TDS Parser

  • Question

  • I am looking for the parser logic to parse the TDS packet, and how can Network Monitor help? Is there any way Network Monitor can return an XML parser result to my custom VC application? And is the NmDecrypt logic able to handle the SQL Server login 7 TLS/SSL packet? Thanks. (cz_351@hotmail.com)

    Paul's reply,

    The TDS parser is available in the Windows profile.  If you are unable to view TDS traffic with this profile selected, please let me know.  BTW, the forums (social.technet.microsoft.com/.../netmon) might be a better place to follow up.

    As for the TLS/SSL traffic, does the TDS traffic ride on top of TLS/SSL?  Again, the forums might be a better place to discuss this.



    Paul, I have reposted the thread over here, and yes, the login 7 rides on top of TLS/SSL, which has been detected as a TLS packet in Network Monitor. I am not sure what it means that the TDS parse logic is available in the Windows profile; can you explain more? Thanks.

    Tuesday, May 24, 2011 5:19 AM

All replies

  • There are a few built-in parser profiles in Network Monitor 3.4.  Default includes a subset of all parsers and is higher performing when opening and filtering.  But if you need more full parsing, then the Windows parsers set will parse everything.  The TDS parser is part of the Windows profile.  BTW, it's possible to create your own subset of parsers if you are so inclined.

    OK, so as it's TLS first, that means the TDS parser is encrypted on top.  That means that you need to decrypt it first to see the TDS traffic.  I looked at our parsers and it doesn't call TDS by default, but that's OK, we can fix that with a simple update to the parsers.

    So first step, let's see if the decryption works with this traffic.  I think it should, but I've found that some variations need special attention in the NMDecryption code, so we'll have to give it a try.  What you'll need is the private Certificate and a network trace with a full TLS conversation with the Client Hello/Server Hello.  The best way to do this is to make sure you restart the TDS/TLS application after starting a trace.  If you look at the NMDecrypt documentation, it has instructions on what this traffic should look like and instructions on how to export the cert.  Once you have everything ready, you'll need to find the appropriate conversation to decrypt in the trace.  The best way is to filter on TLS, then look for a client hello.  Right click this frame and Find Conversation->TCP.  Then run the expert with this conversation selected.

    If you have a problem with any of these steps, let me know.


    Tuesday, May 24, 2011 1:44 PM
  • Paul, thanks for your reply. The steps are a little bit complicated, and I may need to solve my problem one by one. Firstly, I am looking for the TDS parser that can parse it and return it in XML; I believe there should be such tools available. Also, I am currently writing a VC program which uses a socket to capture the TDS packet in full and needs to parse it into a readable format (e.g., XML). I may need your suggestion on how I can take advantage of netmon to help with my application. Thanks.

    Monday, May 30, 2011 2:06 PM
  • You can use our NMAPI to parse the data and return each field in the TDS protocol.  But you'll have to convert it to XML or whatever alternate format you need.

    As a first step, you could try to parse the data you collected with our parsers.  I would look at the simple parsing example "Iterating Frame Data" in the help file that installs with NM3.4.  Since it seems like you are collecting the TDS data manually (not using our capture driver), you'll need to tell our parser that you are collecting data at a different level than Ethernet.  For instance, if you are collecting the TDS data directly, then you need to use NmConfigureStartDataType to tell your parser configuration that TDS is the starting point.

    Does that much make sense so far?


    Wednesday, June 1, 2011 3:28 PM
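
As an added example (not from the thread and not using NMAPI), the following C code parses the 8-byte TDS packet header defined in MS-TDS into an XML element and flags a buffer that starts with a raw TLS record, which is how the Login7 exchange in this thread shows up on the wire. The function names, the XML element layout and the sample bytes are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* MS-TDS packet header: 8 bytes, multi-byte fields are big-endian. */
typedef struct { uint8_t type, status; uint16_t length, spid; uint8_t packet_id, window; } tds_header;

/* Constructed samples: a 12-byte SQL batch packet and the start of a TLS application-data record. */
static const uint8_t SAMPLE_TDS[] = {0x01,0x01,0x00,0x0C,0x00,0x00,0x01,0x00, 0x00,0x00,0x00,0x00};
static const uint8_t SAMPLE_TLS[] = {0x17,0x03,0x01,0x00,0x20,0x00,0x00,0x00};

static const char *tds_type_name(uint8_t t) {
    switch (t) {
    case 0x01: return "SQLBatch";
    case 0x03: return "RPC";
    case 0x04: return "TabularResult";
    case 0x06: return "Attention";
    case 0x10: return "Login7";
    case 0x12: return "PreLogin";
    default:   return "Other";
    }
}

/* 0 = TDS header parsed into *h, 1 = raw TLS record (decrypt first), -1 = short or invalid. */
int tds_classify(const uint8_t *p, size_t n, tds_header *h) {
    /* TLS record header: content type 20..23, then major version 3. */
    if (n >= 5 && p[0] >= 0x14 && p[0] <= 0x17 && p[1] == 0x03) return 1;
    if (n < 8) return -1;
    h->type = p[0]; h->status = p[1];
    h->length = (uint16_t)((p[2] << 8) | p[3]);
    h->spid = (uint16_t)((p[4] << 8) | p[5]);
    h->packet_id = p[6]; h->window = p[7];
    /* Length counts the header itself and must fit in the captured buffer. */
    return (h->length >= 8 && h->length <= n) ? 0 : -1;
}

/* Writes one XML element; type names are fixed strings, so no escaping is needed. */
int tds_to_xml(const tds_header *h, char *out, size_t cap) {
    return snprintf(out, cap,
        "<tds type=\"%s\" status=\"0x%02X\" length=\"%u\" spid=\"%u\" packetId=\"%u\" window=\"%u\"/>",
        tds_type_name(h->type), (unsigned)h->status, (unsigned)h->length,
        (unsigned)h->spid, (unsigned)h->packet_id, (unsigned)h->window);
}

int main(void) {
    tds_header h; char xml[160];
    if (tds_classify(SAMPLE_TDS, sizeof SAMPLE_TDS, &h) == 0 && tds_to_xml(&h, xml, sizeof xml) > 0)
        puts(xml);
    if (tds_classify(SAMPLE_TLS, sizeof SAMPLE_TLS, &h) == 1)
        puts("<tls note=\"encrypted record, decrypt before TDS parsing\"/>");
    return 0;
}
```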