<br><div class="gmail_quote"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div class="Ih2E3d">4) How can we find out whether the data contains password and user name?<br>
</div>I look at Wireshark's data and know that somewhere it contains the user<br>
name, and the password is decrypted. Does anyone know where these two are<br>
located?<br>
<br>
A: That depends on the protocol being used.<br>
<br>
Q: If I'm using either UDP or TCP, which bytes contain this<br>
information?<br>
</blockquote><div><br>It won't be a specific set of bytes for each protocol. For SMB (could be TCP or UDP) you can pull username and encrypted password, but you have to wander through the whole SMB packet. For POP3, the easiest thing to do is actually look for the phrase 'pass' or 'password' (sorry been too long), then pull what is right after that since it is unencrypted.<br>
<br>Long story short, you have to dissect each packet; there is no "magic" place where it is going to show up in each one. <br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
5) I'm currently using either 100Mb or 1000Mb Ethernet. If I call<br>
pcap_datalink(), does this function return DLT_EN10MB?<br>
<div><div></div><div class="Wj3C7c"><br>
</div></div></blockquote><div><br>I just implemented the pcap_datalink in my program last night and on my
GB connection it returns 1, which if you use pcap_datalink_val_to_name
returns EN10MB.<br>
<br>
So at least for me, it returns EN10MB regardless.<br>
<br>
My AirPCap adapter returns 127 which is IEEE802_11_Radio.<br>
<br>
Regardless, for me, I just check to see if datalinktype returns 1, if
not I post a message back to the user that I only support EN10MB Data
Link Types at this time. Never knew about this call before this thread
got started, so thanks!<br> </div></div><br>
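<div>Added example, not part of the original thread: a bounded, line-by-line scan of one already-extracted TCP payload for the cleartext POP3 USER/PASS commands mentioned above, written as an audit check that reports the user name and only the length of the password. The names pop3_scan and pop3_finding are hypothetical, the sample bytes are constructed, and it assumes the link, IP and TCP headers have already been stripped and that no stream reassembly is needed.</div>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* What one payload revealed about a cleartext POP3 login. */
struct pop3_finding {
    char   user[64];   /* argument of USER, truncated to fit */
    size_t pass_len;   /* length of the PASS argument; the value is never kept */
    int    saw_user, saw_pass;
};

/* Case-insensitive match of a 4-letter command followed by a space. */
static int is_cmd(const unsigned char *p, size_t left, const char *cmd)
{
    if (left < 5 || p[4] != ' ') return 0;
    for (int i = 0; i < 4; i++)
        if (toupper(p[i]) != cmd[i]) return 0;
    return 1;
}

/* Payloads are not NUL-terminated, so every access is bounded by len.
 * Returns 1 if a cleartext PASS command was seen, else 0. */
int pop3_scan(const unsigned char *buf, size_t len, struct pop3_finding *out)
{
    memset(out, 0, sizeof *out);
    size_t i = 0;
    while (i < len) {
        size_t eol = i, arg = i + 5;
        while (eol < len && buf[eol] != '\r' && buf[eol] != '\n') eol++;
        if (is_cmd(buf + i, eol - i, "USER")) {
            size_t n = eol - arg;
            if (n >= sizeof out->user) n = sizeof out->user - 1;
            memcpy(out->user, buf + arg, n);   /* buffer was zeroed above */
            out->saw_user = 1;
        } else if (is_cmd(buf + i, eol - i, "PASS")) {
            out->pass_len = eol - arg;
            out->saw_pass = 1;
        }
        i = eol;
        while (i < len && (buf[i] == '\r' || buf[i] == '\n')) i++;
    }
    return out->saw_pass;
}

int main(void)
{
    static const unsigned char sample[] = "USER alice\r\npass constructed-pw\r\n"; /* constructed */
    struct pop3_finding f;
    if (pop3_scan(sample, sizeof sample - 1, &f))
        printf("cleartext POP3 login: user=%s pass_len=%zu\n", f.user, f.pass_len);
    return 0;
}
```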