[Winpcap-users] How to use WinpCap to capture SQL command send over NIC

Lam Hong Bac lamhong.bac at gmail.com
Tue Jul 22 12:28:29 GMT 2008


Thanks Richard,

I know MS-SQL (2000) uses the TDS protocol. I found a document about this (I
don't know if it is correct or not); if someone has another document about the TDS
packet, or sample code to reassemble packets, please share it (thanks a lot).
Hopefully I can do my task. I post the document on the TDS packet here in case
someone needs it.

.............. We know MS SQL 2000 uses TDS 8.0 in its packets. The packet
format is as follows:
-----------------------------------------------
| TDS packet header (8 bytes) |  TDS payload  |
-----------------------------------------------
TDS packet header:
-------------------------------------------------------------------
| TOKEN | STATUS | LENGTH | SIGNED NUM | PACKET NUM | WINDOW SIZE |
-------------------------------------------------------------------
The TOKEN field is one byte, which shows the packet type. In this article it is
0x12, which shows a ConnectionPreLogin request to get some values, such as
the version of SQL Server. When SQL Server receives this kind of packet, it
passes the packet to a function in SSlibnet.dll.
The STATUS field is one byte; 0x01 means it is the last packet in the TDS
session.
The LENGTH field is two bytes, which is the length of the TDS packet including
the length of the TDS header.
The SIGNED NUM field is two bytes, which is reserved for now.
The PACKET NUM field is one byte, which shows the sequence number in the
current TDS operation.
The WINDOW SIZE field is one byte, which is reserved for now.
When the TOKEN field is 0x12, the format is:
----------------------------------------------------------------------
| TDS packet header (8 bytes) | Field Indicator Header | Information |
----------------------------------------------------------------------
The Field Indicator Header is a table whose length is not fixed; each item
indicates the offset or length of a piece of information. Generally there are
four fields in MS SQL 2000; the structure of the Field Indicator Header is as
follows:
{
    BYTE CNETLIBVERNO;
    WORD CNETLIBVEROFFSET;
    WORD CNETLIBVERLEN;
    BYTE CENYFLAGNO;
    WORD CENYFLAGOFFSET;
    WORD CENYFLAGLEN;
    BYTE SINSTNAMENO;
    WORD SINSTNAMEOFFSET;
    WORD SINSTNAMELEN;
    BYTE CTHREADIDNO;
    WORD CTHREADIDOFFSET;
    WORD CTHREADIDLEN;
    BYTE FILEDEND;
}
The structure of the information is as follows:
{
    BYTE CNETLIBVER[CNETLIBVERLEN];
    BYTE CENYFLAG[CENYFLAGLEN];
    BYTE SINSTNAME[SINSTNAMELEN];
    DWORD CTHREADID[CTHREADIDLEN];
}
Field: CNETLIBVERNO
Offset: 0
Length: 1
Meaning: the number of the client NETLIB version field
Description: none
Remark: the value is fixed at 0x00

CNETLIBVEROFFSET
Offset: 1
Length: 2
Meaning: the offset of the client NETLIB version
Description: network byte order
Remark:

CNETLIBVERLEN
Offset: 3
Length: 2
Meaning: the length of the client NETLIB version information
Description: network byte order
Remark: the value is fixed at 0x06

CENYFLAGNO
Offset: 5
Length: 1
Meaning: the number of the client encryption flag field
Description:
Remark: the value is fixed at 0x01

CENYFLAGOFFSET
Offset: 6
Length: 2
Meaning: the offset of the client encryption flag
Description: network byte order
Remark:

CENYFLAGLEN
Offset: 8
Length: 2
Meaning: the length of the client encryption flag
Description: network byte order
Remark: the value is fixed at 0x01

SINSTNAMENO
Offset: 0x0A
Length: 1
Meaning: the number of the server instance name field
Description:
Remark: the value is fixed at 2

SINSTNAMEOFFSET
Offset: 0x0B
Length: 2
Meaning: the offset of the server instance name
Description: network byte order
Remark:

SINSTNAMELEN
Offset: 0x0D
Length: 2
Meaning: the length of the server instance name
Description: network byte order
Remark:

CTHREADIDNO
Offset: 0x0F
Length: 1
Meaning: the number of the client's process ID field
Description:
Remark: the value is fixed at 3

CTHREADIDOFFSET
Offset: 0x10
Length: 2
Meaning: the offset of the client's process ID
Description: network byte order
Remark:

CTHREADIDLEN
Offset: 0x12
Length: 2
Meaning: the length of the client's process ID
Description: network byte order
Remark: the value is fixed at 4

FILEDEND
Offset: 0x14
Length: 1
Meaning: marks the end of the Field Indicator Header; the information follows
Description: the sign is 0xFF
Remark:

CNETLIBVER
Offset: 0x15
Length: 6
Meaning: the version of NETLIB
Description: the version of DBNETLIB.DLL
Remark: the format is network byte order; for example, if the version is
80.528.00, the field is
    08 00 02 10 00 00

CENYFLAG
Offset: 0x1B
Length: 1
Meaning: the client encryption flag
Description: 0 encrypt, 1 don't encrypt
Remark:

SINSTNAME
Offset: 0x1C
Length: SINSTNAMELEN
Meaning: the instance name asked for by the client
Description:
Remark: the default is MSSQLserver

CTHREADID
Offset: 0x1C + SINSTNAMELEN
Length: 4
Meaning: the ID of the client's process
Description: host byte order
............

Thanks
Bac
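Added worked example (editor's addition; this is neither part of Bac's post nor of the document he quotes, and it is not WinPcap code): a Python parser for the packet layout described above. It walks one direction of a TCP stream packet by packet using the LENGTH field, joins payloads until a packet's STATUS carries the end-of-message bit 0x01 (the "reassembly" asked for in the post), and decodes the PRELOGIN option table: 5-byte TOKEN/OFFSET/LENGTH entries terminated by 0xFF, with offsets relative to the start of the payload, so the VERSION data lands at 0x15, the encryption flag at 0x1B and the instance name at 0x1C exactly as the quoted table says. Every offset is bounds-checked before it is used, since a capture tool that trusts LENGTH or OFFSET values from the wire is itself a target. All traffic in the block is constructed inline, not captured. Assumptions beyond the page: SIGNED NUM is labelled spid (the name MS-TDS gives that field); the encryption flag names follow the later-published MS-TDS specification, where 0x00 is ENCRYPT_OFF and 0x01 is ENCRYPT_ON (the quoted document states the opposite); a SQL Server 2000 SQL batch (packet type 0x01) is decoded as UTF-16LE query text; and the thread ID is read little-endian, taking the document's "host byte order" to mean an x86 client.

```python
import struct

# TDS packet header, 8 bytes, multi-byte fields in network (big-endian) order:
# TOKEN(1) STATUS(1) LENGTH(2) SIGNED NUM(2) PACKET NUM(1) WINDOW SIZE(1)
TDS_HEADER = struct.Struct(">BBHHBB")
TDS_HEADER_LEN = TDS_HEADER.size                    # 8
PKT_SQL_BATCH = 0x01                                # assumption: SQL 2000 batch payload is UTF-16LE text
PKT_PRELOGIN = 0x12                                 # ConnectionPreLogin
STATUS_EOM = 0x01                                   # STATUS bit: last packet of the message
# PRELOGIN option table: 5-byte entries TOKEN(1) OFFSET(2) LENGTH(2), ended by 0xFF.
OPT_VERSION, OPT_ENCRYPTION, OPT_INSTOPT, OPT_THREADID, OPT_END = 0x00, 0x01, 0x02, 0x03, 0xFF
# Assumption: flag names per the published MS-TDS spec (0 = ENCRYPT_OFF, 1 = ENCRYPT_ON).
ENCRYPTION_NAMES = {0: "ENCRYPT_OFF", 1: "ENCRYPT_ON", 2: "ENCRYPT_NOT_SUP", 3: "ENCRYPT_REQ"}

def parse_header(buf):
    """Decode one TDS header; reject a LENGTH that does not fit the bytes actually held."""
    if len(buf) < TDS_HEADER_LEN:
        raise ValueError("short TDS header")
    ptype, status, length, spid, packet_id, window = TDS_HEADER.unpack_from(buf)
    if length < TDS_HEADER_LEN or length > len(buf):
        raise ValueError("LENGTH %d does not fit %d available bytes" % (length, len(buf)))
    return {"type": ptype, "status": status, "length": length, "spid": spid,
            "packet_id": packet_id, "window": window}

def reassemble_messages(stream):
    """Join packet payloads until a packet carries the EOM bit; returns [(type, payload)]."""
    messages, msg_type, chunks, pos = [], None, [], 0
    while pos < len(stream):
        hdr = parse_header(stream[pos:])
        if msg_type is not None and hdr["type"] != msg_type:
            raise ValueError("packet type changed inside a message")
        msg_type = hdr["type"]
        chunks.append(stream[pos + TDS_HEADER_LEN:pos + hdr["length"]])
        pos += hdr["length"]
        if hdr["status"] & STATUS_EOM:
            messages.append((msg_type, b"".join(chunks)))
            msg_type, chunks = None, []
    if chunks:
        raise ValueError("stream ended before the EOM packet")
    return messages

def parse_prelogin(payload):
    """Walk the option table; OFFSET values are relative to the start of the PRELOGIN payload."""
    raw, pos = {}, 0
    while pos < len(payload) and payload[pos] != OPT_END:
        if pos + 5 > len(payload):
            raise ValueError("truncated option entry")
        token, offset, length = struct.unpack_from(">BHH", payload, pos)
        if offset + length > len(payload):
            raise ValueError("option %#x points outside the payload" % token)
        raw[token] = payload[offset:offset + length]
        pos += 5
    if pos >= len(payload):
        raise ValueError("option table has no 0xFF terminator")
    info = {"raw": raw}
    if len(raw.get(OPT_VERSION, b"")) == 6:            # major, minor, build (BE), sub-build (BE)
        v = raw[OPT_VERSION]
        info["version"] = "%d.%d.%d" % (v[0], v[1], struct.unpack(">H", v[2:4])[0])
    if len(raw.get(OPT_ENCRYPTION, b"")) == 1:
        info["encryption"] = ENCRYPTION_NAMES.get(raw[OPT_ENCRYPTION][0], "UNKNOWN")
    if OPT_INSTOPT in raw:
        info["instance"] = raw[OPT_INSTOPT].rstrip(b"\x00").decode("ascii", "replace")
    if len(raw.get(OPT_THREADID, b"")) == 4:           # assumption: host order = little-endian x86
        info["thread_id"] = struct.unpack("<I", raw[OPT_THREADID])[0]
    return info

def build_packet(ptype, payload, packet_id=1, last=True):
    status = STATUS_EOM if last else 0
    return TDS_HEADER.pack(ptype, status, TDS_HEADER_LEN + len(payload), 0, packet_id, 0) + payload

def build_prelogin(major, minor, build, encryption, instance, thread_id):
    """Option table followed by the option data, laid out as the quoted document describes."""
    values = [(OPT_VERSION, bytes([major, minor]) + struct.pack(">HH", build, 0)),
              (OPT_ENCRYPTION, bytes([encryption])),
              (OPT_INSTOPT, instance.encode("ascii") + b"\x00"),
              (OPT_THREADID, struct.pack("<I", thread_id))]
    table, data, base = b"", b"", 5 * len(values) + 1  # data starts right after the 0xFF terminator
    for token, value in values:
        table += struct.pack(">BHH", token, base + len(data), len(value))
        data += value
    return table + bytes([OPT_END]) + data

# Constructed sample traffic (not a capture): a PRELOGIN, then one SQL batch split over two packets.
SAMPLE_PRELOGIN = build_packet(PKT_PRELOGIN, build_prelogin(8, 0, 528, 0, "MSSQLServer", 0x1234))
_QUERY = "SELECT name FROM sysobjects WHERE xtype = 'U'".encode("utf-16-le")
SAMPLE_STREAM = (SAMPLE_PRELOGIN
                 + build_packet(PKT_SQL_BATCH, _QUERY[:20], packet_id=1, last=False)
                 + build_packet(PKT_SQL_BATCH, _QUERY[20:], packet_id=2, last=True))

def decode_stream(stream):
    """What a capture tool would log for each reassembled client-to-server message."""
    out = []
    for ptype, payload in reassemble_messages(stream):
        if ptype == PKT_PRELOGIN:
            out.append(("PRELOGIN", parse_prelogin(payload)))
        elif ptype == PKT_SQL_BATCH:
            out.append(("SQL_BATCH", payload.decode("utf-16-le")))
        else:
            out.append(("TYPE_%#04x" % ptype, payload))
    return out

if __name__ == "__main__":
    for kind, value in decode_stream(SAMPLE_STREAM):
        print(kind, value)
```

Running the file prints the decoded PRELOGIN (version 8.0.528, ENCRYPT_OFF, instance MSSQLServer) followed by the reassembled query text. To use it with WinPcap, feed it the TCP payload bytes of one direction of the port-1433 connection after TCP reassembly; WinPcap hands back raw link-layer frames, so IP/TCP parsing and segment ordering have to happen before this code sees anything. The PRELOGIN exchange is sent in the clear, which is why the encryption flag is worth logging: if the negotiated answer is ENCRYPT_OFF, the login and every SQL batch that follows is readable from the capture exactly as shown here.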