Wireshark and SQL

Question

Hello! Is wireshark able to decode ms sql queries? (sql 2005 server). With mysql - no problems:

tshark -i lo -d tcp.port==3306,mysql -T fields -e mysql.query

But for SQl there is no smth like "tcp.port==1433,mssql" and "fields -e mssql.query". Or it doesn't work with TDS packets? I just need to extract clear SQL-queries from traffic...

Answer 1

0

The protocol used by MS SQL Server is TDS, so all filter fields are "tds.xxx" rather than "mssql"

permanent link

answered 23 Oct '17, 06:02

grahamb ♦
19.8k●3●30●206
accept rate: 22%

So, it will be: tshark -i lo -d tcp.port==1433,tds -T fields -e tds.query ???

(23 Oct '17, 06:05) alex31337

You shouldn't need the -d tcp.port==1433,tds as the tds dissector already registers for that port.

There is a tds.query field, but the comment next to it says "SQLBatch Stream", so it may or may not do what you want.

(23 Oct '17, 06:38) grahamb ♦

And where can I find list of available fields? (their correct syntax)

(23 Oct '17, 06:44) alex31337

https://www.wireshark.org/docs/dfref/t/tds.html

(23 Oct '17, 06:47) alex31337

Or tshark -G fields, although that doesn't limit to a particular dissector, or show version ranges.

(23 Oct '17, 07:27) grahamb ♦

But anyway, IT'S POSSIBLE to grab pure MS sql-queries (that clients send to server) via Tshark, is it right? (traffic not encrypted, only TDS)

(23 Oct '17, 07:47) alex31337

Presumably, hence the inclusion of a TDS dissector.

(23 Oct '17, 08:35) grahamb ♦

.....-T fields -e tds.query WARNING **: 'tds.query' isn't a valid field!

WTF!?

(23 Oct '17, 09:57) alex31337

Works for me (as in doesn't show an error). What version of tshark?

If I induce an error I get this kind of output:

> tshark.exe -r capture.pcapng -T fields -e tds.2query
tshark: Some fields aren't valid:
        tds.2query

(23 Oct '17, 11:31) grahamb ♦

TShark 1.12.1

(23 Oct '17, 11:51) alex31337

I've updated to 2.4.2, now "-T fields -e tds.query" doesnt print error! But I see no SQL-instructions, but blank lines -( Can you see SELECT,INSERT, UPDATE etc after you print "tshark.exe -r capture.pcapng -T fields -e tds.query"?

(23 Oct '17, 12:27) alex31337

That's EOL-ed over a year ago. Please find a way to upgrade.

(23 Oct '17, 12:29) Jaap ♦

Without seeing your actual file, it is just guessing, but could it be that you have also other than tds packets in the file? If so, add a display filter -Y tds.query to your command line, so that other packets are not displayed. For packets which don't contain a required field, tshark prints a blank line.

(23 Oct '17, 12:54) sindy

As I mentioned, the comment in the code next to tds.query mentions "SQL Batch Stream", so I'm not sure if the field shows all SQL query strings.

I don't have a tds capture to test. maybe you can share one with us to help out?

(23 Oct '17, 13:53) grahamb ♦

showing 5 of 14 show 9 more comments

Wireshark and SQL

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions