Sniffing specific TDS messages (with some broader implications)

asked 2023-09-13 10:39:40 +0000


Hi, I have to distinguish incoming SQL Server connections on a host, sorting out encrypted ones and clear-text ones. I sampled two captures and saw that after the initial part that uses TLS also for the unencrypted connection (maybe password transfer?) the capture is of course different. In the clear-text one I can see the TDS data back and forth. So, given that I have lots of hosts connecting to the server and a lot of data flowing, I was trying to find out a way to only sniff packets containing specific TDS packets, for example "Remote Procedure Call", that only exist in the clear-text ones. I'm not looking for a display filter, as in that case I have to sniff a ton of traffic, killing the server. I would like to capture only those packets, so that I can see which clients are still using unencrypted connections. I have no way to interact with the DBA for this task, so I need to go to the wire. Thanks


Comments

There is a sample capture on the wiki (MS SQL Server protocol - Tabular Data Stream (TDS)), or can you provide a sample capture?

There will probably be some false positives for the encrypted connections but could you filter on the port number and the first TCP byte being a 3?
Type: Remote Procedure Call (3)

Chuckc ( 2023-09-13 11:36:31 +0000 )

The capture you linked contains data similar to mine so it is a valid example. Do you suggest something like

tcp.payload[0:1] == 03

This is a valid filter for display and actually gets the correct packets but I need a capture filter, not a display one. Thanks

LoZio ( 2023-09-13 11:46:12 +0000 )

Maybe something like this seems correct?

tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x03

Adapting an example on https://wiki.wireshark.org/CaptureFil... The first part should skip the TCP header, then there is my single byte.

LoZio ( 2023-09-13 11:48:59 +0000 )

Yes, that is very similar to the filter generated by the utility String-Matching Capture Filter Generator.

You might want to add the port number to the filter like in this Wiki example:

port 80 and tcp[((tcp[12:1] & 0xf0) >> 2):4] = 0x47455420

Chuckc ( 2023-09-14 01:33:44 +0000 )

Of course I'll add the port and protocol filter (tcp port 1433) and will filter out the "good" hosts as soon as I find them. I didn't know about the tool you linked, thank you!

LoZio ( 2023-09-14 06:04:46 +0000 )
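As an added illustration (not code from the thread), the Python below mirrors the offset arithmetic of the capture filter `tcp[((tcp[12:1] & 0xf0) >> 2):1] = 0x03` on constructed TCP segments with options, and shows a stricter check on the 8-byte TDS packet header that can be applied to the captured file afterwards to drop the false positives Chuckc mentioned. The segments, ports and helper names are constructed for the example; only the filter expression and the TDS type value 3 come from the thread.

```python
import struct
from typing import Optional

TDS_RPC = 0x03          # TDS packet type "Remote Procedure Call" (3)
TDS_HEADER_LEN = 8      # type, status, length(2), spid(2), packet id, window

def build_segment(payload: bytes, options: bytes = b"") -> bytes:
    """Constructed TCP segment without IP header: header, options, payload."""
    assert len(options) % 4 == 0, "TCP options are padded to 32-bit words"
    data_offset = 5 + len(options) // 4            # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH",
                      49152, 1433,                 # constructed client port -> SQL Server port
                      1, 1,                        # seq, ack
                      data_offset << 4,            # tcp[12]: data offset in the high nibble
                      0x18,                        # flags PSH|ACK
                      65535, 0, 0)                 # window, checksum, urgent pointer
    return hdr + options + payload

def bpf_first_payload_byte(segment: bytes) -> Optional[int]:
    """Same arithmetic as tcp[((tcp[12:1] & 0xf0) >> 2):1]: the high nibble
    times 4 is the header length in bytes, so that index is the first payload byte."""
    off = (segment[12] & 0xF0) >> 2
    return segment[off] if len(segment) > off else None

def capture_filter_matches(segment: bytes) -> bool:
    """What the capture filter alone decides: first payload byte == 0x03."""
    return bpf_first_payload_byte(segment) == TDS_RPC

def looks_like_tds_rpc(segment: bytes) -> bool:
    """Post-capture sanity check on the TDS header, to weed out segments that
    merely happen to start with 0x03 (e.g. a fragment of TLS cipher text)."""
    off = (segment[12] & 0xF0) >> 2
    payload = segment[off:]
    if len(payload) < TDS_HEADER_LEN:
        return False
    ptype, status, length, _spid, _pkt_id, window = struct.unpack("!BBHHBB", payload[:8])
    # length counts the header itself; only status bits 0x01/0x02/0x08/0x10 are
    # defined; the window byte is reserved and set to 0 (per MS-TDS)
    return (ptype == TDS_RPC and length >= TDS_HEADER_LEN
            and status & ~0x1B == 0 and window == 0)

# Constructed sample segments, all carrying a 12-byte timestamp option so the
# header is 32 bytes and a fixed tcp[20:1] would read the wrong byte
TS_OPTION = b"\x01\x01\x08\x0a" + b"\x00" * 8
RPC_PKT = build_segment(bytes([0x03, 0x01, 0x00, 0x14, 0x00, 0x34, 0x01, 0x00]) + b"\x00" * 12, TS_OPTION)
TLS_PKT = build_segment(b"\x17\x03\x03\x00\x20" + b"\x00" * 32, TS_OPTION)   # TLS application data
FALSE_POS = build_segment(b"\x03\x9a\xff\xff\x00\x00\x00\x7b", TS_OPTION)    # cipher text starting with 0x03
```

Running the stricter check over the captured file (for instance from a dissector export) keeps the capture filter cheap on the wire while still letting you confirm each flagged host really sent a TDS RPC packet.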