[Winpcap-users] How to use WinpCap to capture SQL command send over NIC

Richard Horton richard.horton at solstans.co.uk
Tue Jul 22 07:58:49 GMT 2008

2008/7/22 Lam Hong Bac <lamhong.bac at gmail.com>:
> Dear all,
> I can capture the packet (I found some demos on the net)
> but still cannot find the way to translate the packet into an MS-SQL command.
> The reason I need to do it with WinPcap is that my subject is writing a tool to
> audit MSSQL without slowing down SQL performance, meaning I need to capture all
> messages sent to the SQL server by using a tool to capture packets, not the SQL
> internal audit features.
> If there is any document that would help me do that, please advise.

Microsoft SQL (you may already know this so sorry if I'm teaching you
to suck eggs) uses a protocol called Tabular Data Service for
communications between the client and database server(s) [originally
used by Sybase until they came up with something better and then MS
picked up the pieces].  MS have expanded the original Sybase
implementation with their own APIs.

Unfortunately for you, both variants of the protocol are proprietary
and so have not been published. There is an LGPL variant called
FreeTDS, but how close it is to the MS variant I cannot tell.

If you are purely interested in the number of SELECT, UPDATE, INSERT,
DELETE type commands and the response times, you might, as suggested, be
able to work out the packet signature for each operation and then use
that alone to work out the rest.

Fragmented packets will need reassembly prior to decoding the TDS
stream if you are after full auditing.

Richard Horton
Users are like a virus: Each causing a thousand tiny crises until the
host finally dies.
http://www.solstans.co.uk - Solstans Japanese Bobtails and Norwegian Forest Cats
http://www.pbase.com/arimus - My online photogallery
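The approach Richard sketches (spot the statement type from the packet, and reassemble fragments before decoding the stream), as an added example that is not part of the original thread: a small Python TDS reassembler and classifier. It assumes the 8-byte TDS packet header (type, status, big-endian length including the header, SPID, packet id, window; status bit 0x01 marks the last packet of a message) and the TDS 7.2+ ALL_HEADERS prefix on a SQLBatch message, falling back to bare UTF-16LE text for older clients. The traffic it processes is constructed inside the script by its own encoder, not captured; feeding it from WinPcap plus a TCP reassembler, and pairing batches with TabularResult replies for response times, is left out.

```python
"""Reassemble a TDS byte stream into messages and classify SQL batches.
Added example; assumes the TDS header layout described in the lead-in."""
import re
import struct
from collections import Counter

TDS_HDR_LEN = 8
TDS_STATUS_EOM = 0x01          # status bit: last packet of this message
TDS_SQL_BATCH = 0x01           # client -> server: ad hoc SQL text
TDS_TYPE_NAMES = {0x01: "SQLBatch", 0x03: "RPC", 0x04: "TabularResult",
                  0x10: "Login7", 0x12: "PreLogin"}
AUDITED = ("SELECT", "INSERT", "UPDATE", "DELETE")


class TdsReassembler:
    """One instance per TCP direction. Feed in-order TCP payload chunks; get
    back complete TDS messages as (type, concatenated payload) tuples.
    Handles a TDS packet split across TCP segments and a message split
    across several TDS packets."""

    def __init__(self):
        self.buf = b""
        self.parts = []
        self.msg_type = None

    def feed(self, chunk):
        self.buf += chunk
        messages = []
        while len(self.buf) >= TDS_HDR_LEN:
            ptype, status, length, _spid, _pid, _win = struct.unpack(
                ">BBHHBB", self.buf[:TDS_HDR_LEN])
            if length < TDS_HDR_LEN:
                raise ValueError("bad TDS packet length %d" % length)
            if len(self.buf) < length:
                break                      # fragmented packet: wait for the rest
            if not self.parts:
                self.msg_type = ptype      # message type comes from its first packet
            self.parts.append(self.buf[TDS_HDR_LEN:length])
            self.buf = self.buf[length:]
            if status & TDS_STATUS_EOM:
                messages.append((self.msg_type, b"".join(self.parts)))
                self.parts = []
        return messages


def sql_batch_text(payload):
    """Return the SQL text of a SQLBatch payload. TDS 7.2+ prefixes the text
    with an ALL_HEADERS block whose first DWORD (little-endian) is its total
    length; TDS 7.0/7.1 send bare UTF-16LE. Assumption: a plausible total
    length means the block is present (bare ASCII-range UTF-16 text yields
    a huge value and fails the check)."""
    body = payload
    if len(payload) >= 4:
        total = struct.unpack("<I", payload[:4])[0]
        if 4 <= total <= len(payload) and (len(payload) - total) % 2 == 0:
            body = payload[total:]
    return body.decode("utf-16-le")


# leading whitespace and -- / /* */ comments, then the first keyword
STMT_RE = re.compile(r"^\s*(?:--[^\n]*\n|/\*.*?\*/|\s)*([A-Za-z]+)", re.S)


def classify(sql):
    """Map a batch to SELECT/INSERT/UPDATE/DELETE or OTHER by first keyword."""
    m = STMT_RE.match(sql)
    kw = m.group(1).upper() if m else ""
    return kw if kw in AUDITED else "OTHER"


def audit_stream(chunks):
    """Run client->server TCP payload chunks through the reassembler; return
    (per-kind counts, [(kind, sql), ...]) for the audit log."""
    reasm, counts, statements = TdsReassembler(), Counter(), []
    for chunk in chunks:
        for ptype, payload in reasm.feed(chunk):
            if ptype == TDS_SQL_BATCH:
                sql = sql_batch_text(payload)
                kind = classify(sql)
                counts[kind] += 1
                statements.append((kind, sql))
            else:
                counts[TDS_TYPE_NAMES.get(ptype, "0x%02x" % ptype)] += 1
    return counts, statements


def build_sql_batch(sql, max_packet=4096):
    """Encode SQL text as TDS 7.2+ SQLBatch packets (constructed test traffic).
    ALL_HEADERS = total length 22, one transaction-descriptor header of
    length 18 (type 0x0002, 8-byte descriptor, outstanding request count)."""
    all_headers = struct.pack("<IIHQI", 22, 18, 0x0002, 0, 1)
    payload = all_headers + sql.encode("utf-16-le")
    step = max_packet - TDS_HDR_LEN
    pieces = [payload[i:i + step] for i in range(0, len(payload), step)] or [b""]
    out = b""
    for i, piece in enumerate(pieces):
        status = TDS_STATUS_EOM if i == len(pieces) - 1 else 0
        out += struct.pack(">BBHHBB", TDS_SQL_BATCH, status,
                           TDS_HDR_LEN + len(piece), 0, i & 0xFF, 0) + piece
    return out


# Constructed sample: four batches, the INSERT forced across several TDS packets
SAMPLE = (build_sql_batch("SELECT name FROM sys.databases")
          + build_sql_batch("-- nightly\nUPDATE dbo.Accounts SET balance = balance - 10 WHERE id = 7")
          + build_sql_batch("INSERT INTO dbo.Audit VALUES (" + ",".join(["'x'"] * 400) + ")",
                            max_packet=512)
          + build_sql_batch("DELETE FROM dbo.Sessions WHERE expires < GETDATE()"))


def demo():
    """Deliver SAMPLE in 300-byte chunks, as a TCP capture might, and audit it."""
    return audit_stream([SAMPLE[i:i + 300] for i in range(0, len(SAMPLE), 300)])


if __name__ == "__main__":
    counts, stmts = demo()
    print(dict(counts))
    for kind, sql in stmts:
        print(kind, sql[:60])
```

The reassembler is the part that matters for full auditing: a long INSERT arrives as several TDS packets, each of which may itself straddle TCP segments, so nothing should be decoded until the packet whose status byte has the EOM bit set has been seen. Classification by first keyword is deliberately crude (a batch beginning with WITH or EXEC lands in OTHER), which is the trade-off Richard's "packet signature" shortcut implies.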
