It is known that by default, SAP network exchange is compressed rather than encrypted.
It is also known that on client side, it is possible to turn off compression in SAP GUI by setting TDW_NOCOMPRESS environment option to 1.
But what if client sending compressed packets anyway and we would like to see what is inside?
You may reveal compressed packets in network traffic by bytes 0x1f and 0x9d at positions 0x11 and 0x12 and, of course, these packets has such flaring property as high information entropy.
Here is my SAP network packets decompressor, readme file with username/password sniffing example, and win32/linux binaries:
Part three: http://blog.yurichev.com/node/52
→ [list of blog posts] Please drop me email about bug(s) and/or suggestion(s): my emails.