-
February 12th, 2011, 04:12 AM
#1
tracing packet data
Let's say a program (client) sets up a socket and sends data to a server. Let's say I want to know exactly what I am sending in the data portion of that socket; however, it is encrypted. Is there a way I can find in the client's process what section of memory holds the buffer of data to be sent over the network before it gets encrypted? Would I need to disassemble the program or is there another way?
This is for educational purposes.
Thanks
-
February 12th, 2011, 08:36 AM
#2
Re: tracing packet data
I assume you are talking about a client that you did not create?
You can do this by setting up a raw socket and putting it in promiscuous mode. Then you can listen to any data passing through your NIC. This is how packet sniffers work...
There is free software that does this as well...check out the EtherDetect demo.
As far as getting direct access to the buffer being used by the program, I'm not sure about that. I think you would need to know a little more about the program. But like I said, you can always just capture all the data as it passes through your NIC!
-
February 14th, 2011, 08:21 PM
#3
Re: tracing packet data
If this is Windows OS, then each application will have its own virtual memory space, and your application will not be allowed to access the virtual memory space of another application.
So if you write a sniffer that sees all traffic over a particular port, then if the traffic is already encrypted, you will not be able to obtain the unencrypted source.
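
Added example, not written by any poster in this thread: a Python sketch of what an on-wire capture hands you, namely the TCP payload parsed out of an Ethernet/IPv4 frame, compared for a cleartext and an encrypted body. The frame is built in-process (constructed sample, checksums left at zero), and `toy_encrypt` is a hypothetical stand-in for whatever cipher the client uses, not a real protocol.

```python
import hashlib
import math
import struct
from collections import Counter

def build_frame(payload: bytes) -> bytes:
    """Construct a sample Ethernet II / IPv4 / TCP frame (constructed data, checksums 0)."""
    eth = bytes(6) + bytes(6) + struct.pack("!H", 0x0800)
    tcp = struct.pack("!HHIIBBHHH", 49152, 4444, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                     0, 0, 64, 6, 0, bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return eth + ip + tcp + payload

def tcp_payload(frame: bytes) -> bytes:
    """Return the TCP payload of an Ethernet II / IPv4 frame, as a sniffer sees it."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 Ethernet II frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl + 20 or ip[9] != 6:
        raise ValueError("not a well-formed IPv4/TCP packet")
    total_len = struct.unpack("!H", ip[2:4])[0]
    data_off = (ip[ihl + 12] >> 4) * 4            # TCP header length in bytes
    if data_off < 20 or ihl + data_off > total_len or total_len > len(ip):
        raise ValueError("bad length fields")
    return ip[ihl + data_off:total_len]           # total_len excludes Ethernet padding

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 means uniformly random)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Hypothetical stand-in cipher: XOR with a SHA-256 counter keystream (illustration only)."""
    stream = b"".join(hashlib.sha256(key + struct.pack("!I", i)).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

PLAINTEXT = b"user=alice&action=login&token=example " * 32   # constructed sample body

if __name__ == "__main__":
    for label, body in (("cleartext", PLAINTEXT), ("encrypted", toy_encrypt(b"k", PLAINTEXT))):
        seen = tcp_payload(build_frame(body))
        print(f"{label}: {len(seen)} bytes, entropy {entropy(seen):.2f} bits/byte, "
              f"'token=' visible: {b'token=' in seen}")
```
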