This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TDS requests identified as '[TCP segment of a reassembled PDU]'

I have a problem with the TDS protocol as every single request is being identified as [TCP segment of a reassembled PDU]. The packets originate from ASP scripts running in IIS 8.0 on Windows Server 2012. I have tried to analyze a Wireshark dump with Microsoft Network Monitor 3.4 and while it does recognize the packets as TDS RPC Requests, it also fails to properly decode them.

Is there a known weakness decoding TDS RPC Requests?

asked 19 Aug '14, 03:49

galmok

The best way for us to answer the question is to be able to look at your capture.

Can you post a small capture (if there's no private data in the capture) which shows the problem on Google Drive or Dropbox, etc.?

(19 Aug '14, 07:53) Bill Meier ♦♦

If there's reassembly going on, the example capture should have the entire application PDU (which may be split over multiple TCP segments).

Is there any chance the TDS protocol may be encrypted?

(19 Aug '14, 08:12) grahamb ♦

I'll make a capture for you to look at. But I am not sure I can make a log that does not include sensitive/internal information, but if we can make this an iterative process where I filter the dump and you let me know if you need more, then I think this can work. I would prefer to mail the Dropbox link to the dump instead of showing it to the public.

(19 Aug '14, 23:20) galmok

If you raise a bug on the Wireshark Bugzilla, bugs\attachments can be marked as private so that only the Wireshark core developers have access to them. See also the wiki page on reporting bugs.

(20 Aug '14, 01:21) grahamb ♦