Wireshark-bugs: [Wireshark-bugs] [Bug 1101] New: MSSQL TDS traffic no longer parses well. Maybe

Date: Thu, 14 Sep 2006 04:25:45 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1101

           Summary: MSSQL TDS traffic no longer parses well. Maybe due to
                    MSSQL 2005?
           Product: Wireshark
           Version: 0.99.3
          Platform: PC
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: Enhancement
          Priority: Medium
         Component: Wireshark
        AssignedTo: wireshark-bugs@xxxxxxxxxxxxx
        ReportedBy: mwreynolds@xxxxxxxxx


I used to enjoy the high quality of TDS parsing/dissecting that was possible on
MSSQL traffic. Based on that fact I put together an elaborate fake SQL backed
application in order to create some sample/instructive traces, only to find
that the traffic does not parse well in numerous regards. I am using MSSQL 2005
on the server and old-fashioned ADO vbscript on the client. Could they have
changed the wire protocol for SQL Server 2005? (weird that old clients still
work)

Anyway, it would be extremely helpful to me and others if some industrious
parser/dissector developer were to bring the TDS parser up to date or
otherwise get this parsing better.

Several frames show up as generic TDS, or unknown TDS packet types. Oddest of
all, most or all of the query packets show up not as TDS at all, but as TCP
segment of a reassembled PDU, which is strange given that the queries don't
span more than one frame, and consequently don't appear to be reassembled
anywhere.

Some examples follow. Additional captures and examples readily available via
email.

No.     Time            Source                Destination           Protocol
Info
     12 20:45:40.616053 10.1.1.104            10.1.1.30             TDS     
Unknown Packet Type: 23

Frame 12 (351 bytes on wire, 351 bytes captured)
    Arrival Time: Sep 13, 2006 20:45:40.616053000
    [Time delta from previous packet: 0.056037000 seconds]
    [Time since reference or first frame: 5.659303000 seconds]
    Frame Number: 12
    Packet Length: 351 bytes
    Capture Length: 351 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:tds:data]
Ethernet II, Src: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6), Dst: Microsof_af:2d:eb
(00:03:ff:af:2d:eb)
    Destination: Microsof_af:2d:eb (00:03:ff:af:2d:eb)
        Address: Microsof_af:2d:eb (00:03:ff:af:2d:eb)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is
a FACTORY DEFAULT address
    Source: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6)
        Address: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is
a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 10.1.1.104 (10.1.1.104), Dst: 10.1.1.30 (10.1.1.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 337
    Identification: 0x13ce (5070)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xcf51 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.1.1.104 (10.1.1.104)
    Destination: 10.1.1.30 (10.1.1.30)
Transmission Control Protocol, Src Port: 1274 (1274), Dst Port: ms-sql-s
(1433), Seq: 321, Ack: 699, Len: 297
    Source port: 1274 (1274)
    Destination port: ms-sql-s (1433)
    Sequence number: 321    (relative sequence number)
    [Next sequence number: 618    (relative sequence number)]
    Acknowledgement number: 699    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64837
    Checksum: 0xf7e6 [correct]
    TCP segment data (40 bytes)
Tabular Data Stream
    Type: Unknown (0x17)
    Status: Attention request (3)
    Size: 257
    Channel: 9397
    Packet Number: 238
    Window: 91
    Data (249 bytes)

0000  00 03 ff af 2d eb 00 03 ff 2f 8e b6 08 00 45 00   ....-..../....E.
0010  01 51 13 ce 40 00 80 06 cf 51 0a 01 01 68 0a 01   .Q..@....Q...h..
0020  01 1e 04 fa 05 99 fe ad e9 b7 95 94 ec 0b 50 18   ..............P.
0030  fd 45 f7 e6 00 00 17 03 01 01 24 b5 ee 5b eb ab   .E........$..[..
0040  4c f7 4e b3 b2 30 38 d0 9f 25 ae 29 16 13 95 72   L.N..08..%.)...r
0050  4f 5d 6e 4b d3 7e a7 b1 00 3f 84 f3 a3 65 f4 5c   O]nK.~...?...e.\
0060  71 b5 f7 9a 1e 8a 31 28 2c d0 45 84 ab 4a 91 d6   q.....1(,.E..J..
0070  75 79 e0 55 99 78 a9 64 0b 11 53 bc 2f e3 3c 30   uy.U.x.d..S./.<0
0080  46 55 fe 0b 42 a2 80 22 11 c1 dc 6d 44 bd 29 62   FU..B.."...mD.)b
0090  0a ec 9c 1c 58 68 b8 10 24 2c 4d 2e d4 6e c3 86   ....Xh..$,M..n..
00a0  ae ae c1 7d 3f 98 e7 75 e4 1a 41 61 9d 53 ae 2e   ...}?..u..Aa.S..
00b0  d4 05 34 a1 fa b4 0d b2 93 32 bc e5 d1 0f 30 96   ..4......2....0.
00c0  d1 71 b1 1d 3f 12 f6 eb 13 f1 e0 d1 eb fd dd be   .q..?...........
00d0  78 c5 7e f4 24 7c 35 9f 77 1c 68 a6 a5 81 71 e9   x.~.$|5.w.h...q.
00e0  b8 4f 15 a6 66 af f0 cb 27 ec a8 38 c2 cf 23 cd   .O..f...'..8..#.
00f0  74 f1 99 75 cf 84 22 ec 58 85 83 07 71 7f f5 ad   t..u..".X...q...
0100  d9 be a7 01 38 f9 11 af bc 5b f3 7f 10 d4 f5 b1   ....8....[......
0110  c9 62 61 86 5c 53 54 9f 3d 30 c9 2e 6a ca dc 76   .ba.\ST.=0..j..v
0120  2b e4 57 89 54 a3 a8 67 b5 33 9b 02 58 d9 7b cf   +.W.T..g.3..X.{.
0130  a8 0c 29 38 51 e6 0b 26 34 b7 86 e0 78 e7 b7 2a   ..)8Q..&4...x..*
0140  91 d5 e2 ec fd a8 e6 b0 28 e9 90 5a ed 9a 31 45   ........(..Z..1E
0150  0f 29 40 46 fa 7f c3 4c 93 eb f2 49 bc d3 1b      .)@F...L...I...


No.     Time            Source                Destination           Protocol
Info
     14 20:45:40.629007 10.1.1.104            10.1.1.30             TCP     
[TCP segment of a reassembled PDU]

Frame 14 (366 bytes on wire, 366 bytes captured)
    Arrival Time: Sep 13, 2006 20:45:40.629007000
    [Time delta from previous packet: 0.010377000 seconds]
    [Time since reference or first frame: 5.672257000 seconds]
    Frame Number: 14
    Packet Length: 366 bytes
    Capture Length: 366 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp]
Ethernet II, Src: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6), Dst: Microsof_af:2d:eb
(00:03:ff:af:2d:eb)
    Destination: Microsof_af:2d:eb (00:03:ff:af:2d:eb)
        Address: Microsof_af:2d:eb (00:03:ff:af:2d:eb)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is
a FACTORY DEFAULT address
    Source: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6)
        Address: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6)
        .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame
        .... ..0. .... .... .... .... = Locally Administrated Address: This is
a FACTORY DEFAULT address
    Type: IP (0x0800)
Internet Protocol, Src: 10.1.1.104 (10.1.1.104), Dst: 10.1.1.30 (10.1.1.30)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 352
    Identification: 0x13cf (5071)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0xcf41 [correct]
        [Good: True]
        [Bad : False]
    Source: 10.1.1.104 (10.1.1.104)
    Destination: 10.1.1.30 (10.1.1.30)
Transmission Control Protocol, Src Port: 1274 (1274), Dst Port: ms-sql-s
(1433), Seq: 618, Ack: 1128, Len: 312
    Source port: 1274 (1274)
    Destination port: ms-sql-s (1433)
    Sequence number: 618    (relative sequence number)
    [Next sequence number: 930    (relative sequence number)]
    Acknowledgement number: 1128    (relative ack number)
    Header length: 20 bytes
    Flags: 0x0018 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgment: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 64408
    Checksum: 0x2f97 [correct]
    TCP segment data (312 bytes)

0000  00 03 ff af 2d eb 00 03 ff 2f 8e b6 08 00 45 00   ....-..../....E.
0010  01 60 13 cf 40 00 80 06 cf 41 0a 01 01 68 0a 01   .`..@....A...h..
0020  01 1e 04 fa 05 99 fe ad ea e0 95 94 ed b8 50 18   ..............P.
0030  fb 98 2f 97 00 00 01 01 01 38 00 00 01 00 53 00   ../......8....S.
0040  45 00 4c 00 45 00 43 00 54 00 20 00 45 00 6d 00   E.L.E.C.T. .E.m.
0050  70 00 6c 00 6f 00 79 00 65 00 65 00 49 00 44 00   p.l.o.y.e.e.I.D.
0060  2c 00 20 00 4c 00 6f 00 67 00 69 00 6e 00 49 00   ,. .L.o.g.i.n.I.
0070  44 00 2c 00 20 00 54 00 69 00 74 00 6c 00 65 00   D.,. .T.i.t.l.e.
0080  2c 00 20 00 4d 00 61 00 72 00 69 00 74 00 61 00   ,. .M.a.r.i.t.a.
0090  6c 00 53 00 74 00 61 00 74 00 75 00 73 00 2c 00   l.S.t.a.t.u.s.,.
00a0  20 00 47 00 65 00 6e 00 64 00 65 00 72 00 2c 00    .G.e.n.d.e.r.,.
00b0  20 00 56 00 61 00 63 00 61 00 74 00 69 00 6f 00    .V.a.c.a.t.i.o.
00c0  6e 00 48 00 6f 00 75 00 72 00 73 00 2c 00 20 00   n.H.o.u.r.s.,. .
00d0  4d 00 6f 00 64 00 69 00 66 00 69 00 65 00 64 00   M.o.d.i.f.i.e.d.
00e0  44 00 61 00 74 00 65 00 20 00 46 00 52 00 4f 00   D.a.t.e. .F.R.O.
00f0  4d 00 20 00 48 00 75 00 6d 00 61 00 6e 00 52 00   M. .H.u.m.a.n.R.
0100  65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00   e.s.o.u.r.c.e.s.
0110  2e 00 45 00 6d 00 70 00 6c 00 6f 00 79 00 65 00   ..E.m.p.l.o.y.e.
0120  65 00 20 00 57 00 48 00 45 00 52 00 45 00 20 00   e. .W.H.E.R.E. .
0130  54 00 69 00 74 00 6c 00 65 00 3d 00 27 00 43 00   T.i.t.l.e.=.'.C.
0140  68 00 69 00 65 00 66 00 20 00 45 00 78 00 65 00   h.i.e.f. .E.x.e.
0150  63 00 75 00 74 00 69 00 76 00 65 00 20 00 4f 00   c.u.t.i.v.e. .O.
0160  66 00 66 00 69 00 63 00 65 00 72 00 27 00         f.f.i.c.e.r.'.


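Editor's note with an added example (my code, not Wireshark's dissector and not anything the reporter posted): reading the two dumps above by hand with the 8-byte TDS packet header from MS-TDS (type, status, big-endian length including the header, SPID, packet id, window) explains both symptoms. Frame 14 is a well-formed SQL batch packet: type 0x01, status 0x01 (end of message), length 0x0138 = 312, which equals the TCP segment length, followed by the query in UTF-16LE. Frame 12 does not start with a TDS header at all: its first five payload bytes, 17 03 01 01 24, are a TLS record header (content type 23 = application_data, version 3.1, length 0x0124 = 292 = 297 - 5), which is what a SQL Server 2005 connection carries on port 1433 once pre-login has negotiated TLS for the login sequence. The 0.99.3 dissector reads those same bytes as a TDS header and gets type 0x17, status 3, size 257, channel 9397, packet number 238, window 91, exactly the fields shown in the dump; 297 - 257 leaves the 40 bytes of "TCP segment data" it reports. The script below copies the hex rows from the report (rows 0x0030 onward, ASCII column dropped), strips the 54 bytes of Ethernet/IP/TCP headers, and applies both header checks; the TCP lengths 297 and 312 are taken from the TCP summaries in the dumps.

```python
import struct

# Rows copied from the report's hex dumps (rows 0x0030 onward, ASCII column
# dropped). 14 Ethernet + 20 IPv4 + 20 TCP header bytes precede the payload,
# so it starts at byte 0x36, i.e. 6 bytes into row 0x0030.
FIRST_ROW, PAYLOAD_OFFSET = 0x30, 0x36

# Frame 12 (TCP Len 297): the first row alone holds the 10 leading payload
# bytes that the header checks below need.
FRAME12_ROWS = """
0030  fd 45 f7 e6 00 00 17 03 01 01 24 b5 ee 5b eb ab
"""
FRAME12_TCP_LEN = 297

# Frame 14 (TCP Len 312): every row from 0x0030 to the end of the frame.
FRAME14_ROWS = """
0030  fb 98 2f 97 00 00 01 01 01 38 00 00 01 00 53 00
0040  45 00 4c 00 45 00 43 00 54 00 20 00 45 00 6d 00
0050  70 00 6c 00 6f 00 79 00 65 00 65 00 49 00 44 00
0060  2c 00 20 00 4c 00 6f 00 67 00 69 00 6e 00 49 00
0070  44 00 2c 00 20 00 54 00 69 00 74 00 6c 00 65 00
0080  2c 00 20 00 4d 00 61 00 72 00 69 00 74 00 61 00
0090  6c 00 53 00 74 00 61 00 74 00 75 00 73 00 2c 00
00a0  20 00 47 00 65 00 6e 00 64 00 65 00 72 00 2c 00
00b0  20 00 56 00 61 00 63 00 61 00 74 00 69 00 6f 00
00c0  6e 00 48 00 6f 00 75 00 72 00 73 00 2c 00 20 00
00d0  4d 00 6f 00 64 00 69 00 66 00 69 00 65 00 64 00
00e0  44 00 61 00 74 00 65 00 20 00 46 00 52 00 4f 00
00f0  4d 00 20 00 48 00 75 00 6d 00 61 00 6e 00 52 00
0100  65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00
0110  2e 00 45 00 6d 00 70 00 6c 00 6f 00 79 00 65 00
0120  65 00 20 00 57 00 48 00 45 00 52 00 45 00 20 00
0130  54 00 69 00 74 00 6c 00 65 00 3d 00 27 00 43 00
0140  68 00 69 00 65 00 66 00 20 00 45 00 78 00 65 00
0150  63 00 75 00 74 00 69 00 76 00 65 00 20 00 4f 00
0160  66 00 66 00 69 00 63 00 65 00 72 00 27 00
"""
FRAME14_TCP_LEN = 312

# Packet types from the MS-TDS packet header; anything else is suspect.
TDS_TYPES = {0x01: "SQL batch", 0x03: "RPC", 0x04: "Tabular result",
             0x06: "Attention", 0x07: "Bulk load", 0x0E: "TM request",
             0x10: "TDS7 login", 0x11: "SSPI", 0x12: "Pre-login"}
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}

def parse_hexdump(rows):
    """Turn 'OFFSET  xx xx ...' rows into bytes (offsets are ignored)."""
    out = bytearray()
    for line in rows.strip().splitlines():
        out.extend(int(tok, 16) for tok in line.split()[1:])
    return bytes(out)

def tcp_payload(rows):
    """Strip the link/IP/TCP header bytes that precede the payload."""
    return parse_hexdump(rows)[PAYLOAD_OFFSET - FIRST_ROW:]

def tls_record_header(payload, tcp_len):
    """TLS record header fields if one plausibly starts the payload (known
    content type, major version 3, length exactly filling the segment)."""
    if len(payload) < 5:
        return None
    ctype, major, minor, length = struct.unpack(">BBBH", payload[:5])
    if ctype in TLS_CONTENT_TYPES and major == 3 and length == tcp_len - 5:
        return {"content_type": TLS_CONTENT_TYPES[ctype],
                "version": (major, minor), "length": length}
    return None

def parse_tds_header(payload):
    """8-byte TDS header: type, status, big-endian length (header included),
    SPID (Wireshark's 'Channel'), packet id, window."""
    ptype, status, length, spid, pkt_id, window = struct.unpack(">BBHHBB", payload[:8])
    return {"type": ptype, "type_name": TDS_TYPES.get(ptype, "unknown"),
            "status": status, "length": length, "spid": spid,
            "packet_id": pkt_id, "window": window}

def classify(payload, tcp_len):
    """'tls' if a TLS record header fits the segment, 'tds' if a TDS header
    with a known type and a length equal to the segment fits, else 'unknown'."""
    tls = tls_record_header(payload, tcp_len)
    if tls is not None:
        return "tls", tls
    hdr = parse_tds_header(payload)
    if hdr["type"] in TDS_TYPES and hdr["length"] == tcp_len:
        return "tds", hdr
    return "unknown", hdr

def decode_sql_batch(payload):
    """The body of a type 0x01 (SQL batch) packet is the query in UTF-16LE."""
    hdr = parse_tds_header(payload)
    if hdr["type"] != 0x01:
        raise ValueError("not a SQL batch packet: type 0x%02x" % hdr["type"])
    return payload[8:hdr["length"]].decode("utf-16-le")
```

Calling `classify(tcp_payload(FRAME12_ROWS), FRAME12_TCP_LEN)` returns `"tls"` with length 292, while `parse_tds_header` on the same bytes reproduces the dissector's spurious fields (type 0x17, size 257, channel 9397, packet number 238, window 91); `classify(tcp_payload(FRAME14_ROWS), FRAME14_TCP_LEN)` returns `"tds"`, and `decode_sql_batch` on that payload yields the SELECT statement visible in the ASCII column of the dump. The length-must-equal-segment check is the cheap sanity test a dissector can apply before trusting a header byte it does not recognise.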