
List:       winpcap-users
Subject:    Re: [Winpcap-users] How to use WinpCap to capture SQL command send
From:       "Lam Hong Bac" <lamhong.bac () gmail ! com>
Date:       2008-07-22 12:28:29
Message-ID: ab3fd01f0807220528q6553f80h508f698290d91c7a () mail ! gmail ! com

Thanks Richard,

I know MS-SQL (2000) uses the TDS protocol. I found a document that says
something about this (I don't know if it is correct or not); if someone has
another document about TDS packets and/or sample code to reassemble packets,
please share it (thanks a lot). Hopefully, I can do my task. I post here the
document about the TDS packet if someone needs it.

.............. we know MS SQL 2000 uses TDS 8.0 in its package. The packet
format is listed as follows:
---------------------------------------------------------
| TDS package header (8 bytes) |      TDS payload       |
---------------------------------------------------------
TDS package header:
-------------------------------------------------------------------
| TOKEN | STATUS | LENGTH | SIGNED NUM | PACKET NUM | WINDOW SIZE |
-------------------------------------------------------------------
The field TOKEN is one byte, which shows the packet type. In this article, it is
0x12, which shows the request of ConnectionPreLogin to get some values, such
as the version of SQL Server. When SQL Server receives this kind of
package, it will pass the package to a function in SSlibnet.dll.
The STATUS field has one byte; 0x01 means it is the last packet in the TDS
session.
The LENGTH field has two bytes, which is the length of the TDS package including
the length of the TDS header.
The SIGNED NUM field has two bytes, which is reserved now.
The PACKET NUM field has one byte, which shows the sequence number in the
current TDS operation.
The WINDOW SIZE field has one byte, which is reserved now.
When the TOKEN field is 0x12, the format is:
-----------------------------------------------------------------------
| TDS package header (8 bytes) | Field Indicator Header | Information |
-----------------------------------------------------------------------
The Field Indicator Header is a table whose length is not fixed; each item
indicates the information of offset or length. Generally there are four fields
in MS SQL 2000; the structure of the Field Indicator Header is listed as
follows:
{
    BYTE CNETLIBVERNO;
    WORD CNETLIBVEROFFSET;
    WORD CNETLIBVERLEN;
    BYTE CENYFLAGNO;
    WORD CENYFLAGOFFSET;
    WORD CENYFLAGLEN;
    BYTE SINSTNAMENO;
    WORD SINSTNAMEOFFSET;
    WORD SINSTNAMELEN;
    BYTE CTHREADIDNO;
    WORD CTHREADIDOFFSET;
    WORD CTHREADIDLEN;
    BYTE FILEDEND;
}
The structure of the information is listed as follows:
{
    BYTE CNETLIBVER[CNETLIBVERLEN];
    BYTE CENYFLAG[CENYFLAGLEN];
    BYTE SINSTNAME[SINSTNAMELEN];
    DWORD CTHREADID[CTHREADIDLEN];
}
Field:
CNETLIBVERNO
Offset: 0
Length: 1
Meanings: The number of the NETLIB version in the client
Description: None
Remark: The value is 0x00 fixed

CNETLIBVEROFFSET
Offset: 1
Length: 2
Meanings: The offset of the NETLIB version in the client
Description: Network byte order
Remark:

CNETLIBVERLEN
Offset: 3
Length: 2
Meanings: The length of the information about the version of NETLIB in the client
Description: Network byte order
Remark: The value is 0x06 fixed

CENYFLAGNO
Offset: 5
Length: 1
Meanings: The number of the client encryption flag.
Description:
Remark: The value is 0x01 fixed

CENYFLAGOFFSET
Offset: 6
Length: 2
Meanings: The offset of the client encryption flag.
Description: Network byte order
Remark:

CENYFLAGLEN
Offset: 8
Length: 2
Meanings: The length of the client encryption flag.
Description: Network byte order
Remark: The value is 0x01 fixed

SINSTNAMENO
Offset: 0xA
Length: 1
Meanings: The number of the server's instance name.
Description:
Remark: The value is 2 fixed.

SINSTNAMEOFFSET
Offset: 0xB
Length: 2
Meanings: The offset of the server's instance name.
Description: Network byte order
Remark:

SINSTNAMELEN
Offset: 0xD
Length: 2
Meanings: The length of the server's instance name.
Description: Network byte order
Remark:

CTHREADIDNO
Offset: 0xF
Length: 1
Meanings: The number of the client's process.
Description:
Remark: The value is 3 fixed

CTHREADIDOFFSET
Offset: 0x10
Length: 2
Meanings: The offset of the client's process.
Description: Network byte order
Remark:

CTHREADIDLEN
Offset: 0x12
Length: 2
Meanings: The length of the client's process.
Description: Network byte order
Remark: The value is 4 fixed.

FILEDEND
Offset: 0x14
Length: 1
Meanings: This shows that the Field Indicator Header is over, and the
information follows
Description: The sign is 0xFF
Remark:

CNETLIBVER
Offset: 0x15
Length: 6
Meanings: The version of NETLIB
Description: The version of DBNETLIB.DLL
Remark: The format is network byte order. For example, if the version is
80.528.00, then the field is
    08 00 02 10 00 00

CENYFLAG
Offset: 0x1B
Length: 1
Meanings: The flag of client encryption.
Description: 0 encrypt, 1 don't encrypt
Remark:

SINSTNAME
Offset: 0x1C
Length: SINSTNAMELEN
Meanings: The instance name asked for by the client.
Description:
Remark: default is MSSQLserver

CTHREADID
Offset: 0x1C+SINSTNAMELEN
Length: 4
Meanings: The ID of the client's process
Description: Host byte order

............

Thanks
Bac
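
The field layout quoted above can be turned into a bounds-checked dissector. What follows is an added example written for this archive page, not code from the original post or from WinPcap: it parses the 8-byte TDS header and then walks the 0x12 field indicator table using only the offsets and lengths the document gives. Assumptions: the caller has already stripped the Ethernet/IP/TCP headers and reassembled the TCP stream so that one whole TDS packet sits in the buffer (WinPcap hands over raw frames and does no reassembly, which is the part the poster is still asking about); the table offsets are relative to the start of the TDS payload, as the document's values 0x15, 0x1B and 0x1C imply; and "host byte order" for CTHREADID is taken as little-endian. The sample packet, the struct names and the demo_* function names are constructed for this example. The point a capture tool has to get right is that OFFSET and LEN arrive from the wire, so each one is checked against LENGTH before it is dereferenced; the two demo_reject_* functions show a table entry pointing past the packet and a truncated buffer being refused rather than read.

```c
/* Added example (not from the original post or WinPcap). Table offsets are assumed to be
 * relative to the start of the TDS payload; CTHREADID is assumed little-endian. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TDS_HDR_LEN        8
#define TDS_TOKEN_PRELOGIN 0x12   /* TOKEN value for ConnectionPreLogin per the document */

struct tds_header {                /* the 8-byte TDS package header */
    uint8_t  token, status;
    uint16_t length, signed_num;   /* host order; LENGTH includes the header itself */
    uint8_t  packet_num, window_size;
};
struct prelogin_info {             /* the four items the document lists */
    uint8_t  netlib_ver[6];        /* CNETLIBVER, e.g. 08 00 02 10 00 00 for 80.528.00 */
    uint8_t  enc_flag;             /* CENYFLAG */
    char     inst_name[64];        /* SINSTNAME, NUL-terminated copy */
    uint32_t thread_id;            /* CTHREADID */
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 0 on success; -1 if the buffer is shorter than the header or LENGTH is inconsistent
 * (smaller than the header, or larger than the bytes actually held). */
int tds_parse_header(const uint8_t *buf, size_t buflen, struct tds_header *h)
{
    if (buflen < TDS_HDR_LEN) return -1;
    h->token = buf[0];          h->status = buf[1];
    h->length = be16(buf + 2);  h->signed_num = be16(buf + 4);
    h->packet_num = buf[6];     h->window_size = buf[7];
    if (h->length < TDS_HDR_LEN || h->length > buflen) return -1;
    return 0;
}

/* Walks the (NO, OFFSET, LEN) triples until FILEDEND (0xFF). OFFSET and LEN come from
 * the wire, so each is checked against the payload size before it is dereferenced. */
int tds_parse_prelogin(const uint8_t *buf, size_t buflen, struct prelogin_info *out)
{
    struct tds_header h;
    const uint8_t *pl;
    size_t pllen, i = 0;

    memset(out, 0, sizeof *out);
    if (tds_parse_header(buf, buflen, &h) != 0 || h.token != TDS_TOKEN_PRELOGIN) return -1;
    pl = buf + TDS_HDR_LEN;
    pllen = (size_t)h.length - TDS_HDR_LEN;

    for (;;) {
        uint16_t off, len; const uint8_t *f;
        if (i >= pllen) return -1;                   /* no 0xFF terminator */
        if (pl[i] == 0xFF) break;
        if (i + 5 > pllen) return -1;                /* truncated triple */
        off = be16(pl + i + 1);
        len = be16(pl + i + 3);
        if ((size_t)off + len > pllen) return -1;    /* field lies outside the packet */
        f = pl + off;
        switch (pl[i]) {
        case 0: if (len != 6) return -1; memcpy(out->netlib_ver, f, 6); break;
        case 1: if (len != 1) return -1; out->enc_flag = f[0]; break;
        case 2: if ((size_t)len >= sizeof out->inst_name) return -1;
                memcpy(out->inst_name, f, len); out->inst_name[len] = '\0'; break;
        case 3: if (len != 4) return -1;
                out->thread_id = (uint32_t)f[0] | ((uint32_t)f[1] << 8) |
                                 ((uint32_t)f[2] << 16) | ((uint32_t)f[3] << 24); break;
        default: break;                              /* unknown item: skip */
        }
        i += 5;
    }
    return 0;
}

/* Constructed sample packet (not a real capture), laid out at the document's offsets. */
static const uint8_t sample_prelogin[] = {
    0x12, 0x01, 0x00, 0x33, 0x00, 0x00, 0x01, 0x00,  /* header: 0x12, last, LENGTH 51 */
    0x00, 0x00, 0x15, 0x00, 0x06,                    /* CNETLIBVER at 0x15, 6 bytes   */
    0x01, 0x00, 0x1B, 0x00, 0x01,                    /* CENYFLAG   at 0x1B, 1 byte    */
    0x02, 0x00, 0x1C, 0x00, 0x0B,                    /* SINSTNAME  at 0x1C, 11 bytes  */
    0x03, 0x00, 0x27, 0x00, 0x04,                    /* CTHREADID  at 0x27, 4 bytes   */
    0xFF,                                            /* FILEDEND                      */
    0x08, 0x00, 0x02, 0x10, 0x00, 0x00,              /* version 80.528.00             */
    0x00,                                            /* encryption flag               */
    'M','S','S','Q','L','S','e','r','v','e','r',     /* instance name                 */
    0x34, 0x12, 0x00, 0x00                           /* thread id 0x1234, little-endian */
};

/* 1 if the sample parses to the values encoded above, else 0. */
int demo_parse_sample(void)
{
    struct prelogin_info pi;
    if (tds_parse_prelogin(sample_prelogin, sizeof sample_prelogin, &pi) != 0) return 0;
    return pi.netlib_ver[0] == 0x08 && pi.netlib_ver[2] == 0x02 && pi.netlib_ver[3] == 0x10 &&
           pi.enc_flag == 0 && strcmp(pi.inst_name, "MSSQLServer") == 0 && pi.thread_id == 0x1234u;
}
/* 1 if a table entry whose OFFSET points past LENGTH is rejected instead of read. */
int demo_reject_bad_offset(void)
{
    uint8_t bad[sizeof sample_prelogin];
    struct prelogin_info pi;
    memcpy(bad, sample_prelogin, sizeof bad);
    bad[19] = 0x00; bad[20] = 0xF0;   /* SINSTNAMEOFFSET -> 0x00F0, past the 43-byte payload */
    return tds_parse_prelogin(bad, sizeof bad, &pi) == -1;
}
/* 1 if a buffer shorter than LENGTH claims (a partial TCP segment) is rejected. */
int demo_reject_truncated(void)
{
    struct prelogin_info pi;
    return tds_parse_prelogin(sample_prelogin, 20, &pi) == -1;
}

int main(void)
{
    printf("sample parsed: %d, bad offset rejected: %d, truncated rejected: %d\n",
           demo_parse_sample(), demo_reject_bad_offset(), demo_reject_truncated());
    return 0;
}
```

In a pcap callback the same two functions would be called on the TCP payload once a full packet has been collected; because LENGTH is compared against the bytes actually held, a packet split across TCP segments is reported as incomplete instead of being parsed from a short buffer.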


_______________________________________________
Winpcap-users mailing list
Winpcap-users@winpcap.org
https://www.winpcap.org/mailman/listinfo/winpcap-users
