How can I decode SQL Server traffic with wireshark?

sql-server wireshark
41,925

Solution 1

Edit (2017-05-02): Microsoft Network Monitor - has been replaced by Microsoft Message Analyzer - which serves the same purpose. See also comment below this answer or the answer further down for how to use it!

Note: Microsoft Message Analyzer was deprecated in late 2019, and is no longer available for download.

Original Answer

There is another much underrated tool from Microsoft itself: 'Microsoft Network Monitor'. Basically this is very similar to wireshark with the exception that some specific MS protocols have better parser and visualisation support than wireshark itself and obviously it would only run under windows ;-).

The tool is quite old and looks abandoned (havn't seen a newer release so far) but still does an good job and the grammar for defining new protocols is quite neat/interesting - so this still possess a lot of power for the future. mnm 3.4 about dialog

Analysis Example - Recording is filtered for TDS - so the other packets are discared mostly:

Example Session for TDS (MSSQL)

This is also true for sql server connections. The MNM can even visualize the resultsets going over the wire - quite neat. Nonetheless wireshark as mentioned above would be sufficient to validate encryption and applied certificates on the wire itself. Means it can understand the TDS-Protocoll fully.

Handling TLS

Also with an extension (so called experts) 'NmDecrypt' and the right certificates (including private keys) - it is possible to decrypt protocolls - quite nice for TDS which uses TLS INSIDE of TDS - no wonder - no one has really implemented that yet as a fully supported protocoll for wireshark ;)

So far - regarding MSSQL-Traffic - or to be more precice TDS-Protocol this is the best tool I've come across so far. Wireshark is cool - but in this case MNM is 'better'. Have phun! ;)

Links for the tools:

Solution 2

Not wireshark, but for me the Microsoft Message Analyzer worked great for that.

To get all the sent commands

  1. Start a new session
  2. Add Live Trace as as Data Source
  3. Select Scenario (I chose Local Network Interfaces)
  4. Enter a session filter expression like *address == 10.1.2.129 to filter only traffic to your sql server.
  5. Click start
  6. Right click on column header in the massage table and select Add columns...
  7. Add TDS > SQLBatch > SqlBatchPacketData > SQLText

This should give you something like the following enter image description here

Unfortunately there is no autoscroll implemented at the moment, but you can sort by timestamp and have the new queries popping up at the top.

Solution 3

The question that you are refering to is how to prove that the traffic is encrypted.

So they were using wireshark to show that you could not read it.

The encryption was weak on earlier versions of SQL server, but I don't think that it is easy to decrypt SQL Server 2005 traffic.

Solution 4

Wireshark decodes and shows you captured data when understand the protocol (and layer). That means the captured data isn't encripted. If the data is encripted (SSL, ie), WS will only show SSL handshakes and raw data.

Share:
41,925
Pete
Author by

Pete

Updated on March 22, 2021

Comments

  • Pete
    Pete about 3 years

    I can capture the packets using wireshark, but I can't decode the stream into anything intelligible.

    This item in the WireShark bug database suggests that maybe this isn't possible in SQL Server 2005 or newer. But several people on Stack Overflow claimed this was a good method in answers to this question:

    How to validate SQL Server traffic is encrypted?

    Any help appreciated.

  • Pete
    Pete over 14 years
    But the question is, how did they prove that it was encrypted? You need to decode the TDS stream and it is not obvious (to me at least) how to do this in wireshark.
  • David Ching
    David Ching about 9 years
    MS Network Monitor has been replaced with Microsoft Message Analyzer and it indeed does nicely decrypt the TLS within TDS (NMDecrypt isn't required).
  • dalini
    dalini over 7 years
    This is wrong, as the MS-SQL-Protocol in use does SSL/TLS inside the protocol itself not on the outer most layer, which is quite common. So this is wrong in this case and won't indicate the correct answer if looking for ssl handshakes - there are never any in this case!
  • Evan Mulawski
    Evan Mulawski over 4 years
    This product is now deprecated with no replacement.
  • Evan Mulawski
    Evan Mulawski over 4 years
    This product is now deprecated with no replacement.
  • dalini
    dalini over 4 years
    to bad! was a neat tool... rip microsoft message analyzer - but well most probably to much effort in parallel existence of wireshark - question there: can wireshark by now decode TDS properly? really cool the scripting stuff for each protocol step... but well

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How do I filter SQL Server traffic between app and DB servers using Wireshark?
Converting image files to VARBINARY(max) in flutter
Creating Flutter Web Server that connects to an SQL server
Using SQL Server with Dart
How to connect easypaisa/jazzcash payment gateway in flutter?
Set a Value in Verbal using sql
How to connect Flutter app to SQL Server to send queries
How to connect to SQL Server with Flutter?
Flutter with Azure API connecting to SQL SERVER DB
Restore a backup file on AWS RDS SQL Server from S3 bucket