Why wireshark failed to decode prelogin message in tds protocol

asked 2024-03-06 14:10:47 +0000


updated 2024-03-06 14:22:36 +0000


Wireshark failed to decode the pre-login message of the TDS protocol. Below is the packet data. The pre-login message was decoded as Data.

Packet comments
Frame 4528: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits) on interface eth:5:0, id 0 (outbound)
Ethernet II, Src: xxxx15:fe:72 (00:xx:xx:15:fe:72), Dst: 12:34:56:78:9a:bc (12:34:56:78:9a:bc)
Internet Protocol Version 4, Src: 10.xx.0.x8, Dst: xx.1xx.2xx.1
Transmission Control Protocol, Src Port: 1466, Dst Port: 1433, Seq: 1, Ack: 1, Len: 94
Tabular Data Stream
    Type: TDS7 pre-login message (18)
    Status: 0x01, End of message
        .... ...1 = End of message: True
        .... ..0. = Ignore this event: False
        .... .0.. = Event notification: False
        .... 0... = Reset connection: False
        ...0 .... = Reset connection keeping transaction state: False
    Length: 94
    Channel: 0
    Packet Number: 1
    Window: 0
    Data (86 bytes)
        Data: 000024000601002a000102002b000103002c0004040030000105003100240600550001ff04081252000001000001397c005363526ed6eae44faa28695c803ba6b8527b3c7cab692b4a96b0d698c7a15d890201000001
        [Length: 86]
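For reference, here is what a correct dissection of that packet yields. The following is an added example, not code from the question, the answer or the Wireshark project: it rebuilds the 94-byte packet from the header fields and the Data hex posted above (the 8-byte TDS header is reconstructed from Type 0x12, Status 0x01, Length 94, Channel 0, Packet Number 1, Window 0), then parses the TDS header and the PRELOGIN option list. PRELOGIN is the one cleartext look at the client's driver version and its ENCRYPTION expectation before the LOGIN7 exchange moves under TLS, which is also why the answer below filters on `!tls`. The option names, the ENCRYPTION values and the VERSION field layout (major, minor, build, sub-build) are taken from MS-TDS as I recall it and should be checked against the spec; everything else is derived from the bytes themselves.

```python
import struct
from dataclasses import dataclass

# Constructed input: the 8-byte TDS packet header as shown in the question
# (type 0x12 PRELOGIN, status 0x01 end-of-message, length 94, SPID 0,
# packet id 1, window 0) followed by the 86 payload bytes from the posted
# "Data" field.
TDS_HEADER_HEX = "1201005e00000100"
PRELOGIN_PAYLOAD_HEX = (
    "000024000601002a000102002b000103002c0004040030000105003100240600550001ff"
    "04081252000001000001397c00"
    "5363526ed6eae44faa28695c803ba6b8527b3c7cab692b4a96b0d698c7a15d8902010000"
    "01"
)
TDS_PACKET = bytes.fromhex(TDS_HEADER_HEX + PRELOGIN_PAYLOAD_HEX)

TDS_TYPE_PRELOGIN = 0x12
PRELOGIN_TERMINATOR = 0xFF
# Option tokens and ENCRYPTION values as listed in MS-TDS (assumed, verify against spec)
OPTION_NAMES = {
    0x00: "VERSION", 0x01: "ENCRYPTION", 0x02: "INSTOPT", 0x03: "THREADID",
    0x04: "MARS", 0x05: "TRACEID", 0x06: "FEDAUTHREQUIRED", 0x07: "NONCEOPT",
}
ENCRYPTION_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                    0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}


@dataclass
class TdsHeader:
    ptype: int
    status: int
    length: int
    spid: int
    packet_id: int
    window: int


def parse_tds_header(packet: bytes) -> TdsHeader:
    """Parse the fixed 8-byte TDS packet header (all fields big-endian)."""
    if len(packet) < 8:
        raise ValueError("short TDS packet")
    hdr = TdsHeader(*struct.unpack(">BBHHBB", packet[:8]))
    if hdr.length != len(packet):
        raise ValueError(f"TDS length {hdr.length} != {len(packet)} bytes on wire")
    return hdr


def parse_prelogin_options(payload: bytes) -> dict:
    """Split a PRELOGIN payload into {token: raw option bytes}.

    The payload opens with 5-byte (token, offset, length) entries, big-endian,
    closed by a 0xFF terminator; offsets are relative to the payload start.
    Offsets and lengths are chosen by the peer, so each is bounds-checked
    before slicing rather than trusted.
    """
    options = {}
    pos = 0
    while True:
        if pos >= len(payload):
            raise ValueError("option list has no terminator")
        token = payload[pos]
        if token == PRELOGIN_TERMINATOR:
            break
        if pos + 5 > len(payload):
            raise ValueError("truncated option entry")
        offset, length = struct.unpack(">HH", payload[pos + 1:pos + 5])
        if offset + length > len(payload):
            raise ValueError(f"option {token:#x} points outside the payload")
        options[token] = payload[offset:offset + length]
        pos += 5
    return options


def decode_prelogin(packet: bytes) -> dict:
    """Decode a complete TDS PRELOGIN packet into named, readable option values."""
    hdr = parse_tds_header(packet)
    if hdr.ptype != TDS_TYPE_PRELOGIN:
        raise ValueError(f"not a PRELOGIN packet (type {hdr.ptype:#x})")
    decoded = {}
    for token, data in parse_prelogin_options(packet[8:]).items():
        name = OPTION_NAMES.get(token, f"UNKNOWN_{token:#x}")
        if token == 0x00 and len(data) == 6:
            # Assumed VERSION layout: major, minor, build (2 bytes), sub-build (2 bytes)
            major, minor, build, subbuild = struct.unpack(">BBHH", data)
            decoded[name] = f"{major}.{minor}.{build}.{subbuild}"
        elif token == 0x01 and len(data) == 1:
            decoded[name] = ENCRYPTION_NAMES.get(data[0], f"{data[0]:#x}")
        elif token == 0x02:
            # Instance name, NUL-terminated; empty here
            decoded[name] = data.split(b"\x00", 1)[0].decode("ascii", "replace")
        elif token in (0x04, 0x06) and len(data) == 1:
            decoded[name] = data[0]          # MARS / FEDAUTHREQUIRED flags
        else:
            decoded[name] = data.hex()       # THREADID, TRACEID, anything unknown
    return decoded


if __name__ == "__main__":
    hdr = parse_tds_header(TDS_PACKET)
    print(f"TDS type {hdr.ptype:#x} status {hdr.status:#x} length {hdr.length} packet {hdr.packet_id}")
    for name, value in decode_prelogin(TDS_PACKET).items():
        print(f"  {name:16} {value}")
```

Running it prints the seven options; the TRACEID value is the same 36-byte hex string that the tshark command in the answer extracts as `tds.prelogin.option.traceid`, and ENCRYPTION decodes to ENCRYPT_ON, i.e. the client asked for the login to be TLS-wrapped.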

1 Answer


answered 2024-03-06 14:20:46 +0000


updated 2024-03-07 03:55:24 +0000


I found that tshark.exe can parse the data in the correct format.

"C:\Program Files\Wireshark\tshark.exe"  -r NetworkTrace.pcapng  -Y "tds.type==18 && !tls" -T fields -e frame.time_utc -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport  -e tds.prelogin.option.traceid -E header=y -E separator=, -E quote=d -E occurrence=f
frame.time_utc,ip.src,tcp.srcport,ip.dst,tcp.dstport,tds.prelogin.option.traceid
"Mar  4, 2024 23:58:32.867157000 UTC","10.xx.0.xx","1466","xx.1xx.xxx.1","1433","5363526ed6eae44faa28695c803ba6b8527b3c7cab692b4a96b0d698c7a15d8902010000"

Comments

That doesn't fix the problem for Wireshark. If Wireshark isn't showing the tds.prelogin.option.traceid field, please report this as a bug on the Wireshark issues list, with a capture attached, so that we can fix this so that nobody else has this problem.

Guy Harris (2024-03-07 05:44:59 +0000)
