Here's what I'm seeing from a Wireshark capture:
The uri shows as
http.request.uri == "/webct/urw/lc9140011.tp0/authenticateUser.dowebct"
The string I'm searching for, "webctid=", shows up in a section of the capture denoted as
Line-based text data: application/x-www-form-urlencoded
The actual text data looks like
insId=9140011&glcid=URN%3AX-WEBCT-VISTA-V1%3A319e858b-8627-515f-006f-db4bc25adf55&newUserGlcid=URN%3AX-WEBCT-VISTA-V1%3A319e858b-8627-515f-006f-db4bc25adf55&insName=BELLEVUE+COMMUNITY+COLLEGE&gotoid=&actionType=&webctid=950XXXXXX&timeZoneOffset=7&glcid=URN%3AX-WEBCT-VISTA-V1%3A319e858b-8627-515f-006f-db4bc25adf55&insId=9140011&insName=BELLEVUE+COMMUNITY+COLLEGE&password=PASSWORD
My interpretation of this is that the uri is invoking a script, and the webctid and password are being passed with other info in the text data.
Would I want to perform a findstr operation on the HTTP::payload?