I'm currently running ShowEQ in a VM on my computer that I run EQ on. It works fine.

However, I've never been able to start ShowEQ and it work without camping out and back in, or zoning. Is there a way to start ShowEQ w/o having to do that? I know when (and IF) I use MySEQ, it works w/o having to camp or zone.

And ... How do I go about learning / working on finding offsets? Do I just need to run tcpdump and log some packets and then start analyzing to find the offsets or is there some method to the madness?

Thanks all

Since MySEQ directly reads memory used by the EQ process, it can fetch whatever info it needs at any time. But ShowEQ sniffs the network packets, and there are certain packets that are only sent when you zone. So there's really no way around needing to zone to start ShowEQ working. That's the trade-off for ShowEQ being passive/undetectable.

ShowEQ doesn't use offsets, which are offsets to particular regions of memory. Rather, it uses opcodes, which are basically identifiers for the type of packet.

While tcpdump is good for general network troubleshooting or for figuring out stuff at the lower protocol layers, it's not the best tool for finding opcodes in most cases. You're better off using SEQ's built-in logging facility, since it will pull the individual messages from the packet stream, and format them for easier readability. This also allows you to filter out stuff you already know about, decreasing the amount of stuff you have to sift through.

There's been a bit written about finding opcodes, but there isn't a "guide" per se. If you're seriously interested, then I'd suggest starting with the sticky post in the development forum, and do some searching from what you learn there.