I can capture the packets using wireshark, but I can't decode the stream into anything intelligible. This bug suggests that maybe this isn't possible in SQL Server 2005 or newer... https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3098, but several people on Stack Overflow claimed this was a good method in answers to this question: How to SQL Server traffic is encrypted?. Any help appreciated.
问题:
回答1:
Edit (2017-05-02): Microsoft Network Monitor - has been replaced by Microsoft Message Analyzer - which serves the same purpose. See also comment below this answer or the answer further down for how to use it!
Original Answer:
There is another much underrated tool from Microsoft itself: 'Microsoft Network Monitor'. Basically this is very similar to wireshark with the exception that some specific MS protocols have better parser and visualisation support than wireshark itself and obviously it would only run under windows ;-).
The tool is quite old and looks abandoned (havn't seen a newer release so far) but still does an good job and the grammar for defining new protocols is quite neat/interesting - so this still possess a lot of power for the future.
Analysis Example - Recording is filtered for TDS - so the other packets are discared mostly:
This is also true for sql server connections. The MNM can even visualize the resultsets going over the wire - quite neat. Nonetheless wireshark as mentioned above would be sufficient to validate encryption and applied certificates on the wire itself. Means it can understand the TDS-Protocoll fully.
Handling TLS
Also with an extension (so called experts) 'NmDecrypt' and the right certificates (including private keys) - it is possible to decrypt protocolls - quite nice for TDS which uses TLS INSIDE of TDS - no wonder - no one has really implemented that yet as a fully supported protocoll for wireshark ;)
So far - regarding MSSQL-Traffic - or to be more precice TDS-Protocol this is the best tool I've come across so far. Wireshark is cool - but in this case MNM is 'better'. Have phun! ;)
Links for the tools:
- Microsoft Network Monitor: http://www.microsoft.com/en-us/download/details.aspx?id=4865
- NMDecrypt: http://nmdecrypt.codeplex.com/releases/view/85581
回答2:
Not wireshark, but for me the Microsoft Message Analyzer worked great for that.
To get all the sent commands
- Start a new session
- Add Live Trace as as Data Source
- Select Scenario (I chose Local Network Interfaces)
- Enter a session filter expression like *address == 10.1.2.129 to filter only traffic to your sql server.
- Click start
- Right click on column header in the massage table and select Add columns...
- Add TDS > SQLBatch > SqlBatchPacketData > SQLText
This should give you something like the following
Unfortunately there is no autoscroll implemented at the moment, but you can sort by timestamp and have the new queries popping up at the top.
回答3:
The question that you are refering to is how to prove that the traffic is encrypted.
So they were using wireshark to show that you could not read it.
The encryption was weak on earlier versions of SQL server, but I don't think that it is easy to decrypt SQL Server 2005 traffic.
回答4:
Wireshark decodes and shows you captured data when understand the protocol (and layer). That means the captured data isn't encripted. If the data is encripted (SSL, ie), WS will only show SSL handshakes and raw data.