[Winpcap-users] Question about how to interpertate the pkt_data

Eric Kollmann xnih13 at gmail.com
Mon Jan 19 17:00:11 GMT 2009

> 4) How can we find out whether the data contains password and user name?
> I look at the wireshark's data and know that somewhere it contains user
> name, and the password is decrypted, anyone know where does these two
> located?
> A: That depends on the protocol being used.
> Q: If I'm using either UDP or TCP, what bytes are containing these
> information?

It won't be a specific set of bytes for each protocol.  For SMB (could be
TCP or UDP) you can pull username and encrypted password, but you have to
wander through the whole SMB packet.  For pop3, the easiest thing to do is
actually look for the phrase 'pass' or 'password' (sorry been too long),
then pull what is right after that since it is unencrypted.

Long story short, you have to disect each packet, there is no "magic" place
where it is going to show up in each one.

> 5) I'm curring using whether 100Mb and 1000Mb ethernet. If I called
> pcap_datalink(), does this function return DLT_EN10MB?
I just implemented the pcap_datalink in my program last night and on my GB
connection it returns 1, which if you use pcap_datalink_val_to_name returns

So at least for me, it returns EN10MB regardless.

My AirPCap adapter returns 127 which is IEEE802_11_Radio.

Regardless, for me, i just check to see if datalinktype returns 1, if not I
post a message back to the user that I only support EN10MB Data Link Types
at this time.  Never knew about this call before this thread got started, so
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.winpcap.org/pipermail/winpcap-users/attachments/20090119/1b51e51c/attachment.htm

More information about the Winpcap-users mailing list