Wednesday, December 7, 2011
Thursday, November 24, 2011
Some time ago, it was possible to grab any flash video you were watching under Linux very easily. The flash player buffers the data; we've all noticed the progress bar at the bottom of the video, filling in ahead of the marker or play head that shows where we are in the time line. Where is this data stored?
Up until a year or so ago, that place was /tmp, the system's official temporary directory. While the video was playing, once the buffering indicator had reached the end, indicating the entire video had been downloaded, the Flash video file could simply be copied out of the /tmp folder to your desktop or other destination. This could even be done in the GUI, with no need for the terminal.
Then something changed. I don't know if it was an addition to the Flash player, or just Flash developers getting smarter about hiding their temporary data to prevent anyone from obtaining a local copy of the video. Regardless, the simple fact remains that the /tmp folder no longer appears to contain the downloaded video while watching. The key word in that sentence is “appears”.
The file is actually still there, but a bit or flag is set, marking it as a deleted file, even though the Flash player is actively using it. Since it is marked 'deleted', the filesystem denies access to it and nothing can see it. Here's where we get tricky with Linux tools...
To illustrate this, I'll open my browser to a video file on CollegeHumor.com. If you want to follow along, here is the link.
Once the video starts, you can pause it or watch; that doesn't matter. What matters is the grey fill in the time line, which indicates the file is downloading. Once it has filled in completely, open a terminal and type:
lsof | grep Flash
lsof is a command that lists all open files on your system, including pipes. We're sending its long output via the pipe symbol | into the grep command, which filters the output and only passes lines that meet our criteria. In this case, we only want to see lines that contain the text “Flash”. The output I get is:
npviewer. 12550 loughkb 11u REG 8,1 22889528 13631698 /tmp/FlashXXdNKpIi (deleted)
The first string is the name of the process that owns the file. The next number is important: it is the process ID number. Following that is my username, and the fourth column contains the other important bit of info, in this case “11u”. The number 11 will be the name of a link we will find shortly.
Now, we'll cd down into the proc folder, a folder that contains live information about everything going on in your system. One could write a book about the contents of /proc, and someone probably has. Without getting technical, the process number we obtained above will be represented as a directory within /proc. We'll cd down into that folder and a sub folder called “fd”.
Now, we'll pull a file listing with details.
This gives us a file listing, and here we find our Flash video data within a long list of data. My example gives:
lrwx------ 1 loughkb loughkb 64 2011-11-24 20:10 11 -> /tmp/FlashXXdNKpIi (deleted)
The lower case letter l at the beginning tells us this is a link, named 11, that points to FlashXXdNKpIi in /tmp. You can see the file is flagged as deleted, even though the Flash player is currently using it.
All we need to do now is copy this linked file out somewhere to get a real copy of the file. I'll copy and rename it to a file on my desktop:
cp ./11 ~/Desktop/flashvid.flv
This copies the linked (deleted) file to my desktop as flashvid.flv. Now I have the Flash video file and I can watch it with vlc or any media viewer that plays flash. I can convert it to other formats with Winff, open and edit it directly in OpenShot, etc.
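The steps above (find the deleted file's descriptor, look in /proc/<pid>/fd, copy the link) work for any process that still holds an unlinked file open, because Linux keeps the data until the last descriptor is closed. The script below is an added example, not part of the original post; the function names and the constructed demo file are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage with the values shown in the post:
#   list_deleted_fds 12550
#   recover_fd 12550 11 ~/Desktop/flashvid.flv

# Print "<fd> <original path>" for each descriptor of PID $1 whose file has
# been unlinked; the kernel appends " (deleted)" to the /proc link target.
list_deleted_fds() (
    for link in /proc/"$1"/fd/*; do
        target=$(readlink "$link" 2>/dev/null) || continue
        case $target in
            /*" (deleted)")
                printf '%s %s\n' "${link##*/}" "${target% (deleted)}" ;;
        esac
    done
)

# Copy the data behind descriptor $2 of PID $1 to $3 without overwriting.
recover_fd() (
    if [ -e "$3" ]; then
        echo "refusing to overwrite $3" >&2
        exit 1
    fi
    cp -- "/proc/$1/fd/$2" "$3"
)

# Constructed demo: hold a temp file open on descriptor 9 of this shell,
# unlink it, then recover its contents through /proc/$$/fd.
demo() {
    demo_src=$(mktemp) || return 1
    demo_out=$demo_src.recovered
    printf 'constructed sample data\n' > "$demo_src"
    exec 9< "$demo_src"        # keep the file open
    rm -f -- "$demo_src"       # name removed, data still reachable
    list_deleted_fds "$$"      # lists descriptor 9 with the removed path
    recover_fd "$$" 9 "$demo_out" && cat "$demo_out"
    exec 9<&-
    rm -f -- "$demo_out"
}
```

Run it as the user who owns the target process (or as root), since only they can read that process's /proc/<pid>/fd directory.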
Isn't Linux great!