Hello! Is Wireshark able to decode MS SQL queries? (SQL 2005 server). With MySQL - no problems:
But for MS SQL there is nothing like "tcp.port==1433,mssql" and "fields -e mssql.query". Or does it not work with TDS packets? I just need to extract clear SQL queries from traffic...
The protocol used by MS SQL Server is TDS, so all filter fields are "tds.xxx" rather than "mssql". So, it will be: tshark -i lo -d tcp.port==1433,tds -T fields -e tds.query ???
(23 Oct '17, 06:05)
alex31337
You shouldn't need the There is a
(23 Oct '17, 06:38)
grahamb ♦
And where can I find list of available fields? (their correct syntax)
(23 Oct '17, 06:44)
alex31337
(23 Oct '17, 06:47)
alex31337
Or
(23 Oct '17, 07:27)
grahamb ♦
But anyway, IT'S POSSIBLE to grab pure MS SQL queries (that clients send to the server) via Tshark, is that right? (traffic not encrypted, only TDS)
(23 Oct '17, 07:47)
alex31337
Presumably, hence the inclusion of a TDS dissector.
(23 Oct '17, 08:35)
grahamb ♦
WTF!?
(23 Oct '17, 09:57)
alex31337
Works for me (as in doesn't show an error). What version of tshark? If I induce an error I get this kind of output:
(23 Oct '17, 11:31)
grahamb ♦
TShark 1.12.1
(23 Oct '17, 11:51)
alex31337
I've updated to 2.4.2, now "-T fields -e tds.query" doesn't print an error! But I see no SQL instructions, only blank lines -( Can you see SELECT, INSERT, UPDATE etc. after you run "tshark.exe -r capture.pcapng -T fields -e tds.query"?
(23 Oct '17, 12:27)
alex31337
That's EOL-ed over a year ago. Please find a way to upgrade.
(23 Oct '17, 12:29)
Jaap ♦
Without seeing your actual file, it is just guessing, but could it be that you have also other than
(23 Oct '17, 12:54)
sindy
As I mentioned, the comment in the code next to tds.query mentions "SQL Batch Stream", so I'm not sure if the field shows all SQL query strings. I don't have a TDS capture to test. Maybe you can share one with us to help out?
(23 Oct '17, 13:53)
grahamb ♦
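For readers trying to understand what the "SQL Batch Stream" mentioned above actually carries on the wire, here is an added example that is not part of this thread and not Wireshark's dissector code. It parses TDS packets the way the MS-TDS layout defines them (8-byte big-endian header: type, status, length, SPID, packet id, window) and pulls the T-SQL text out of SQL Batch messages (type 0x01), which is the only message type that contains a plain query string; RPC requests (type 0x03, used for parameterised queries via sp_executesql) are skipped, which is one reason a capture can yield blank output for a query field. The sample packets are constructed in the block itself; the parser assumes the packets it is handed are client-to-server and in order, and that SQL Server 2005 or later (TDS 7.2+) prefixes the batch text with an ALL_HEADERS block.

```python
import struct

# TDS packet header: Type, Status, Length, SPID, PacketID, Window (8 bytes, big-endian)
TDS_HEADER = struct.Struct('>BBHHBB')
TDS_SQL_BATCH = 0x01   # SQL Batch: plain T-SQL text (the "SQL Batch Stream")
TDS_RPC = 0x03         # RPC request, e.g. sp_executesql; carries no batch text
STATUS_EOM = 0x01      # end-of-message bit: last packet of a multi-packet message


def parse_tds_header(packet):
    """Decode the 8-byte TDS header and sanity-check the declared length."""
    if len(packet) < TDS_HEADER.size:
        raise ValueError("short TDS header")
    ptype, status, length, spid, packet_id, window = TDS_HEADER.unpack_from(packet, 0)
    if length > len(packet):
        raise ValueError("TDS length field exceeds captured bytes")
    return {"type": ptype, "status": status, "length": length,
            "spid": spid, "packet_id": packet_id, "window": window}


def decode_sql_batch(payload):
    """Return the T-SQL text of a reassembled SQL Batch payload.

    TDS 7.2+ (SQL Server 2005 and later) prefixes the text with ALL_HEADERS:
    a little-endian TotalLength followed by the headers it covers. Older
    clients send the UCS-2 text directly; we detect that because the first
    four bytes would then decode to an implausibly large TotalLength."""
    text_start = 0
    if len(payload) >= 4:
        total_len = struct.unpack_from('<I', payload, 0)[0]
        if 4 <= total_len <= len(payload):
            text_start = total_len
    return payload[text_start:].decode('utf-16-le')


def extract_queries(packets):
    """Walk ordered client->server TDS packets, reassemble each message on
    its EOM bit, and return the text of every SQL Batch message."""
    queries = []
    message = bytearray()
    for pkt in packets:
        hdr = parse_tds_header(pkt)
        message += pkt[TDS_HEADER.size:hdr["length"]]
        if hdr["status"] & STATUS_EOM:
            if hdr["type"] == TDS_SQL_BATCH:
                queries.append(decode_sql_batch(bytes(message)))
            message = bytearray()       # RPC, login etc. are dropped here
    return queries


def build_sql_batch(sql, spid=51, packet_size=4096):
    """Construct sample client->server SQL Batch packets (test data for this
    example): ALL_HEADERS with one Transaction Descriptor header, then the
    UCS-2 LE query text, split into packets of at most packet_size bytes."""
    txn_header = struct.pack('<IHQI', 18, 0x0002, 0, 1)
    all_headers = struct.pack('<I', 4 + len(txn_header)) + txn_header
    payload = all_headers + sql.encode('utf-16-le')
    max_data = packet_size - TDS_HEADER.size
    chunks = [payload[i:i + max_data] for i in range(0, len(payload), max_data)]
    packets = []
    for i, chunk in enumerate(chunks):
        status = STATUS_EOM if i == len(chunks) - 1 else 0x00
        hdr = TDS_HEADER.pack(TDS_SQL_BATCH, status, TDS_HEADER.size + len(chunk),
                              spid, (i + 1) & 0xFF, 0)
        packets.append(hdr + chunk)
    return packets


def build_other(ptype, payload=b'', spid=51):
    """Construct a single-packet message of another type (sample data)."""
    return TDS_HEADER.pack(ptype, STATUS_EOM, TDS_HEADER.size + len(payload),
                           spid, 1, 0) + payload


if __name__ == '__main__':
    # Constructed sample: one batch query followed by an RPC request with a dummy body.
    sample = build_sql_batch("SELECT name FROM sys.databases")
    sample.append(build_other(TDS_RPC, b'\x16\x00\x00\x00'))
    for query in extract_queries(sample):
        print(query)
```

If a capture of unencrypted TDS produces no text with this kind of parser either, the client is most likely sending RPC requests rather than SQL batches, or the session was encrypted during PRELOGIN; in both cases there is no plain batch text on the wire to extract.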