
I am trying to get the clear contents of a packet using SharpPcap.

Here is the code I have:

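```csharp
// Parse the captured frame; `e` is the SharpPcap capture event argument.
var packet = PacketDotNet.Packet.ParsePacket(e.Packet.LinkLayerType, e.Packet.Data);
if (packet is PacketDotNet.EthernetPacket)
{
    // Ethernet -> IP -> TCP: PayloadData is the TCP payload (the raw MySQL protocol bytes).
    // The null-conditional operators avoid a NullReferenceException on non-IP/non-TCP frames.
    var payload = packet.PayloadPacket?.PayloadPacket?.PayloadData;
    if (payload != null)
        log.Info("Decode for PayloadData: " + System.Text.Encoding.Default.GetString(payload));
}
```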

However, I cannot get the same contents as in Wireshark. Wireshark can see exactly the username/ciphered password in the contents. I am trying to sniff the contents sent to a MySQL database.

What is actually shown in Wireshark:

WireShark

king jia
  • The clear contents of which? The parts you blanked (but forgot to blank the HEX DUMP COPY!)? The password? The password is encoded by the MySQL client into a format you see in binary. Are you trying to recover it? It is probably hashed. The client source code is open source, so no secret on how it works. Read any one of the many implementations of MySQL client source code (C/Java/C#) and find out. Try on the server (or any server the same version) `SELECT PASSWORD('password');` and see if the format of hex data is the same length. – Darryl Miles Sep 22 '15 at 02:56
  • Hmm... What I am trying to get is the username and schema and, if possible, the name of the application that is connecting to MySQL. However, when I try to decode, I'm not able to get the exact strings like Wireshark is able to. I am still able to get it, but for the application it is not likely with the way I am currently using, because they are a bunch of strings + unicode. – king jia Sep 22 '15 at 03:13
  • Ok, then you need to 1) ensure you start to decode the string from the correct data offset, taking into account variable length fields. 2) ensure you use the right kind of string decoder, looks terminated. Sorry, I am not familiar with the C# Wireshark APIs to assist further. But I guess if you hexdump `packet.PayloadPacket.PayloadPacket.PayloadData` and compare it to the hexdump in this question, you can see what offsets you need to work on. Maybe a GetString overload takes an offset integer? `GetString(data, 0x5a, 6)` – Darryl Miles Sep 22 '15 at 03:18
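
The approach suggested in the comments above (start at the right offset, allow for variable-length fields, use the right string decoder), as an added example that is not part of the original thread: a C# 9 top-level program that walks the MySQL HandshakeResponse41 login packet and extracts the user, schema and connection attributes such as `program_name`. `LenEnc`, `Str` and `Parse` are names made up for this sketch, the sample bytes are constructed, and `Parse` assumes it is given the TCP payload (`PayloadData` in the question) of a single segment that begins at the MySQL packet header.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
// Constructed login packet (not the question's capture); the \u00xx escapes are length bytes.
var pkt = new List<byte> { 106, 0, 0, 1, 0x08, 0x82, 0x18, 0, 0, 0, 0, 1, 33 };
pkt.AddRange(Encoding.ASCII.GetBytes(new string('\0', 23) + "app\0\u0014" + new string('\0', 20)
    + "shop\0mysql_native_password\0\u0015\u000cprogram_name\u0007billing"));
foreach (var kv in Parse(pkt.ToArray())) Console.WriteLine(kv.Key + " = " + kv.Value);

// Length-encoded integer: one byte below 0xFB, else 0xFC/0xFD/0xFE + 2/3/8 little-endian bytes.
static int LenEnc(byte[] d, ref int p)
{
    int b = d[p++], n = b < 0xFB ? 0 : b == 0xFC ? 2 : b == 0xFD ? 3 : b == 0xFE ? 8 : -1;
    if (n < 0) throw new FormatException("not a length prefix");
    long v = n == 0 ? b : 0;
    for (int i = 0; i < n; i++) v |= (long)d[p++] << (8 * i);
    return checked((int)v);
}
// Reads n bytes as text, or up to the next NUL when n < 0. UTF-8 is assumed (charset byte ignored).
static string Str(byte[] d, ref int p, int n = -1)
{
    int len = n >= 0 ? n : Array.IndexOf(d, (byte)0, p) - p;
    if (len < 0) throw new FormatException("unterminated string");
    string s = Encoding.UTF8.GetString(d, p, len);
    p += n >= 0 ? len : len + 1;
    return s;
}
// d: TCP payload starting at the MySQL packet header of the client's HandshakeResponse41.
// Truncated input surfaces as an exception; callers should catch and skip the packet.
static Dictionary<string, string> Parse(byte[] d)
{
    var r = new Dictionary<string, string>();
    uint caps = (uint)d[4] | (uint)d[5] << 8 | (uint)d[6] << 16 | (uint)d[7] << 24;
    int p = 36; // 4 header + 4 capabilities + 4 max packet size + 1 charset + 23 filler
    if ((caps & 0x200) == 0) throw new FormatException("not a HandshakeResponse41"); // CLIENT_PROTOCOL_41
    if ((caps & 0x800) != 0 && d.Length <= p) { r["tls"] = "SSLRequest"; return r; } // CLIENT_SSL
    r["user"] = Str(d, ref p);
    // Auth response: length-prefixed (lenenc with 0x200000, one byte with 0x8000), else NUL-terminated.
    if ((caps & 0x208000) != 0) { int n = (caps & 0x200000) != 0 ? LenEnc(d, ref p) : d[p++]; p += n; }
    else Str(d, ref p);
    if ((caps & 0x8) != 0) r["schema"] = Str(d, ref p);                // CLIENT_CONNECT_WITH_DB
    if ((caps & 0x80000) != 0) r["auth_plugin"] = Str(d, ref p);       // CLIENT_PLUGIN_AUTH
    if ((caps & 0x100000) == 0 || p >= d.Length) return r;             // CLIENT_CONNECT_ATTRS
    int end = LenEnc(d, ref p); end += p;
    while (p < end)
    {
        int kl = LenEnc(d, ref p); string k = Str(d, ref p, kl);
        int vl = LenEnc(d, ref p); r["attr:" + k] = Str(d, ref p, vl);
    }
    return r;
}
```

When the client negotiates TLS, only the 36-byte SSLRequest is visible on the wire and the rest of the login is encrypted, so these fields can be read this way only from unencrypted connections.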
