Sony is smart enough not to send the password in plain text. Here are some details so far.

When authentication is enabled, the initial TCP session looks like this: auth-enabled.pcap

To see the no-auth captures, visit the main proto-analysis page.

Here's how I intend to figure it out.

Send different-length usernames/passwords. Does the size of the initial few packets change? If not, Sony is just padding the username/password out to the desired length.

If so, start sending A, AA, AAA, B, BB, BBB and diffing the TCP payloads of the first few packets. It looks like they start negotiating in 8-byte messages: KPAL.... RQ...
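
The length check and payload diff described above, as an added example that is not part of the original notes. The payload bytes, the 16-byte credential field and every function name are constructed for illustration and do not come from auth-enabled.pcap.

```python
from itertools import combinations

def chunks(payload: bytes, size: int = 8) -> list[bytes]:
    """Split a payload into fixed-size messages (8 bytes, as the note suggests)."""
    return [payload[i:i + size] for i in range(0, len(payload), size)]

def length_verdict(captures: dict[str, bytes]) -> str:
    """'padded' if every payload has the same size, otherwise 'variable'."""
    return "padded" if len({len(p) for p in captures.values()}) == 1 else "variable"

def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """[start, end) byte ranges where a and b differ; a length
    mismatch shows up as a range covering the longer payload's tail."""
    ranges, start = [], None
    common, longest = min(len(a), len(b)), max(len(a), len(b))
    for i in range(common):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:            # run reaches the end of the shared part
        ranges.append((start, longest))
    elif longest > common:           # identical prefix, extra bytes on one side
        ranges.append((common, longest))
    return ranges

def changed_messages(a: bytes, b: bytes, size: int = 8) -> list[int]:
    """Indices of the fixed-size messages that contain a differing byte."""
    return sorted({i // size for s, e in diff_ranges(a, b) for i in range(s, e)})

# Constructed sample payloads (NOT from auth-enabled.pcap): two 8-byte
# messages followed by a made-up 16-byte opaque credential field.
HEADER = b"KPAL\x00\x00\x00\x01" + b"RQ\x00\x00\x00\x00\x00\x10"
CAPTURES = {
    "A": HEADER + b"\x11" * 16,
    "AA": HEADER + b"\x22" * 16,
    "AAA": HEADER + b"\x33" * 16,
}

if __name__ == "__main__":
    print("length behaviour:", length_verdict(CAPTURES))
    for (n1, p1), (n2, p2) in combinations(CAPTURES.items(), 2):
        print(f"{n1} vs {n2}: bytes {diff_ranges(p1, p2)}, "
              f"messages {changed_messages(p1, p2)}")
```

To use it on real data, replace `CAPTURES` with the first payloads extracted from each capture, keyed by the credential that was sent.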