Sniffing specific TDS messages (with some broader implications)

Hi, I have to distinguish incoming SQL server connections on a host, sorting out encrypted ones and clear-text ones. I sampled two captures and saw that after the initial part that uses TLS also for the unencrypted connection (maybe password transfer?) the capture is of course different. In the clear text one I can see the TDS data back and forth. So, given that I have lots of hosts connecting to the server and a lot of data flowing, I was trying to find out a way to only sniff packets containing specific TDS packets, for example "Remote Procedure Call" that only exist in the clear-text ones. I'm not looking for a visualization filter, as in that case I have to sniff a ton of traffic killing the server. I would like to capture only those packets, so that I can see which clients are still using not encrypted connections. I have no way to interact with the DBA for this task, so I need to go to the wire. Thanks
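
One way to express the capture described above, as an added example that is not part of the original post: a BPF capture filter that keeps only client segments whose first TCP payload byte is a clear-text TDS request type (0x01 SQL batch, 0x03 RPC), with the same test replayed in Python on constructed segments. The port 1433, the function names and the sample payloads are assumptions made for the illustration.

```python
import struct

TDS_SQL_BATCH, TDS_RPC = 0x01, 0x03      # clear-text client request types (MS-TDS header byte 0)
PAYLOAD_OFF = "((tcp[12] & 0xf0) >> 2)"  # BPF: TCP header length in bytes = start of payload

def capture_filter(port=1433, types=(TDS_SQL_BATCH, TDS_RPC)):
    """BPF capture filter for client segments whose first payload byte is one of `types`."""
    tests = " or ".join(f"tcp[{PAYLOAD_OFF}] = 0x{t:02x}" for t in types)
    return f"tcp dst port {port} and ({tests})"

def matches(segment, port=1433, types=(TDS_SQL_BATCH, TDS_RPC)):
    """Same test in Python on one raw TCP segment (TCP header + payload)."""
    if len(segment) < 20:
        return False
    dst_port = struct.unpack_from("!H", segment, 2)[0]
    off = (segment[12] & 0xF0) >> 2          # data offset, as in PAYLOAD_OFF
    return dst_port == port and len(segment) > off and segment[off] in types

def tcp_segment(payload, dst_port=1433, options=b""):
    """Constructed TCP segment for the demo (checksum zero, PSH+ACK)."""
    doff = (20 + len(options)) // 4
    hdr = struct.pack("!HHIIBBHHH", 50000, dst_port, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    return hdr + options + payload

def tds_packet(ptype, body):
    """TDS header: type, status (EOM), length incl. header, SPID, packet id, window."""
    return struct.pack("!BBHHBB", ptype, 0x01, 8 + len(body), 0, 1, 0) + body

# Constructed sample payloads, not taken from a real capture.
SAMPLES = {
    "rpc_cleartext": tds_packet(TDS_RPC, b"\x00" * 16),
    "prelogin": tds_packet(0x12, b"\x00" * 16),
    "tls_app_data": b"\x17\x03\x03\x00\x10" + b"\xaa" * 16,
}

if __name__ == "__main__":
    print(capture_filter())
    for name, payload in SAMPLES.items():
        print(f"{name:14} captured={matches(tcp_segment(payload))}")
```

The printed expression can be given to `tcpdump` or to `dumpcap -f` as the capture filter; in libpcap the `tcp[...]` index applies to IPv4 traffic. Because only the first payload byte of each segment is tested, a segment that starts in the middle of a TLS record can match by chance, so confirm a flagged client by dissecting its packets in Wireshark.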