<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3492" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2>Thank you guys,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2>What I did is convert the whole package into a string and search
the whole string to see whether or not it contains the user name and password. It is
good enough for me to check my application.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2>I tried on my PC with 100Mb Ethernet, and it works
fine and returns EN10MB.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=270291520-19012009><FONT face=Arial
color=#0000ff size=2>Thank you</FONT></SPAN></DIV>
<DIV dir=ltr align=left>
<HR tabIndex=-1>
</DIV>
<DIV dir=ltr align=left><FONT face=Tahoma size=2><B>From:</B>
winpcap-users-bounces@winpcap.org [mailto:winpcap-users-bounces@winpcap.org]
<B>On Behalf Of </B>Eric Kollmann<BR><B>Sent:</B> Monday, January 19, 2009 12:00
PM<BR><B>To:</B> winpcap-users@winpcap.org<BR><B>Subject:</B> Re:
[Winpcap-users] Question about how to interpertate the
pkt_data<BR></FONT><BR></DIV>
<DIV></DIV><BR>
<DIV class=gmail_quote>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
<DIV class=Ih2E3d>4) How can we find out whether the data contains password
and user name?<BR></DIV>I look at Wireshark's data and know that somewhere
it contains the user name, and the password is decrypted. Does anyone know where
these two are located?<BR><BR>A: That depends on the protocol being
used.<BR><BR>Q: If I'm using either UDP or TCP, which bytes contain
this information?<BR></BLOCKQUOTE>
<DIV><BR>It won't be a specific set of bytes for each protocol. For SMB
(could be TCP or UDP) you can pull the username and encrypted password, but you have
to wander through the whole SMB packet. For POP3, the easiest thing to do
is actually look for the phrase 'pass' or 'password' (sorry, been too long), then
pull what is right after that since it is unencrypted.<BR><BR>Long story short,
you have to dissect each packet; there is no "magic" place where it is going to
show up in each one. <BR><BR></DIV>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid"><BR>5)
I'm currently using whether 100Mb and 1000Mb Ethernet. If I
call pcap_datalink(), does this function return DLT_EN10MB?<BR>
<DIV>
<DIV></DIV>
<DIV class=Wj3C7c><BR></DIV></DIV></BLOCKQUOTE>
<DIV><BR>I just implemented pcap_datalink in my program last night, and on my
GB connection it returns 1, which if you use pcap_datalink_val_to_name returns
EN10MB.<BR><BR>So at least for me, it returns EN10MB regardless.<BR><BR>My
AirPcap adapter returns 127, which is IEEE802_11_Radio.<BR><BR>Regardless, for
me, I just check to see if datalinktype returns 1; if not, I post a message back
to the user that I only support EN10MB Data Link Types at this time. Never
knew about this call before this thread got started, so
knew about this call before this thread got started, so
thanks!<BR> </DIV></DIV><BR></BODY></HTML>
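Added example (not from the thread or from WinPcap): one way to do the per-protocol dissection described above for POP3 when checking your own application's traffic, gated on the link type being 1 (EN10MB) as in the reply. It walks the Ethernet, IPv4 and TCP headers in pkt_data and reports whether a cleartext USER or PASS command is present; the names LINK_EN10MB, pop3_cleartext_command and build_sample_frame are hypothetical, the frame is constructed, and port 110 is assumed for POP3.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

enum { LINK_EN10MB = 1 };  /* hypothetical name; 1 is what pcap_datalink() returned in the thread */
enum { POP3_NONE, POP3_USER, POP3_PASS };

/* Offset of the TCP payload in an Ethernet/IPv4 frame, or -1 for another link type,
   non-TCP, a later IP fragment, or a capture cut short. VLAN tags and IPv6 not handled. */
static int tcp_payload_offset(int linktype, const uint8_t *p, size_t caplen, unsigned *dport)
{
    if (linktype != LINK_EN10MB || caplen < 14 + 20) return -1;
    if (p[12] != 0x08 || p[13] != 0x00) return -1;              /* EtherType IPv4 */
    size_t ihl = (size_t)(p[14] & 0x0f) * 4;
    if ((p[14] >> 4) != 4 || ihl < 20 || p[23] != 6) return -1; /* IPv4 carrying TCP */
    if ((p[20] & 0x1f) || p[21]) return -1;                     /* fragment offset != 0 */
    size_t tcp = 14 + ihl;
    if (caplen < tcp + 20) return -1;
    size_t doff = (size_t)(p[tcp + 12] >> 4) * 4;               /* TCP header length */
    if (doff < 20 || caplen < tcp + doff) return -1;
    *dport = ((unsigned)p[tcp + 2] << 8) | p[tcp + 3];
    return (int)(tcp + doff);
}

/* Reports a cleartext POP3 USER/PASS command sent to port 110 (assumed POP3 port);
   the argument itself is never copied or printed. */
int pop3_cleartext_command(int linktype, const uint8_t *p, size_t caplen)
{
    unsigned dport = 0;
    int off = tcp_payload_offset(linktype, p, caplen, &dport);
    if (off < 0 || dport != 110 || caplen - (size_t)off < 5) return POP3_NONE;
    char cmd[5];
    for (int i = 0; i < 5; i++) cmd[i] = (char)toupper(p[off + i]);
    if (memcmp(cmd, "USER ", 5) == 0) return POP3_USER;
    return memcmp(cmd, "PASS ", 5) == 0 ? POP3_PASS : POP3_NONE;
}

/* Builds a constructed sample frame: zeroed addresses and checksums, given port and payload. */
size_t build_sample_frame(uint8_t *buf, size_t cap, unsigned dport, const char *payload)
{
    size_t plen = strlen(payload), len = 54 + plen;  /* 14 Ethernet + 20 IPv4 + 20 TCP */
    if (len > cap) return 0;
    memset(buf, 0, len);
    buf[12] = 0x08; buf[14] = 0x45; buf[23] = 6;     /* IPv4 EtherType, IHL 5, TCP */
    buf[36] = (uint8_t)(dport >> 8); buf[37] = (uint8_t)dport;
    buf[46] = 0x50;                                   /* TCP data offset: 5 words */
    memcpy(buf + 54, payload, plen);
    return len;
}
```

In a capture callback, pass the value from pcap_datalink() together with pkt_data and header->caplen; a command split across TCP segments needs stream reassembly, which this per-packet check does not do.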