OSQA is unmaintained. Help us figure out where to go from here.

Hi All,

Just found the following thread on TNS dissecting... is it still there or TNS dissecting has been made possible by now? https://www.wireshark.org/lists/wireshark-users/201205/msg00022.html

Here's the SQL transaction that I'd like dissected if possible: h̶t̶t̶p̶s̶:̶/̶/̶d̶r̶i̶v̶e̶.̶g̶o̶o̶g̶l̶e̶.̶c̶o̶m̶/̶o̶p̶e̶n̶?̶i̶d̶=̶0̶B̶3̶1̶e̶4̶7̶U̶c̶q̶t̶4̶B̶d̶m̶t̶t̶a̶G̶R̶s̶c̶j̶E̶3̶Q̶k̶U̶

Update: Correct trace this time: https://drive.google.com/open?id=0B31e47Ucqt4BaHY3dDRHczBVWDA

Many thanks in anticipation!

asked 11 Apr, 10:11

Dmitriy's gravatar image

Dmitriy
215711
accept rate: 0%

edited 12 Apr, 09:08


Uhm... I see no TNS traffic in your capture file.

However, the TNS dissector has been updated recently, if you download an automated built version from https://www.wireshark.org/download/automated/ you can see whether your TNS traffic is dissected now. Beware that the automated built versions could be buggy as are built after adding new code to the git repository.

permanent link

answered 12 Apr, 06:05

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

SYN-bit:

Thanks for your reply. I'd need my other laptop to try an automated built version as you advised (will do it soon); meanwhile is your Wireshark not showing the same as mine in this screenshot here? https://drive.google.com/open?id=0B31e47Ucqt4BaFJub1lXdXkycXM

(12 Apr, 06:18) Dmitriy

I see a SOAP query over HTTP in your capture. I suspect you've uploaded or provided a link to, the "wrong" capture.

(12 Apr, 06:42) grahamb ♦

Sorry is this one any better? https://drive.google.com/open?id=0B31e47Ucqt4BaHY3dDRHczBVWDA (just noticed I had another trace with HTTP POST in it nearby, so I must've supplied a link to it by mistake)

(12 Apr, 08:02) Dmitriy

This is how the current code base dissects TNS:

screenshot

The specific function numbers are now dissecteed, but for dissecting the SQL queries and response data the dissector would need to be extended some more.

permanent link

answered 12 Apr, 08:55

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

SYN-bit:

"for dissecting the SQL queries and response data the dissector would need to be extended some more" - that's exactly what I'm after ideally. Is it realistic based on the time/effort required?

(12 Apr, 09:04) Dmitriy

Not sure what you mean by "realistic" but it would need someone to take interest in writing the code AND this person would need to have access to a lot of different TNS tracefiles to test the code against (TNS is a proprietary protocol so there are no protocol definitions to work from and everything needs to be reverse engineered).

(12 Apr, 09:11) SYN-bit ♦♦

Are dictionaries applicable here? I have some experience tailoring RADIUS/DIAMETER ones to our specific requirements and would be happy to contribute by means of developing a custom TNS dictionary based on the traces with our queries (unfortunately I can't do any coding)... if that helps at all.

(12 Apr, 10:23) Dmitriy

Nope, the TNS dissector does not use any dictionaries. But if you are able to create capture files with all kinds of variations of the protocol with descriptions of what means what in the tracefiles, I could help write the C code to implement it.

(14 Apr, 00:32) SYN-bit ♦♦

Sorry what I implied was if it's possible to make that TNS dissector use dictionaries, which could then be tailored by the users to suit their needs (like other dictionaries such as RADIUS/DIAMETER ones): I thought that'd help remove the need to cover all kinds of variations at the time of working on dissector code. Meanwhile I could try obtaining various traces from our lab but doubt it'll cover all kinds of variations that exist. SQL/TNS is just one of many interfaces in our current project that I need to test as part of my job.

(14 Apr, 04:31) Dmitriy

OK I've just requested our 3rd party partner who supply their own DB for our project to supply requested traces along with the comments. It'll take them a while, so I'll be back when ready.

(21 Apr, 04:48) Dmitriy

An enhancement request should be made for this on the Wireshark Bugzilla, and any captures and comments attached to it.

(21 Apr, 08:38) grahamb ♦

Sure: I'll take care of that.

(21 Apr, 08:59) Dmitriy
showing 5 of 8 show 3 more comments
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×3

question asked: 11 Apr, 10:11

question was seen: 375 times

last updated: 21 Apr, 08:59

p​o​w​e​r​e​d by O​S​Q​A