Not able to decode MS TDS protocol with Netmon

  • Question

  • Hello. I have SQL Server 2008 with a self-signed cert. I'm trying to decrypt a TDS 4.2 Login packet encrypted with SSL/TLS. The NmDecrypt Network Monitor module won't see the encrypted frames with data, so when it is done it produces a file identical to the initial capture file.
    Friday, January 20, 2012 1:34 PM

All replies

  • If you turn on the logging for the decryption expert, you can give us a better idea of what's happening.

    Usually the most common issues are missing setup information in the TCP stream, or not selecting the TCP stream from the UI in the Conversation Window before running the tool.

    Thanks,


    Michael Hawker | Program Manager | Network Monitor
    Friday, January 20, 2012 8:15 PM
  • Hi! Thanks for the response. I understand that I need to give more detail on my question, so here is a debug log from NmDecrypt. As I see it, it can't recognise streams where, in one TCP session, "non-SSL data" -> "SSL handshake with payload data" (frame id=14 in my debug log below) -> "non-SSL data" arrive, which is exactly what the MS-TDS protocol does. So it won't try to decrypt the SSL TDS 4.2 Login7 header in frame 14:

    PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ApplicationData.SSLApplicationData With Value: Binary Large Object (3328 Bytes)

    -.-.-.-.-.-.- SSL Decryption Log -.-.-.-.-.-.-
    Log Created On: 20.01.2012 22:51:07
    NMAPIs Initialized.
    Initializing Netmon Parsers...
    sparser.npb:001.000 Successfully unserialized NPL parser 'C:\ProgramData\Microsoft\Network Monitor 3\NPL\NetworkMonitor Parsers\Profiles\64BAA24A-0AAD-44e6-9846-3BE43D698FF6\sparser.npb.
    Netmon Parsers initialized successfully.
    Adding SSLVersionSelector Display Filter...
    Display Filter added successfully
    Adding Conversation.TCP.Id == 2 Conversation Filter...
    Conversation Filter added successfully
    Adding Conversation.TCP.Id == 2 Conversation Filter...
    Conversation Filter added successfully
    ****Warning****: Netmon Parser Version: 3.4.2350.0 may have different filter set and might cause Expert to fail. Please use 3.4.2371.1 or greater.
    Opening Encrypted Capture File: C:\aaaaa.cap
    Creating Decrypted Capture File: C:\nnnn.cap
    Using Init Filter String of Ethernet.Ipv4.Tcp.TCPPayload.TlsSslData.Tls.
    Changing Conversation ID from 18446744073709551615 to 2
    ===========================================================================
    Processing Frame Number: 14
    ===========================================================================
    Found 60 Fields in Frame 14:
    Processing Field: PayloadHeader With Value: Reassembled Protocol=TCP, FrameCount=3,Length=3333
    14: Processing Field: PayloadHeader.Version With Value: 0x200
    14: Processing Field: PayloadHeader.HeaderLength With Value: 136 (0x88)
    14: Processing Field: PayloadHeader.Type With Value: Re-assembled
    14: Processing Field: PayloadHeader.ReassembledProtocol With Value: TCP
    14: Processing Field: PayloadHeader.RStatus With Value: Complete successfully (0)
    14: Processing Field: PayloadHeader.LowerProtocolCount With Value: 2 (0x2)
    14: Processing Field: PayloadHeader.LowerProtocol With Value: IPv4
    14: Processing Field: PayloadHeader.LowerProtocol.ProtocolName With Value: IPv4
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKeyLength With Value: 8 (0x8)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey With Value:
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 187 (0xBB)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 192 (0xC0)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 168 (0xA8)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 192 (0xC0)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 44 (0x2C)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 195 (0xC3)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 168 (0xA8)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 192 (0xC0)
    14: Processing Field: PayloadHeader.LowerProtocol.PropertyBlockLength With Value: 12 (0xC)
    14: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties With Value: Source Address = 192.168.195.44, Destination Address = 192.168.192.187
    14: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.SourceAddressDescriptor With Value: Not cumulative, number big endian, Length given:4 bytes
    14: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.SourceAddress With Value: 192.168.195.44
    Repurposing Source IP Address: 192.168.195.44
    14: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.DestinationAddressDescriptor With Value: Not cumulative, number big endian, Length given:4 bytes
    14: Processing Field: PayloadHeader.LowerProtocol.IPv4Properties.DestinationAddress With Value: 192.168.192.187
    Using Destination IP Address 192.168.192.187
    14: Processing Field: PayloadHeader.LowerProtocol With Value: TCP
    14: Processing Field: PayloadHeader.LowerProtocol.ProtocolName With Value: TCP
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKeyLength With Value: 4 (0x4)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey With Value:
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 153 (0x99)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 5 (0x5)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 240 (0xF0)
    14: Processing Field: PayloadHeader.LowerProtocol.ConversationKey.ConversationKey With Value: 249 (0xF9)
    14: Processing Field: PayloadHeader.LowerProtocol.PropertyBlockLength With Value: 50 (0x32)
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties With Value:
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SourcePortDescriptor With Value: Not cumulative, number big endian
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SourcePort With Value: 63984 (0xF9F0)
    Using Source Port: 17363909838303657984
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.DestinationPortDescriptor With Value: Not cumulative, number big endian
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.DestinationPort With Value: 1433 (0x599)
    Using Destination Port: 11026219262686527488
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SeqNumberDescriptor With Value: Not cumulative, number big endian
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.SeqNumber With Value: 3686707631 (0xDBBEB1AF)
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.NextSeqNumberDescriptor With Value: Not cumulative, number big endian, Update with the latest
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.NextSeqNumber With Value: 3686710964 (0xDBBEBEB4)
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.TcpFlagsDescriptor With Value: Not cumulative, number big endian, Update with the latest
    14: Processing Field: PayloadHeader.LowerProtocol.TCPProperties.TcpFlags With Value: 24 (0x18)
    14: Processing Field: PayloadHeader.FrameCount With Value: 3 (0x3)
    14: Processing Field: PayloadHeader.PayloadLength With Value: 3333 (0xD05)
    14: Processing Field: PayloadHeader.ContainedProtocol With Value:
    14: Processing Field: PayloadHeader.TDS With Value: TLS SSL Data
    14: Processing Field: PayloadHeader.TDS.TLSSSLData With Value: Transport Layer Security (TLS) Payload Data
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS With Value: TLS Rec Layer-1 SSL Application Data
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer With Value:
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer With Value: TLS Rec Layer-1 SSL Application Data
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ContentType With Value: SSL Application Data
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version With Value: TLS 1.0
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Major With Value: 3 (0x3)
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Version.Minor With Value: 1 (0x1)
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.Length With Value: 3328 (0xD00)
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ApplicationData With Value: Binary Large Object (3328 Bytes)
    14: Processing Field: PayloadHeader.TDS.TLSSSLData.TLS.TlsRecLayer.TlsRecordLayer.ApplicationData.SSLApplicationData With Value: Binary Large Object (3328 Bytes)
    -.-.-.-.-.-.- SSL Decryption Log Ends-.-.-.-.-.-.-
    • Edited by DDN Friday, January 20, 2012 8:51 PM CrLf buggy
    Friday, January 20, 2012 8:49 PM
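The interleaving the two posts above describe (plaintext TDS PRELOGIN, then a TLS handshake carried inside TDS packets, then bare TLS application data holding the encrypted LOGIN7, then plaintext TDS again once only the login was encrypted) is easy to make visible if you walk one direction of the TCP stream and label each unit as a TDS packet or a TLS record. The script below is an added example written for this page; it is not code from the thread or from Network Monitor/NmDecrypt. The TDS packet types and the 8-byte TDS header layout follow the public MS-TDS specification; the sample stream, the helper names (`classify_stream`, `phases`, `returns_to_plaintext`) and the PRELOGIN/ClientHello byte strings are constructed for the example and are not a real capture.

```python
# Added example (not from this thread or from Network Monitor): walk one direction
# of a TCP stream carrying MS-TDS and label every unit as either a TDS packet or a
# bare TLS record, so the phase changes the thread describes become visible:
# plaintext TDS PRELOGIN -> TLS handshake inside TDS packets -> bare TLS
# application data (encrypted LOGIN7) -> plaintext TDS again.
import struct

# TDS packet types from the 8-byte MS-TDS header (type, status, length BE, SPID,
# packet id, window). 0x12 is PRELOGIN; 0x04 carries the server's replies.
TDS_TYPES = {
    0x01: "SQL_BATCH", 0x02: "PRE_TDS7_LOGIN", 0x03: "RPC", 0x04: "TABULAR_RESULT",
    0x06: "ATTENTION", 0x07: "BULK_LOAD", 0x0E: "TRANSACTION_MANAGER",
    0x10: "TDS7_LOGIN", 0x11: "SSPI", 0x12: "PRELOGIN",
}
# TLS record content types; none of them is a valid TDS packet type, so the
# first byte alone separates a TDS header from a TLS record header.
TLS_TYPES = {0x14: "CHANGE_CIPHER_SPEC", 0x15: "ALERT", 0x16: "HANDSHAKE", 0x17: "APPLICATION_DATA"}
TDS_HDR, TLS_HDR = 8, 5


def parse_tds_header(buf, off):
    """(type, status, total_length) of the TDS header at off, or None if it is not one."""
    if off + TDS_HDR > len(buf):
        return None
    ptype, status, length = struct.unpack_from(">BBH", buf, off)
    if ptype not in TDS_TYPES or length < TDS_HDR:
        return None
    return ptype, status, length


def parse_tls_header(buf, off):
    """(content_type, (major, minor), fragment_length) of a TLS record header, or None."""
    if off + TLS_HDR > len(buf):
        return None
    ctype, major, minor, length = struct.unpack_from(">BBBH", buf, off)
    if ctype not in TLS_TYPES or major != 3:
        return None
    return ctype, (major, minor), length


def classify_stream(buf):
    """Split buf into (kind, offset, size) units; raise on truncation or unknown bytes."""
    units, off = [], 0
    while off < len(buf):
        tds = parse_tds_header(buf, off)
        if tds:
            ptype, _status, length = tds
            if off + length > len(buf):
                raise ValueError(f"truncated TDS packet at offset {off}")
            kind = "TDS_" + TDS_TYPES[ptype]
            # During PRELOGIN the TLS handshake rides inside TDS packets
            # (client side type 0x12, server side type 0x04); look only inside this packet.
            inner = parse_tls_header(buf[off:off + length], TDS_HDR)
            if ptype in (0x12, 0x04) and inner:
                kind += "_CARRYING_TLS_" + TLS_TYPES[inner[0]]
            units.append((kind, off, length))
            off += length
            continue
        tls = parse_tls_header(buf, off)
        if tls:
            ctype, _ver, length = tls
            size = TLS_HDR + length
            if off + size > len(buf):
                raise ValueError(f"truncated TLS record at offset {off}")
            units.append(("TLS_" + TLS_TYPES[ctype], off, size))
            off += size
            continue
        raise ValueError(f"neither TDS nor TLS header at offset {off}")
    return units


def phases(units):
    """Collapse consecutive units into the ordered list of transport phases."""
    out = []
    for kind, _off, _size in units:
        phase = ("TLS_IN_TDS" if "_CARRYING_TLS_" in kind
                 else "BARE_TLS" if kind.startswith("TLS_") else "PLAINTEXT_TDS")
        if not out or out[-1] != phase:
            out.append(phase)
    return out


def returns_to_plaintext(units):
    """True when plaintext TDS follows bare TLS, i.e. only the login was encrypted."""
    p = phases(units)
    return any(p[i] == "BARE_TLS" and p[i + 1] == "PLAINTEXT_TDS" for i in range(len(p) - 1))


# --- constructed sample stream (client -> server); not a real capture ---
def tds_packet(ptype, payload, status=0x01):
    return struct.pack(">BBHHBB", ptype, status, TDS_HDR + len(payload), 0, 1, 0) + payload


def tls_record(ctype, payload):
    return struct.pack(">BBBH", ctype, 3, 1, len(payload)) + payload  # TLS 1.0, as in frame 14


PRELOGIN_PAYLOAD = b"\x00\x00\x0b\x00\x06\x01\x00\x11\x00\x01\xff\x0a\x00\x07\xd0\x00\x00\x00"  # made up
CLIENT_HELLO = b"\x01\x00\x00\x22\x03\x01" + bytes(32)  # handshake-shaped bytes, made up
SAMPLE_STREAM = (
    tds_packet(0x12, PRELOGIN_PAYLOAD)                    # plaintext PRELOGIN
    + tds_packet(0x12, tls_record(0x16, CLIENT_HELLO))    # TLS handshake wrapped in TDS
    + tls_record(0x17, bytes(range(64)))                  # bare TLS app data: encrypted LOGIN7
    + tds_packet(0x01, "SELECT 1".encode("utf-16-le"))    # plaintext batch after login
)

if __name__ == "__main__":
    for kind, off, size in classify_stream(SAMPLE_STREAM):
        print(f"offset {off:4d} size {size:4d}  {kind}")
    print("phases:", phases(classify_stream(SAMPLE_STREAM)))
```

Run against a reassembled client-to-server byte stream from a capture, the unit list shows exactly where the session switches into and out of TLS; a stream for which `returns_to_plaintext` is true is the login-only-encryption pattern that a decryption tool keyed to "the whole conversation is TLS" will not follow.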
  • Hmm... the forum won't recognise <new line> CRLF.
    Friday, January 20, 2012 8:52 PM