Wireshark-bugs: [Wireshark-bugs] [Bug 1101] New: MSSQL TDS traffic no longer parses well. Maybe
Date: Thu, 14 Sep 2006 04:25:45 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=1101 Summary: MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005? Product: Wireshark Version: 0.99.3 Platform: PC OS/Version: Windows Server 2003 Status: NEW Severity: Enhancement Priority: Medium Component: Wireshark AssignedTo: wireshark-bugs@xxxxxxxxxxxxx ReportedBy: mwreynolds@xxxxxxxxx I used to enjoy the high quality of TDS parsing/disecting that was possible on MSSQL traffic. Based on that fact I put together an elaborate fake SQL backed application in order to create some sample/instructive traces, only to find that the traffic does not parse well in numerous regards. I am using MSSQL 2005 on the server and old fashioned ADO vbscript on the client. Could they have changed the wire protocol for SQL Server 2005? (weird that old clients still work) Anyway, it would be extremely helpful to me and others if some industrious parser/dissector developer were to bring the the TDS parser up to date or otherwise get this parsing better. Several frames show up as generic TDS, or unknown TDS packet types. Oddest of all, most or all of the qeury packets show up not as TDS at all, but as TCP segment of a reassembled PDU, which is strange given that the queries don't span more than one frame, and consequently don't appear to be reassembled anywhere. Some examples follow. Additional captures and examples readily available via email. No. Time Source Destination Protocol Info 12 20:45:40.616053 10.1.1.104 10.1.1.30 TDS Unknown Packet Type: 23 Frame 12 (351 bytes on wire, 351 bytes captured) Arrival Time: Sep 13, 2006 20:45:40.616053000 [Time delta from previous packet: 0.056037000 seconds] [Time since reference or first frame: 5.659303000 seconds] Frame Number: 12 Packet Length: 351 bytes Capture Length: 351 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp:tds:data] Ethernet II, Src: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6), Dst: Microsof_af:2d:eb (00:03:ff:af:2d:eb) Destination: Microsof_af:2d:eb (00:03:ff:af:2d:eb) Address: Microsof_af:2d:eb (00:03:ff:af:2d:eb) .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address Source: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6) Address: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6) .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address Type: IP (0x0800) Internet Protocol, Src: 10.1.1.104 (10.1.1.104), Dst: 10.1.1.30 (10.1.1.30) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 337 Identification: 0x13ce (5070) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0xcf51 [correct] [Good: True] [Bad : False] Source: 10.1.1.104 (10.1.1.104) Destination: 10.1.1.30 (10.1.1.30) Transmission Control Protocol, Src Port: 1274 (1274), Dst Port: ms-sql-s (1433), Seq: 321, Ack: 699, Len: 297 Source port: 1274 (1274) Destination port: ms-sql-s (1433) Sequence number: 321 (relative sequence number) [Next sequence number: 618 (relative sequence number)] Acknowledgement number: 699 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 1... = Push: Set .... .0.. = Reset: Not set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 64837 Checksum: 0xf7e6 [correct] TCP segment data (40 bytes) Tabular Data Stream Type: Unknown (0x17) Status: Attention request (3) Size: 257 Channel: 9397 Packet Number: 238 Window: 91 Data (249 bytes) 0000 00 03 ff af 2d eb 00 03 ff 2f 8e b6 08 00 45 00 ....-..../....E. 0010 01 51 13 ce 40 00 80 06 cf 51 0a 01 01 68 0a 01 [email protected].. 0020 01 1e 04 fa 05 99 fe ad e9 b7 95 94 ec 0b 50 18 ..............P. 0030 fd 45 f7 e6 00 00 17 03 01 01 24 b5 ee 5b eb ab .E........$..[.. 0040 4c f7 4e b3 b2 30 38 d0 9f 25 ae 29 16 13 95 72 L.N..08..%.)...r 0050 4f 5d 6e 4b d3 7e a7 b1 00 3f 84 f3 a3 65 f4 5c O]nK.~...?...e.\ 0060 71 b5 f7 9a 1e 8a 31 28 2c d0 45 84 ab 4a 91 d6 q.....1(,.E..J.. 0070 75 79 e0 55 99 78 a9 64 0b 11 53 bc 2f e3 3c 30 uy.U.x.d..S./.<0 0080 46 55 fe 0b 42 a2 80 22 11 c1 dc 6d 44 bd 29 62 FU..B.."...mD.)b 0090 0a ec 9c 1c 58 68 b8 10 24 2c 4d 2e d4 6e c3 86 ....Xh..$,M..n.. 00a0 ae ae c1 7d 3f 98 e7 75 e4 1a 41 61 9d 53 ae 2e ...}?..u..Aa.S.. 00b0 d4 05 34 a1 fa b4 0d b2 93 32 bc e5 d1 0f 30 96 ..4......2....0. 00c0 d1 71 b1 1d 3f 12 f6 eb 13 f1 e0 d1 eb fd dd be .q..?........... 00d0 78 c5 7e f4 24 7c 35 9f 77 1c 68 a6 a5 81 71 e9 x.~.$|5.w.h...q. 00e0 b8 4f 15 a6 66 af f0 cb 27 ec a8 38 c2 cf 23 cd .O..f...'..8..#. 00f0 74 f1 99 75 cf 84 22 ec 58 85 83 07 71 7f f5 ad t..u..".X...q... 0100 d9 be a7 01 38 f9 11 af bc 5b f3 7f 10 d4 f5 b1 ....8....[...... 0110 c9 62 61 86 5c 53 54 9f 3d 30 c9 2e 6a ca dc 76 .ba.\ST.=0..j..v 0120 2b e4 57 89 54 a3 a8 67 b5 33 9b 02 58 d9 7b cf +.W.T..g.3..X.{. 0130 a8 0c 29 38 51 e6 0b 26 34 b7 86 e0 78 e7 b7 2a ..)8Q..&4...x..* 0140 91 d5 e2 ec fd a8 e6 b0 28 e9 90 5a ed 9a 31 45 ........(..Z..1E 0150 0f 29 40 46 fa 7f c3 4c 93 eb f2 49 bc d3 1b .)@F...L...I... No. Time Source Destination Protocol Info 14 20:45:40.629007 10.1.1.104 10.1.1.30 TCP [TCP segment of a reassembled PDU] Frame 14 (366 bytes on wire, 366 bytes captured) Arrival Time: Sep 13, 2006 20:45:40.629007000 [Time delta from previous packet: 0.010377000 seconds] [Time since reference or first frame: 5.672257000 seconds] Frame Number: 14 Packet Length: 366 bytes Capture Length: 366 bytes [Frame is marked: False] [Protocols in frame: eth:ip:tcp] Ethernet II, Src: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6), Dst: Microsof_af:2d:eb (00:03:ff:af:2d:eb) Destination: Microsof_af:2d:eb (00:03:ff:af:2d:eb) Address: Microsof_af:2d:eb (00:03:ff:af:2d:eb) .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address Source: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6) Address: Microsof_2f:8e:b6 (00:03:ff:2f:8e:b6) .... ...0 .... .... .... .... = Multicast: This is a UNICAST frame .... ..0. .... .... .... .... = Locally Administrated Address: This is a FACTORY DEFAULT address Type: IP (0x0800) Internet Protocol, Src: 10.1.1.104 (10.1.1.104), Dst: 10.1.1.30 (10.1.1.30) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 352 Identification: 0x13cf (5071) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 128 Protocol: TCP (0x06) Header checksum: 0xcf41 [correct] [Good: True] [Bad : False] Source: 10.1.1.104 (10.1.1.104) Destination: 10.1.1.30 (10.1.1.30) Transmission Control Protocol, Src Port: 1274 (1274), Dst Port: ms-sql-s (1433), Seq: 618, Ack: 1128, Len: 312 Source port: 1274 (1274) Destination port: ms-sql-s (1433) Sequence number: 618 (relative sequence number) [Next sequence number: 930 (relative sequence number)] Acknowledgement number: 1128 (relative ack number) Header length: 20 bytes Flags: 0x0018 (PSH, ACK) 0... .... = Congestion Window Reduced (CWR): Not set .0.. .... = ECN-Echo: Not set ..0. .... = Urgent: Not set ...1 .... = Acknowledgment: Set .... 1... = Push: Set .... .0.. = Reset: Not set .... ..0. = Syn: Not set .... ...0 = Fin: Not set Window size: 64408 Checksum: 0x2f97 [correct] TCP segment data (312 bytes) 0000 00 03 ff af 2d eb 00 03 ff 2f 8e b6 08 00 45 00 ....-..../....E. 0010 01 60 13 cf 40 00 80 06 cf 41 0a 01 01 68 0a 01 .`[email protected].. 0020 01 1e 04 fa 05 99 fe ad ea e0 95 94 ed b8 50 18 ..............P. 0030 fb 98 2f 97 00 00 01 01 01 38 00 00 01 00 53 00 ../......8....S. 0040 45 00 4c 00 45 00 43 00 54 00 20 00 45 00 6d 00 E.L.E.C.T. .E.m. 0050 70 00 6c 00 6f 00 79 00 65 00 65 00 49 00 44 00 p.l.o.y.e.e.I.D. 0060 2c 00 20 00 4c 00 6f 00 67 00 69 00 6e 00 49 00 ,. .L.o.g.i.n.I. 0070 44 00 2c 00 20 00 54 00 69 00 74 00 6c 00 65 00 D.,. .T.i.t.l.e. 0080 2c 00 20 00 4d 00 61 00 72 00 69 00 74 00 61 00 ,. .M.a.r.i.t.a. 0090 6c 00 53 00 74 00 61 00 74 00 75 00 73 00 2c 00 l.S.t.a.t.u.s.,. 00a0 20 00 47 00 65 00 6e 00 64 00 65 00 72 00 2c 00 .G.e.n.d.e.r.,. 00b0 20 00 56 00 61 00 63 00 61 00 74 00 69 00 6f 00 .V.a.c.a.t.i.o. 00c0 6e 00 48 00 6f 00 75 00 72 00 73 00 2c 00 20 00 n.H.o.u.r.s.,. . 00d0 4d 00 6f 00 64 00 69 00 66 00 69 00 65 00 64 00 M.o.d.i.f.i.e.d. 00e0 44 00 61 00 74 00 65 00 20 00 46 00 52 00 4f 00 D.a.t.e. .F.R.O. 00f0 4d 00 20 00 48 00 75 00 6d 00 61 00 6e 00 52 00 M. .H.u.m.a.n.R. 0100 65 00 73 00 6f 00 75 00 72 00 63 00 65 00 73 00 e.s.o.u.r.c.e.s. 0110 2e 00 45 00 6d 00 70 00 6c 00 6f 00 79 00 65 00 ..E.m.p.l.o.y.e. 0120 65 00 20 00 57 00 48 00 45 00 52 00 45 00 20 00 e. .W.H.E.R.E. . 0130 54 00 69 00 74 00 6c 00 65 00 3d 00 27 00 43 00 T.i.t.l.e.=.'.C. 0140 68 00 69 00 65 00 66 00 20 00 45 00 78 00 65 00 h.i.e.f. .E.x.e. 0150 63 00 75 00 74 00 69 00 76 00 65 00 20 00 4f 00 c.u.t.i.v.e. .O. 0160 66 00 66 00 69 00 63 00 65 00 72 00 27 00 f.f.i.c.e.r.'. -- Configure bugmail: http://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
- Follow-Ups:
- [Wireshark-bugs] [Bug 1101] MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005?
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 1101] MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005?
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 1101] MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005?
- From: bugzilla-daemon
- [Wireshark-bugs] [Bug 1101] MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005?
- Prev by Date: [Wireshark-bugs] [Bug 1099] Fatal: Could not acquire crypto context from Windows.
- Next by Date: [Wireshark-bugs] [Bug 1101] MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005?
- Previous by thread: [Wireshark-bugs] [Bug 1100] IO Graphs: Display filter colour syntax highlighting no longer shows
- Next by thread: [Wireshark-bugs] [Bug 1101] MSSQL TDS traffic no longer parses well. Maybe due to MSSQL 2005?
- Index(es):