How does ONVIF Device Manager get the password digest for a camera?

Question

I have an IP webcam that supports ONVIF. If I set the admin password in the camera's web interface, then open ONVIF Device Manager (ODM), the Live Stream URL includes a password digest. This digest changes when I change the admin password in the camera's web interface and reconnect with ODM. ODM can successfully connect and display the live stream from this camera no matter what password I set. However, if I try to play the stream in VLC, I'm required to enter the admin username/password in order to access the stream.

How is ODM getting this digest? Is it included somewhere in the ONVIF profiles that are sent from the camera?

I'm simply trying to understand how ODM finds/calculates the correct password digest. It's obvious the camera is sending the info out at some point, otherwise ODM could not determine what to use.

Update: reviewing the ONVIF API Guide, I see nothing that returns a hash/digest or password, especially in the device.getDeviceInformation or device.getCapabilities requests. At this point I'm going to try wireshark.

Update 2: after running Wireshark to capture the traffic generated when launching ODM and opening the live feed for the camera, it appears the response to getStreamUri contains the full URL with password digest:

GetStreamUriResponse -> MediaUri -> Uri -> rtsp://192.168.1.119:554/stream0?username=admin&password=21232F297A57A5A743894A0E4A801FC3

Answer 1

The ONVIF API specification shows the following sequence of operations performed by an ONVIF client in order to start streaming using an existing media profile: (Section 7.1)

1. GetProfiles()
   • returns profile(s) from device
2. GetStreamURI()
   • returns StreamUriResponse containing full media URI.