); print $4}'); do
cp $FILE $(mktemp -u --suffix .flv $HOME/Videos/Video-XXX)
done

The next uses sed to strip off the last character of the fourth field:
for FILE in $(lsof -n|grep .tmp.Flash | awk '{print "/proc/" $2 "/fd/" $4}' | sed 's/.$//'); do
cp -v $FILE $(mktemp -u --suffix=.flv --tmpdir=$HOME/Videos/)
done

I hope this post is as interesting for others as I found it myself, and as always, direct any questions to me in the comments!

If you are a Spanish speaker, and have had trouble understanding this, Taringa.net user racsoprieto has translated the basics of the article here.

n00b


Actions

Information

65 responses

11 02 2011
Christoph

christoph@ubuntu-TVPC:~$ lsof | grep -i flash
chromium- 1691 christoph mem REG 8,1 12110348 3934253 /usr/lib/adobe-flashplugin/libflashplayer.so
chromium- 4156 christoph mem REG 8,1 12110348 3934253 /usr/lib/adobe-flashplugin/libflashplayer.so
chromium- 4156 christoph 26u REG 8,1 95014896 3933209 /tmp/FlashXXHfMwkx (deleted)

this is what i get

so is the file descriptor number 4156? or 95014896? or 3933209?

I found a folder called /proc/4156/fd and i did the ls -l

christoph@ubuntu-TVPC:/proc/4156/fd$ ls -l
total 0
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 0 -> /dev/null
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 1 -> /home/christoph/.xsession-errors
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 10 -> anon_inode:[eventpoll]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 11 -> socket:[491942]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 12 -> socket:[491943]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 13 -> pipe:[491944]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 14 -> pipe:[491944]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 15 -> socket:[491945]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 16 -> socket:[491946]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 17 -> pipe:[491947]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 18 -> pipe:[491947]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 19 -> socket:[491950]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 2 -> /home/christoph/.xsession-errors
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 20 -> socket:[491974]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 21 -> /home/christoph/.mozilla/firefox/9vd1cutr.default/cert8.db
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 22 -> socket:[491974]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 23 -> socket:[491977]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 24 -> /home/christoph/.mozilla/firefox/9vd1cutr.default/key3.db
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 25 -> socket:[494087]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 26 -> /tmp/FlashXXHfMwkx (deleted)
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 27 -> pipe:[498951]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 28 -> pipe:[498951]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 29 -> pipe:[498952]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 3 -> socket:[491599]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 30 -> pipe:[498952]
lrwx—— 1 christoph christoph 64 2011-02-11 01:07 31 -> socket:[498956]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 4 -> pipe:[491862]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 5 -> pipe:[491862]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 6 -> pipe:[491865]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 7 -> pipe:[491865]
lr-x—— 1 christoph christoph 64 2011-02-11 01:07 8 -> pipe:[491938]
l-wx—— 1 christoph christoph 64 2011-02-11 01:07 9 -> pipe:[491938]

but what do i do from here do i just go back to the root dir and hit cp 4156 /home/christoph/test.flv

or do i need to be in the proc dir and then do cp 4156 /home/christoph/test.flv

Need help

11 02 2011
Christoph

nevermind found it. why so complicated now!!!

11 02 2011
Christoph

So mine was 4156 so i went to /proc/4156/fd did the ls -l thing and it said it was number 26 so i went to /proc/4156/fd and did the cp 26 /home/christoph/filename.flv and it worked

11 02 2011
n00bsys0p

Glad you got it, mate! It appears to be a move towards stopping people from downloading copyrighted material. Unfortunately for Adobe, everything in Linux is accessible as a file, even stuff stored in RAM. I’m not sure how this would work in Windows, but I’m not 100% that it’s even possible with this much ease.

15 02 2011
Anonymous

I hear it’s to make Flash more compatible with the private browsing mode of various browsers.

12 02 2011
theluddite

I guess this doesn’t work with npwrapper? the output of lsof was:
theluddite@theluddite-desktop:~/.mozilla/firefox/yrc11nxd.default/Cache$ lsof | grep -i flash
firefox-b 5041 theluddite mem REG 8,1 117960 660914 /var/lib/flashplugin-installer/npwrapper.libflashplayer.so
npviewer. 5108 theluddite mem REG 8,1 12127284 2883607 /usr/lib/flashplugin-installer/libflashplayer.so
theluddite@theluddite-desktop:~/.mozilla/firefox/yrc11nxd.default/Cache$

I didn’t have a file listed and there wasn’t a Flash* file in either /proc/5041/fd or /proc/5108/fd

12 02 2011
n00bsys0p

I’d guess it’s not possible in this form. As NSPluginWrapper is a cross platform plugin framework, I’d imagine it uses some weird and wonderful method of storing the streamed data, as directory structures are not consistent between platforms.

That isn’t, however, to say that it isn’t possible. I’d imagine that even if it’s not called “Flash*”, it could be located elsewhere. Try “lsof | grep -e npwrapper -e flash”, and check all the file descriptors in each /proc/[number] folder which belong to it, you may come up trumps! If you get any further with this, post a comment here, and I’ll add it to the article!

n00b

12 02 2011
q

Can i translate theis article to spanish to put it in taringa!?

12 02 2011
n00bsys0p

Yeah, absolutely! Just include a link to the original article, if possible. I’ll link back to yours from here too, once I get the link through.

13 02 2011
Nobi

it is easier to find the right Number with:
user@comp:/proc/2134/fd$ ls -l | grep Flash
lrwx—— 1 user user 64 2011-02-13 12:33 67 -> /tmp/FlashXXHQbVP3 (deleted)

only the soft-linked number works for playing, not the /tmp/Flash-file that is marked as (deleted)
example:

user@comp:/proc/2134/fd$ vlc 67
or:
user@comp:/proc/2134/fd$ mplayer 67

14 02 2011
n00bsys0p

I’ll add your first point to my article. Also, what you state there is what I intended people to do. I’ll check my wording. Thanks for taking the time to comment! :-)

14 02 2011
HLS

While watching movie online, if I start watching the movie from any point located in between (not from the starting), (say movie after the 50 minutes), the file placed in /proc//fd/flashxxxx is distorted. This file cannot be played. How to solve this?

15 02 2011
n00bsys0p

I’m not sure on this one. The answer I’d give you is to leave it to stream from the start. I can’t claim to know enough about FLV files to be able to comment, though.

Also, you should note that watching movies online is usually illegal anyway. To save it to your hard drive after already breaching copyright law isn’t a great idea. As I mentioned in my article, the only thing this technique should be used for is downloading copyright-free, or your own material.

15 02 2011
Rahul Batra

Thanks n00bsys0p!

Awesome guide; I can now watch flash videos in vlc again :)

16 02 2011
n00bsys0p

Glad to be of help, mate! Cheers for the compliment :-)

16 02 2011
oldmankit

I love how the big companies try to pin us down, but through the power of technology we find a way. Thanks for making this possible for me.

17 02 2011
n00bsys0p

No problem, mate. Glad to help out!

19 02 2011
boby

good article but i cant get in fd
bash: cd: fd: Permission denied

20 02 2011
n00bsys0p

Hi, boby. Your problem is that you need to be change to root, or use sudo.

21 02 2011
boby

hi .i tried to use sudo but
sudo: cd: command not found

21 02 2011
n00bsys0p

Hey!

Try using sudo -i, or sudo -s on their own to change to a root shell before you cd into the folder, and let me know how you get on.

n00b

22 02 2011
boby

thank you.it works now.

22 02 2011
n00bsys0p

Excellent. Glad you sorted it!

20 02 2011
Irfan

Thanks n00b. It worked like a charm.

20 02 2011
n00bsys0p

Glad to be able to help, my friend!

22 02 2011
Roybath

Thanks a million ton dude, really appreciate your work

22 02 2011
n00bsys0p

Not a problem; always happy to share knowledge!

22 02 2011
darksideforge

Hi Noob…thanks for all of the great work. My *question* is: now that I can navigate to /proc/****/fd and watch my movie, if I try to save it as per your instructions the icon for the .flv shows up with a large “x” on it (in /home/darksideforge/Videos) and if I then click on the icon, MoviePlayer opens up and I’m informed that I don’t have permission to access that file…probably because I found it and navigated to it and copied it while I was /root (sudo su on Ubuntu). I’m *guessing* that i might be able to chmod it (the vid file) but I’m not sure…? Would you (or someone else out there) mind giving me a sample of the chmod script I need to run to change my permissions on those files? Thanks in advance.
~dsf

22 02 2011
darksideforge

**clarification**
I should clarify that I have no problem whatsoever playing the file from within the /proc/procID/fd folder as long as I’m sudo’d in on my terminal. (nor do I have problems watching the file via the DTE as long as I’m sudo’d in). Thanks again for the great work!

23 02 2011
darksideforge

Yep…that did it! I did chmod 777 in /Videos and it worked like a charm!

23 02 2011
n00bsys0p

Hi darksideforge,

Rather than chmod 777-ing the file, a better way to do it would be to “sudo chown {username}:{defaultgroup} {filename}”, replacing the placeholders. For example, on Ubuntu, with a username of “me”, and a filename of “MePrattingAround.flv”, you would type “sudo chown me:me MePrattingAround.flv”, or on Slackware, “sudo chown me:users MePrattingAround.flv”.

23 02 2011
ott

Thanks a lot! Your solution worked like a charm and I didn’t have to change anything either.

23 02 2011
n00bsys0p

Fantastic, ott! Great to hear that it’s working for you!

23 02 2011
darksideforge

Thanks again! I’ll try your chown-fix the next time I need it. And again, thanks for the great fix in the first place!!

14 03 2011
David Madison

There’s a script that will do all of this for you listed at:

http://davesource.com/Solutions/20110313.Chrome-linux-hidden-flash-files.html

Enjoy!

14 03 2011
n00bsys0p

Thanks for that, Dave – I’ll have to check it out!

n00b

20 03 2011
Raven Morris

Thanks for the tip about the latest Flash.

To clarify a few points for you:

1) Linux does not have “file locking” in the way Microsoft Windows does, wherein a program opening a file locks it so no other apps can access it. On Windows the Flash* files are stored in the user’s temp folder, but they are locked, so they can’t be opened or copied.

Therefore, if a file is deleted while another process has it open, it is merely marked as “(deleted)”, but it is still being stored on the hard disk in the filesystem, it just won’t show up in a directory listing any longer. The app(s) that have the deleted file open may continue to use it as if nothing happened, they can modify it or append to it as per normal, but once the last app has closed the last file descriptor, then the deleted file finally becomes unrecoverable (without forensic tools for the specific filesystem being used).

So it is not storing it in RAM, it is merely keeping track of a deleted file until it is no longer being used. The free space on the disk will not go up until that file descriptor is closed.

2) You do not need to copy the file from the file descriptor if you are planning to do something other than archiving it, e.g. if you want to watch it or re-encode it to another format. You can simply use the /proc/$PID/fd/$FD filename as if it were a normal file.

Command:

stat -c %N /proc/*/fd/* 2>&1|awk -F[\`\'] ‘/lash/{print$2}’

Output:

/proc/11212/fd/16
/proc/11212/fd/24

You can also combine it with a video player command to play any found Flash video files:

mplayer -cache 1000 $(stat -c %N /proc/*/fd/* 2>&1|awk -F[\`\'] ‘/lash/{print$2}’)

You could save that as an alias or function or shell script so that you just type in “play-flvs” or similar.

Cheers!

p.s. I have the feeling that WordPress will butcher the special characters in my commands, so if it does that, here they are from a pastebin:

http://pastie.org/pastes/1693999/text

2 04 2011
n00bsys0p

Many thanks for the info, Raven! I’ll update the post when I get time!

10 06 2011
superkuh

This is exactly what I needed. Thanks Raven Morris. It’s easily adaptable to other video players and .bashrc functions.

flashplay () {
vlc $(stat -c %N /proc/*/fd/* 2>&1|awk -F[\`\'] ‘/lash/{print$2}’)
}

Obviously people should copy from your pastie.org entry, not this, because wordpress changes it.

25 03 2011
Robert

Thanks for the excellent writeup!!!

I added the following script to my /etc/bash.bashrc.local

cpflashvideo() { cd /proc/`lsof | awk ‘/Flash/&&/plugin-co/’ | awk //'{printf “%s”, $2}’`/fd/ && cp `ls -al | grep ‘\(deleted\)’ | awk ‘//{printf “%s”, $8}’` $* && cd – > /dev/null; }

now I simply execute, for instance:
cpflashvideo /tmp/NeetVideo.flv

YMMV

2 04 2011
n00bsys0p

Cheers for the script. I’ll update the post!

23 04 2011
omelettte

Almost a 300meg video, on a measly 1gig RAM-setup with FF4 continuing to slowly eating it up, while I’m frantically trying to track down the damn video! Thankfully one of the guys on the Fedora forum directed me your way. You’ve kept me sane a while longer! :)

Thanks n00bsysOp.

24 04 2011
n00bsys0p

Glad to be able to help, mate!

8 06 2011
lincruste

Hello,
Thank you for this very interesting article. I have been able to dump FLV videos on the INA website sites with your technique (french video archive legal site, I paid for it to be broadcasted in the 90’s and digitalized in the 2000’s, so I think I do have the right to dump it). It’s not only a cooking recipe, it also explains why it works, so once again, thank you. BTW please forgive my poor english.

9 06 2011
n00bsys0p

Thanks for the feedback, lincruste. It’s always nice to see how my work helps others! Also, your English is perfectly good :-)

n00b

7 08 2011
Dann

Python script to download from all connected flash video streams.
Remember to let all flash videos fully load before running this script.

I will copy this to my /usr/bin/ folder so it can be easily accessible by any user on the system. (This will copy all files to the home folder).
It’s not perfect because it relies on hardcoded array values. I’m sure python has a module to do so, but there it is anyway:

#!/usr/bin/env python
#
# GPL 2.1

from subprocess import Popen, PIPE
import string, os

proc = Popen(‘lsof | grep Flash’, stdout=PIPE, shell = True)
output = proc.stdout.read().splitlines()
print “Found %i Flash Video Stream(s)…” % int(output.__len__())
for out in output:
out = string.split(out, ‘ ‘)
print “\tDownloading from file process %i” % int(out[1])
Popen([‘cp’, ‘/proc/’ + str(out[1]) + ‘/fd/’ +
str(”.join(filter(lambda x: x.isdigit(), out[7]))),
os.getenv(“HOME”) + ‘/’ +
string.rsplit(out[out.__len__() - 1], ‘/’,1)[1] + ‘.flv’],
stdout = PIPE)

( Just copy, paste, save and run. )

7 08 2011
Dann

Since python is very strict when it comes to indentation, posting the script in html was a bad idea. You can download the script from here:
http://www.mediafire.com/?gwce7p0v7oyvt42

Make sure you right-click the file and “Make Executable” so you can run it.

7 08 2011
n00bsys0p

Hi Dann,

I’ve added the script to my new site’s paste bin, and credited it to you, and will update the post there when I get a chance. The site’s address is http://n00bsys0p.co.uk, the post’s is http://n00bsys0p.co.uk/2011/02/10/how-to-download-flash-10-2-video-streams-in-linux, and the paste bin entry is http://n00bsys0p.co.uk/stikked/index.php/view/11241827 (the name was meant to be Python script to download current Flash videos, but unfortunately has been truncated.

n00b

19 09 2011
Ed

lsof | grep -i flash
Does not give a result with this flash file:
http://www.telegraaf.nl/incoming/10574286/__Bleke_vriendin__.html?p=30,2
or any other flash files from that website.
The temp file should be somewhere, but where? And how to find it.

Ed

19 09 2011
n00bsys0p

Hi, I’ve genuinely got no idea what they’ve done there. The only Flash file I could find see was the advertisement at the beginning. I can’t help you further with this, as it distinctly looks to me you are trying to download other peoples’ content, and therefore probably breaching copyright law. It is interesting that they’ve managed to work a way around it, and I wish you the best in finding out what it is! If you find out, feel free to post here or on my new blog.

n00b

19 09 2011
Raven Morris

Hey there. I haven’t looked at that specific site, but Flash applets are capable of streaming video without using the caching features — only stored in RAM! This is often used for live streaming content, or when you must pay before you can access the content (to make it hard to rip off and re-sell or give away).

However, some Flash applets will cause the *browser* to store the cached files, so check in your web browser’s cache folder to see if there are any video files in there getting larger (sort by date with “ls -lrt”).

Cheers.

20 09 2011
n00bsys0p

Hi Raven,

Thanks for your reply! I did some digging of my own, and what you call “without using the caching features” in this case is their use of RTMP, which if you read the description (or already know of it, of course), is a protocol which destroys each packet of streamed data after a predetermined TTL, but well before the user would have a chance to save it. I’d imagine the main reason Youtube doesn’t use this, is that it’s an Adobe proprietary protocol, and Youtube, being part of Google, will want to have nothing to do with it. There are services and programs which can record RTMP streams, which I’d imagine would simply capture any RTMP or related packet, then reform them into the original file.

n00b

23 09 2011
abhishek

thanxx a ton man….

24 09 2011
n00bsys0p

No problem, my friend!

Come check out my new site here for more useful Linux bits and pieces!

n00b

2 10 2011
James

Well try to do the same with a video given here
http://drupalize.me/videos/introduction-theming-basics-drupal-7
you will be surprised to see that lsof -np $PID | grep deleted trick is not working.Can you see.I by mistake installed 10.3 Flash.

3 10 2011
n00bsys0p

Hi James,

You may be pleased to hear that it’s not Flash Player 10.3 which has done that, it’s the site owner has decided to use RTMP as the streaming protocol, instead of HTTP, like Youtube. The player they are using on the site is JWPlayer, and supports RTMP out of the box. Here’s a page from JWPlayer’s site about the benefits of RTMP.

It’s still possible to grab it, just not using the same methods as I mention in the article. Remember, however, downloading material without specific permission to do so, may be illegal. I may write an article on the new spate of RTMP sites that we’ve seen, but that will go on my new blog, as this one has been discontinued.

n00b

3 10 2011
n00bsys0p

I’ve done a little further looking into your problem, and have realised that not only drupalize.me is a pay-site, so they are going to do what they can to avoid people leeching their content, but also, they are using a custom Drupal module to interface with Amazon’s Cloudfront storage system, so the chances of you being able to get a link to the direct rtmp:// URI is pretty slim. Bad luck on that site, but I fully support anybody who is making a living from helping other people out…

n00b

26 01 2012
muede

Even easier to use find.

PRG=firefox-bin
PID=$(pidof $PRG)

if [ -n "$PID" ]; then
find /proc/$PID/fd -lname /tmp/Flash\*
fi

26 01 2012
n00bsys0p

Thanks for that! I didn’t know about -lname.

n00b

10 03 2012
eraklik

It seems that at least one site has a workaround to even prevent these sorts of access.

Running Mint Linux 11 (Mint is Ubuntu-based; quite a nice distro; Unity-haters are glad to find it):

(I’m editing for privacy; use { } to surround substituted strings)):

I ran
proc # lsof | grep -i flash
and got a warning:
lsof: WARNING: can’t stat() fuse.gvfs-fuse-daemon file system /home/{username}/.gvfs
Output information may be incomplete.
[gvfs] seems pretty tightly “locked down”; usual tools don’t work with it. If your system uses it, it’s worth finding out about.

The machine took a few seconds, and all it found was (long whitespaces shortened); it’s a longish line:

plugin-co 2724 {username} mem REG 8,1 10589672 1570071 /opt/mint-flashplugin-square/libflashplayer.so

That was all. At least, it gave me the PID: 2724.

When I cd’d to /proc/2724/fd, and did an ls-l, there was no usable link to the video I was interested in. Some /dev/nulls, sockets and pipes, mostly, and a couple of “Hah! We gotcha!” files:

/home/{username}/.mozilla/firefox/{ID string}.default/cert8.db
and, right after it,
/home/{username}/.mozilla/firefox/{ID string}.default/key3.db

Looking at these, they are mostly binary, and seem to deal with security certificates, so access via this path seems quite difficult. Interesting that apparently those are now part of the online-playback process.

Seems to me that hacking the flash-player library should give access, or else snagging video packets as they download (or is that just too messy to do?)

===

As to what’s OK to do and what isn’t, what about fair use? Viewing a video (in this case, a promo with interesting content) seems quite OK. Snagging a copy only for later viewing doesn’t distribute it to others; imho, that’s fair use.
Any uploads of copyrighted works are illegal, as the woefully-outdated law stands, I’m sure.

A few days ago, I did use these methods to snag a short vid I really wanted to keep. In that case, grepping for “flash” worked nicely. Was fascinating seeing those one and two-digit numbers as links to various files etc.

Thanks so much for the help!

11 03 2012
n00bsys0p

Hi there eraklik,

You can speed up the lsof process by stopping it from resolving host names – use “lsof -ni” instead.

I’ve done a little research into your lsof warning, and found the following quote:

This is because gvfs is not a filesystem it is a memory resident tree
representing configuration controls for gnome.

Root doesn’t have access because the process presenting the tree doesn’t support it.

You will always get this error when you are logged via the GUI and using
gnome. A varient exists, I believe, for KDE.

You will also get this error if the user is terminated (kill -9) because
the process implementing the filesystem is aborted, leaving the mountpoint corrupted in the system cache (dentry I believe it is).

Ignore it.

If you couldn’t find the Flash file in the output, it probably means that the website you’re trying to download from uses RTMP or similar protocol, which is different to the way many sites (e.g., Youtube) stream video. It’s a little more complicated to download, but still possible on a lot of sites. If you know how to use a packet sniffer, you can see if data is being transferred on 1935/TCP. Maybe watch this video too.

Hope I’ve helped you out!

n00b

21 07 2012
qubodup

It seems like this doesn’t work any more in latest flash :|

23 07 2012
n00bsys0p

That does seem to be the case. I’ll update the post on my new blog at http://www.n00bsys0p.co.uk if I find any way around it.

23 07 2012
n00bsys0p

From my investigation so far, it’s changed completely. Even Wireshark isn’t coming up with anything particularly useful.

2 08 2012
Automatically saving Flash 10 video files marked as (deleted) | tjansson.dk

[...] ikacikax.wordpress.com/2011/03/06/where-are-chromes-flash-temporary-files-ubuntu n00bsys0p.wordpress.com/2011/02/10/how-to-download-flash-10-2-video-streams-in-linux This entry was posted in Articles, Computer. Bookmark the permalink. ← Disable [...]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s




Follow

Get every new post delivered to your Inbox.

%d bloggers like this: