[Winpcap-users] Question about how to interpret the pkt_data

Wu Bo (ST-VS/EAP2.3) Bo.Wu at us.bosch.com
Mon Jan 19 20:47:11 GMT 2009


Thank you guys,

What I did is convert the whole packet into a string and search the whole
string to see whether or not it contains the user name and password. It is
good enough for me to check my application.

I tried on my PC with 100Mb Ethernet, and it works fine and returns
EN10MB.

Thank you
________________________________

From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Eric Kollmann
Sent: Monday, January 19, 2009 12:00 PM
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Question about how to interpret the pkt_data

	4) How can we find out whether the data contains password and
	user name?

	I look at the Wireshark data and know that somewhere it contains user
	name, and the password is decrypted; does anyone know where these two
	are located?

	A: That depends on the protocol being used.

	Q: If I'm using either UDP or TCP, which bytes contain this
	information?

It won't be a specific set of bytes for each protocol.  For SMB (could
be TCP or UDP) you can pull username and encrypted password, but you
have to wander through the whole SMB packet.  For POP3, the easiest
thing to do is actually look for the phrase 'pass' or 'password' (sorry,
been too long), then pull what is right after that since it is
unencrypted.

Long story short, you have to dissect each packet; there is no "magic"
place where it is going to show up in each one.

	5) I'm currently using either 100Mb or 1000Mb Ethernet. If I called
	pcap_datalink(), does this function return DLT_EN10MB?

I just implemented the pcap_datalink in my program last night and on my
GB connection it returns 1, which if you use pcap_datalink_val_to_name
returns EN10MB.

So at least for me, it returns EN10MB regardless.

My AirPcap adapter returns 127, which is IEEE802_11_RADIO.

Regardless, for me, I just check to see if the datalink type returns 1; if
not, I post a message back to the user that I only support EN10MB Data
Link Types at this time.  Never knew about this call before this thread
got started, so thanks!
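The two points made in this thread, check the link type pcap_datalink() reports before assuming an Ethernet header, and dissect each layer by its own length fields rather than looking at a fixed offset, as an added Python example that is not code from either poster. It assumes the raw bytes a pcap callback hands you, a constructed sample frame built inline (build_frame is a helper for this example only), POP3 on TCP port 110, and reports only that a cleartext USER/PASS command is present, without echoing the credential, which is enough to verify that an application is not sending its login in the clear.

```python
import struct

# pcap_datalink() values and the names pcap_datalink_val_to_name() returns for them (from the thread).
DLT_NAMES = {1: "EN10MB", 127: "IEEE802_11_RADIO"}

def ethernet_payload(pkt, linktype):
    """Return (ethertype, payload) for a DLT_EN10MB frame, else None.
    Refuse anything that is not EN10MB instead of guessing the header layout."""
    if linktype != 1 or len(pkt) < 14:
        return None
    return struct.unpack("!H", pkt[12:14])[0], pkt[14:]

def tcp_payload(ip):
    """Walk the IPv4 and TCP headers by their own length fields; return (dst_port, data)."""
    if len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl = (ip[0] & 0x0F) * 4
    tcp = ip[ihl:]
    if len(tcp) < 20:
        return None
    dst_port = struct.unpack("!H", tcp[2:4])[0]
    data_off = (tcp[12] >> 4) * 4
    return dst_port, tcp[data_off:]

def cleartext_pop3_auth(pkt, linktype):
    """Report a POP3 USER/PASS command carried in the clear: returns the keyword
    seen ("USER" or "PASS"), never the credential itself, or None."""
    eth = ethernet_payload(pkt, linktype)
    if eth is None or eth[0] != 0x0800:          # IPv4 only
        return None
    seg = tcp_payload(eth[1])
    if seg is None or seg[0] != 110:             # POP3 server port
        return None
    for line in seg[1].split(b"\r\n"):
        word = line.split(b" ", 1)[0].upper()
        if word in (b"USER", b"PASS"):
            return word.decode()
    return None

def build_frame(payload, dst_port=110):
    """Constructed sample frame (Ethernet/IPv4/TCP, checksums left zero) for testing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20])) + tcp
    return eth + ip

if __name__ == "__main__":
    print(cleartext_pop3_auth(build_frame(b"PASS hunter2\r\n"), 1))  # PASS
```

A frame from a link type other than 1 is rejected outright, which is the same policy the reply above applies to non-EN10MB adapters.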
 
