[Winpcap-users] Question about how to interpret the pkt_data

Bryan Kadzban bryan at kadzban.is-a-geek.net
Mon Jan 19 17:21:28 GMT 2009


Wu Bo (ST-VS/EAP2.3) wrote:
> Hey guys,
> 
> 4) How can we find out whether the data contains a password and user
> name? I looked at Wireshark's data and know that somewhere it
> contains the user name, and the password is decrypted; does anyone
> know where these two are located?
> 
> A: That depends on the protocol being used.
> 
> Q: If I'm using either UDP or TCP, which bytes contain this
> information?

Wrong layer.  TCP and UDP are transport layers.  The "bytes that contain
this information" are going to depend principally on the application
layer (one higher).

But the specific bytes will also depend on the layers below, since each
of those layers has ways to extend its header's length.  See the
complicated process that several people responded to you with last time:
you *MUST* parse from the beginning, one layer's header at a time.

(For example: the 802.1q VLAN/QoS header is one extension of the normal
link layer MAC header.  There are lots of IP options available at the
network layer, and each of them will change the IP header's length.  TCP
also has lots of ways to negotiate a change in header length at the
transport layer, when the connection is set up.  It may have other extra
options as well, I'm not sure.)

And even after all of that, depending on which application layer
protocol you're using, there may be things in there that move the
username and password fields around.

(And *then*, if the protocol is encrypted, then the only way you're
going to find out is by being a man in the middle, which winpcap is the
wrong tool for: convince the first endpoint to negotiate an encrypted
tunnel with you, then negotiate your own with the second endpoint, and
pass all the traffic back and forth.  Normal TCP is a much better tool
for this, if combined with e.g. packet destination rewriting, or DNS or
ARP poisoning.)

> 5) I'm currently using either 100Mb or 1000Mb ethernet. If I call
> pcap_datalink(), does this function return DLT_EN10MB?

My understanding is yes, at least on 100baseT.  Unsure about gigabit,
but I don't see why it would be different.
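As an added example (not from this thread and not WinPcap's own code), here is a C function that does the layer-by-layer walk described above over a DLT_EN10MB pkt_data buffer: it skips any 802.1q tags, honours the IPv4 header length (IHL) and the TCP data offset, and returns where the application payload starts. It assumes an Ethernet capture carrying IPv4 over TCP or UDP; the function name and constants are my own.

```c
/* Added example (not from the thread): walk pkt_data one header at a time,
 * as described above. Assumes a DLT_EN10MB capture and IPv4 over TCP/UDP. */
#include <stdint.h>
#include <stddef.h>

#define ETHERTYPE_VLAN 0x8100   /* an 802.1q tag inserts 4 bytes here */
#define ETHERTYPE_IPV4 0x0800

/* Returns the byte offset of the application payload inside pkt, or -1 if
 * the frame is truncated, a non-first fragment, or not IPv4 over TCP/UDP.
 * *proto receives the IP protocol number, *plen the payload length. */
int payload_offset(const uint8_t *pkt, size_t len, int *proto, size_t *plen)
{
    size_t off = 14;                               /* dst MAC, src MAC, type */
    if (len < off) return -1;
    unsigned ethertype = (pkt[12] << 8) | pkt[13];
    while (ethertype == ETHERTYPE_VLAN) {          /* tags may be stacked */
        if (len < off + 4) return -1;
        ethertype = (pkt[off + 2] << 8) | pkt[off + 3];
        off += 4;
    }
    if (ethertype != ETHERTYPE_IPV4 || len < off + 20) return -1;
    if ((pkt[off] >> 4) != 4) return -1;           /* not IPv4 */
    size_t ihl = (pkt[off] & 0x0f) * 4;            /* IP options grow this */
    size_t total = (pkt[off + 2] << 8) | pkt[off + 3];
    if (ihl < 20 || total < ihl || total > len - off) return -1;
    if ((pkt[off + 6] & 0x1f) || pkt[off + 7]) return -1; /* fragment offset != 0 */
    size_t ip_end = off + total;                   /* drops Ethernet padding */
    *proto = pkt[off + 9];
    off += ihl;
    if (*proto == 6) {                             /* TCP */
        if (ip_end < off + 20) return -1;
        size_t doff = (pkt[off + 12] >> 4) * 4;    /* TCP options grow this */
        if (doff < 20 || ip_end < off + doff) return -1;
        off += doff;
    } else if (*proto == 17) {                     /* UDP: fixed 8-byte header */
        if (ip_end < off + 8) return -1;
        off += 8;
    } else {
        return -1;
    }
    *plen = ip_end - off;
    return (int)off;
}
```

Call it from the pcap callback with pkt_data and the captured length (header->caplen); whatever protocol parsing follows must start at the returned offset, not at a fixed byte position.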
