Sniffing specific TDS messages (with some broader implications)
Hi, I have to distinguish incoming SQL Server connections on a host, sorting out encrypted ones and clear-text ones. I sampled two captures and saw that after the initial part, which uses TLS also for the unencrypted connection (maybe password transfer?), the capture is of course different. In the clear-text one I can see the TDS data back and forth. So, given that I have lots of hosts connecting to the server and a lot of data flowing, I was trying to find a way to only sniff packets containing specific TDS packets, for example "Remote Procedure Call", which only exist in the clear-text ones. I'm not looking for a display filter, as in that case I would have to sniff a ton of traffic, killing the server. I would like to capture only those packets, so that I can see which clients are still using unencrypted connections. I have no way to interact with the DBA for this task, so I need to go to the wire. Thanks
There is a sample capture on the wiki (MS SQL Server protocol - Tabular Data Stream (TDS)) or can you provide a sample capture?
There will probably be some false positives for the encrypted connections, but could you filter on the port number and the first TCP byte being a 3?
Type: Remote Procedure Call (3)
The capture you linked contains data similar to mine so it is a valid example. Do you suggest something like
This is a valid filter for display and actually gets the correct packets but I need a capture filter, not a display one. Thanks
Maybe something like this seems correct?
Adapting an example on https://wiki.wireshark.org/CaptureFil... The first part should skip the TCP header, then there is my single byte.
Yes, that is very similar to the filter generated by the String-Matching Capture Filter Generator utility.
You might want to add the port number to the filter like in this Wiki example:
Of course I'll add the port and protocol filter (tcp port 1433) and will filter out the "good" hosts as soon as I find them. I didn't know about the tool you linked, thank you!
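As an added illustration, not code from the thread or from Wireshark: the capture-filter idea arrived at above (skip the TCP header via the data-offset nibble, test the first payload byte for the RPC type, restrict to port 1433) reimplemented in Python over constructed TCP segments, so the offset arithmetic and its edge cases (TCP options, a segment with no payload, a TLS record, another port) can be checked offline. The BPF string in CAPTURE_FILTER is my assumed final form of the filter the thread sketches, built on the wiki's "skip the TCP header" pattern.

```python
# Pure-Python mirror of the capture filter discussed in the thread (constructed example).
# Assumed BPF form, following the wiki pattern tcp[((tcp[12:1] & 0xf0) >> 2):N] = ...:
CAPTURE_FILTER = "tcp port 1433 and tcp[((tcp[12:1] & 0xf0) >> 2)] = 0x03"

TDS_RPC = 0x03          # TDS packet type "Remote Procedure Call (3)", first byte of the TDS header
SQL_SERVER_PORT = 1433  # default SQL Server port, as used in the thread

def tcp_header_len(segment: bytes) -> int:
    """TCP header length in bytes from the data-offset nibble: (tcp[12] & 0xf0) >> 2."""
    return (segment[12] & 0xF0) >> 2

def first_payload_byte(segment: bytes):
    """Byte right after the TCP header, or None when the segment carries no payload
    (BPF likewise rejects a packet whose indexed byte lies beyond its end)."""
    off = tcp_header_len(segment)
    return segment[off] if off < len(segment) else None

def matches_rpc_filter(segment: bytes) -> bool:
    """True when either port is 1433 and the first payload byte is the TDS RPC type."""
    sport = int.from_bytes(segment[0:2], "big")
    dport = int.from_bytes(segment[2:4], "big")
    if SQL_SERVER_PORT not in (sport, dport):
        return False
    return first_payload_byte(segment) == TDS_RPC

def build_segment(sport: int, dport: int, options: bytes = b"", payload: bytes = b"") -> bytes:
    """Build a minimal TCP segment (constructed test data; checksum left as zero)."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 4-byte boundary
    data_offset = (20 + len(options)) // 4             # header length in 32-bit words
    hdr = (sport.to_bytes(2, "big") + dport.to_bytes(2, "big")
           + (0).to_bytes(4, "big") + (0).to_bytes(4, "big")     # seq, ack
           + bytes([data_offset << 4, 0x18])                      # offset nibble, PSH|ACK
           + (8192).to_bytes(2, "big") + b"\x00\x00\x00\x00")     # window, checksum, urgent
    return hdr + options + payload

# Constructed samples: clear-text RPC (with a 12-byte TCP timestamp option), a TLS
# application-data record, a bare ACK with no payload, and RPC bytes on another port.
TDS_RPC_HEADER = bytes([0x03, 0x01, 0x00, 0x2A, 0x00, 0x00, 0x01, 0x00])  # type 3, EOM, len 42
CLEAR_RPC = build_segment(50000, 1433, options=b"\x01\x01\x08\x0a" + b"\x00" * 8,
                          payload=TDS_RPC_HEADER + b"\x00" * 34)
TLS_RECORD = build_segment(50001, 1433, payload=b"\x17\x03\x03\x00\x20" + b"\x00" * 32)
BARE_ACK = build_segment(50002, 1433)
OTHER_PORT = build_segment(50003, 3306, payload=TDS_RPC_HEADER)

if __name__ == "__main__":
    print("capture filter:", CAPTURE_FILTER)
    for name, seg in [("CLEAR_RPC", CLEAR_RPC), ("TLS_RECORD", TLS_RECORD),
                      ("BARE_ACK", BARE_ACK), ("OTHER_PORT", OTHER_PORT)]:
        print(f"{name:10s} tcp header={tcp_header_len(seg):2d} B  match={matches_rpc_filter(seg)}")
```

Only CLEAR_RPC matches; the byte test alone cannot tell a mid-stream segment that happens to start with 0x03 from a real TDS header, which is the false-positive case the answer warns about.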