Discussion:
Database Protocol support
Al Aghili
2008-08-27 19:14:07 UTC
Hi,
I had a question regarding the DB protocols supported by tshark. I saw
mysql support but is there also support for other protocols for queries
to Oracle or DB2?

Thanks
Al
Guy Harris
2008-08-27 22:42:32 UTC
Post by Al Aghili
I had a question regarding the DB protocols supported by tshark. I
saw mysql support but is there also support for other protocols for
queries to Oracle or DB2?
I have the impression that Oracle uses a protocol that Wireshark calls
"TNS" (Transparent Network Substrate); that protocol is dissected by
Wireshark/TShark.

Wireshark/TShark also dissect a protocol called DRDA (Distributed
Relational Database Architecture); a comment in the DRDA dissector says:

 * DRDA in a nutshell
 *
 * DRDA stands for Distributed Relational Database Architecture.
 * It is a protocol between database client and database server published by
 * the Open Group (www.opengroup.org) DDM (Distributed Data Management) is an
 * data management interface which allows to exchange structured data between
 * systems. DRDA is specific to relational databases and uses a subset of DDM
 * to transport its data. The IBM DB2 product uses the DRDA protocol from
 * version V8. Unless negotiated differently during the handshake, the fields
 * of the DDM commands and reply messages are in EBCDIC.
 *
 * Documentation:
 * DRDA Version 3 Vol. 3: Distributed Relational Database Architecture,
 * Open Group.
 * Reference for Remote DRDA Requesters and Servers, IBM.
Joerg Mayer
2008-08-28 16:43:04 UTC
Post by Guy Harris
Post by Al Aghili
I had a question regarding the DB protocols supported by tshark. I
saw mysql support but is there also support for other protocols for
queries to Oracle or DB2?
I have the impression that Oracle uses a protocol that Wireshark calls
"TNS" (Transparent Network Substrate); that protocol is dissected by
Wireshark/TShark.
Wireshark/TShark also dissect a protocol called DRDA (Distributed
 * DRDA in a nutshell
 *
 * DRDA stands for Distributed Relational Database Architecture.
 * It is a protocol between database client and database server published by
 * the Open Group (www.opengroup.org) DDM (Distributed Data Management) is an
 * data management interface which allows to exchange structured data between
 * systems. DRDA is specific to relational databases and uses a subset of DDM
 * to transport its data. The IBM DB2 product uses the DRDA protocol from
 * version V8. Unless negotiated differently during the handshake, the fields
 * of the DDM commands and reply messages are in EBCDIC.
 *
 * DRDA Version 3 Vol. 3: Distributed Relational Database Architecture,
 * Open Group.
 * Reference for Remote DRDA Requesters and Servers, IBM.
We also have the SOURCES for a dissector that probably contains all the
interesting information. The files are epan/dissectors/packet-sqloracle.[hc]

The sources don't build with current Wireshark but if someone wants to use
the knowledge to create an Oracle dissector, it's there.

The file starts with the following comment:

/* packet-sqloracle.c
* Routines for SQL ORcle packet dissection
*
* The initial Wireshark version of this file was imported from the
* ClearSight source code package.
* No author/copyright given in the original file.

Ciao
Joerg
--
Joerg Mayer <jmayer-2TuS4uRBb1yzQB+***@public.gmane.org>
We are stuck with technology when what we really want is just stuff that
works. Some say that should read Microsoft instead of technology.
Al Aghili
2008-12-05 02:54:12 UTC
Hi,
Do you know if tshark can dissect MS SQL (ms sql 2005) protocol?

Thanks
Al

-----Original Message-----
From: wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org
[mailto:wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org] On Behalf Of Guy Harris
Sent: Wednesday, August 27, 2008 4:43 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Database Protocol support
Post by Al Aghili
I had a question regarding the DB protocols supported by tshark. I
saw mysql support but is there also support for other protocols for
queries to Oracle or DB2?
I have the impression that Oracle uses a protocol that Wireshark calls
"TNS" (Transparent Network Substrate); that protocol is dissected by
Wireshark/TShark.

Wireshark/TShark also dissect a protocol called DRDA (Distributed
Relational Database Architecture); a comment in the DRDA dissector says:

 * DRDA in a nutshell
 *
 * DRDA stands for Distributed Relational Database Architecture.
 * It is a protocol between database client and database server published by
 * the Open Group (www.opengroup.org) DDM (Distributed Data Management) is an
 * data management interface which allows to exchange structured data between
 * systems. DRDA is specific to relational databases and uses a subset of DDM
 * to transport its data. The IBM DB2 product uses the DRDA protocol from
 * version V8. Unless negotiated differently during the handshake, the fields
 * of the DDM commands and reply messages are in EBCDIC.
 *
 * Documentation:
 * DRDA Version 3 Vol. 3: Distributed Relational Database Architecture,
 * Open Group.
 * Reference for Remote DRDA Requesters and Servers, IBM.
Guy Harris
2008-12-05 03:01:21 UTC
Post by Al Aghili
Do you know if tshark can dissect MS SQL (ms sql 2005) protocol?
I have the impression that Microsoft SQL Server (and the Sybase server
from which it originally derived) uses a protocol that Wireshark calls
"TDS" (Tabular Data Stream):

http://en.wikipedia.org/wiki/Tabular_Data_Stream
http://msdn.microsoft.com/en-us/library/aa174503(sql.80).aspx
http://www.freetds.org/

That protocol is dissected by Wireshark/TShark, although whether we
dissect all versions of it, including the MS SQL Server 2005 version,
is another matter:

http://msdn.microsoft.com/en-us/library/cc448436.aspx
Al Aghili
2008-12-05 20:30:54 UTC
Hi Guy,

Yeah, it looks like MS SQL Server 2005 is not fully supported. I just ran
a test with it. In some cases you can see the query and the result
coming back, but in other cases you can't see either. Do you know if
there is a plan to support MS SQL 05 in the future? It's really close,
just not consistent.

Thanks
Al

-----Original Message-----
From: wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org
[mailto:wireshark-users-bounces-IZ8446WsY0/***@public.gmane.org] On Behalf Of Guy Harris
Sent: Thursday, December 04, 2008 8:01 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Database Protocol support
Post by Al Aghili
Do you know if tshark can dissect MS SQL (ms sql 2005) protocol?
I have the impression that Microsoft SQL Server (and the Sybase server
from which it originally derived) uses a protocol that Wireshark calls
"TDS" (Tabular Data Stream):

http://en.wikipedia.org/wiki/Tabular_Data_Stream
http://msdn.microsoft.com/en-us/library/aa174503(sql.80).aspx
http://www.freetds.org/

That protocol is dissected by Wireshark/TShark, although whether we
dissect all versions of it, including the MS SQL Server 2005 version,
is another matter:

http://msdn.microsoft.com/en-us/library/cc448436.aspx
Guy Harris
2008-12-05 22:05:23 UTC
Post by Al Aghili
Yeah, it looks like MS SQL Server 2005 is not fully supported. I just ran
a test with it. In some cases you can see the query and the result
coming back, but in other cases you can't see either. Do you know if
there is a plan to support MS SQL 05 in the future? It's really close,
just not consistent.
There aren't "official" plans to support any protocol in Wireshark;
support happens when somebody decides to add it:

http://www.wireshark.org/faq.html#q1.11

Now that Microsoft appear to be documenting it, it might be easier to
fix issues with it, although we might need captures with problems in
order to fix the problems (and probably would need them to test the
fixes).
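As an added illustration of what a TDS dissector has to do before the query text of an MS SQL Server 2005 client becomes visible (this is example code written for this thread, not Wireshark's TDS dissector): split the TCP byte stream on the 8-byte TDS packet header, reassemble packets into a message using the end-of-message status bit, and then skip the ALL_HEADERS block that TDS 7.2 (SQL Server 2005) puts in front of the UCS-2 SQL text of a SQL Batch. The sample message is constructed by build_sql_batch (the SPID value is made up), and the layout follows the published MS-TDS specification.

```python
import struct

# TDS packet header (MS-TDS 2.2.3.1): type, status, length, SPID, packet id, window;
# length and SPID are big-endian and length includes the 8-byte header itself.
TDS_HEADER = struct.Struct(">BBHHBB")
TDS_SQL_BATCH = 0x01   # client message type carrying ad-hoc SQL text
STATUS_EOM = 0x01      # status bit: last packet of a message

def split_packets(stream):
    """Return [(type, status, payload), ...] for every TDS packet in a TCP byte stream."""
    pkts, off = [], 0
    while off + TDS_HEADER.size <= len(stream):
        ptype, status, length, _spid, _pid, _win = TDS_HEADER.unpack_from(stream, off)
        if length < TDS_HEADER.size or off + length > len(stream):
            raise ValueError(f"truncated TDS packet at offset {off}")
        pkts.append((ptype, status, stream[off + TDS_HEADER.size:off + length]))
        off += length
    return pkts

def reassemble(pkts):
    """Join packet payloads into messages; a message ends at the packet with EOM set."""
    msgs, buf, mtype = [], b"", None
    for ptype, status, payload in pkts:
        mtype = ptype if mtype is None else mtype
        buf += payload
        if status & STATUS_EOM:
            msgs.append((mtype, buf))
            buf, mtype = b"", None
    return msgs

def sql_batch_text(payload):
    """Decode the UCS-2 query of a TDS 7.2+ SQL Batch, skipping its ALL_HEADERS prefix."""
    total = struct.unpack_from("<I", payload, 0)[0]   # little-endian, counts itself
    return payload[total:].decode("utf-16-le")

def build_sql_batch(query, max_payload=32):
    """Constructed sample: ALL_HEADERS (one transaction-descriptor header) + query, fragmented."""
    txn_hdr = struct.pack("<IH8sI", 18, 0x0002, b"\0" * 8, 1)  # length, type, descriptor, count
    body = struct.pack("<I", 4 + len(txn_hdr)) + txn_hdr + query.encode("utf-16-le")
    chunks = [body[i:i + max_payload] for i in range(0, len(body), max_payload)]
    out = b""
    for n, chunk in enumerate(chunks):   # SPID 0x1234 below is a made-up value
        status = STATUS_EOM if n == len(chunks) - 1 else 0
        out += TDS_HEADER.pack(TDS_SQL_BATCH, status, 8 + len(chunk), 0x1234, n + 1, 0) + chunk
    return out

def queries_in_stream(stream):
    """Query text of every SQL Batch message in a client-to-server byte stream."""
    return [sql_batch_text(p) for t, p in reassemble(split_packets(stream)) if t == TDS_SQL_BATCH]
```

A query that is only partly visible in a capture is what you get when the stream is cut before the EOM packet, which is why a capture for a bug report should be taken without a filter so that every packet of the message is present.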
Bill Meier
2008-12-05 23:11:31 UTC
Post by Guy Harris
Post by Al Aghili
Yeah, it looks like MS SQL Server 2005 is not fully supported. I just ran
a test with it. In some cases you can see the query and the result
coming back, but in other cases you can't see either. Do you know if
there is a plan to support MS SQL 05 in the future? It's really close,
just not consistent.
There aren't "official" plans to support any protocol in Wireshark;
http://www.wireshark.org/faq.html#q1.11
Now that Microsoft appear to be documenting it, it might be easier to
fix issues with it, although we might need captures with problems in
order to fix the problems (and probably would need them to test the
fixes).
Can you supply a not too large capture?

If so, probably the best way is to open an enhancement request
(bugs.wireshark.org) and attach the capture.


Thanks
Bill Meier
2008-12-06 03:16:45 UTC
Bill,
I created a bug.
Please see attached. In mssql.txt you can't see the payload or the
table name. In mssql1.txt you can see part of the payload, but it's
truncated.
The most important issue is that you can't see the actual query that's
being made. It says Select but the sql query is not there.
In other db protocols like mysql, wireshark dissects the packet in a way
that can see the query.
Any help with this is greatly appreciated!
Al
Thanks

If possible, please attach the original capture file to the bug report.
That way, any changes made to the dissector can be tested.
Al Aghili
2008-12-06 14:00:55 UTC
I assume this is running tshark with the -w option. Do you need me to
set the filter -R tds when I run the test or no filter at all?

-----Original Message-----
From: Bill Meier [mailto:wmeier-***@public.gmane.org]
Sent: Friday, December 05, 2008 8:17 PM
To: Community support list for Wireshark
Cc: Al Aghili
Subject: Re: [Wireshark-users] Database Protocol support
Bill,
I created a bug.
Please see attached. In mssql.txt you can't see the payload or the
table name. In mssql1.txt you can see part of the payload, but it's
truncated.
The most important issue is that you can't see the actual query that's
being made. It says Select but the sql query is not there.
In other db protocols like mysql, wireshark dissects the packet in a way
that can see the query.
Any help with this is greatly appreciated!
Al
Thanks

If possible, please attach the original capture file to the bug report.
That way, any changes made to the dissector can be tested.
Bill Meier
2008-12-06 15:50:32 UTC
Post by Al Aghili
I assume this is running tshark with the -w option. Do you need me to
set the filter -R tds when I run the test or no filter at all?
It turns out that there is a bug 1101 which has an attached MSSQL 2005
capture.

Even so it can't hurt to have a 2nd capture.

It's best to use no filter at all, since the current dissector may not
correctly recognize frames as TDS, so just tshark -w ... should be OK.

(If desired you can mark the file as "private" when you attach it to bug
#3098)

Bill
