This project forked from zcorning/tds-capture-parser
This program parses network capture files (.pcapng) that contain TCP wrapped TDS 4.0 packets. It extracts the SQL Batch and Response packet data.
This is a parser for network capture files (.pcapng) using TDS 4.0 packets
wrapped with TCP. The program extracts only the SQL Batches and the Responses
from the packets. It displays the queries and responses in a readable format so
the user can tell exactly what query caused what response.
Usage:
1. Create/locate a network capture file (.pcapng).
- ex. use Wireshark to create this file by capturing network traffic
- Make sure packets use TDS 4.0 and TCP
2. run ./extract <file.pcapng>
Implementation Details:
extract:
- This is a bash script that creates two files for the Python parser to
use. The first file is created using the tshark command, so tshark
(associated with Wireshark) must be installed. This file leverages
Wireshark's built in TDS parser to convert the capture file to ascii. The
second file uses tshark to output the hexidecimal representation of the
.pcapng file (the -x flag) which also contains the ascii. This is necessary
because Wireshark (and tshark output) truncate the SQL Batches when the
data is longer than 240 characters. The second file, however, does not
contain the response packet information which is why both files are
necessary. The program then calls ./parser which reads both files and
outputs the resulting SQL and Responses. Then, both temporary files are
deleted.
parser:
- The parser parses the first file (tshark output) by frame. Each frame
represents one TDS packet. The two types of packets it looks for are SQL
Batch packets and Response packets (with data). For SQL Batch packets, if
the query is not truncated, then the query can be easily parsed from the
tshark output. Otherwise, the parser searches for the truncated query in
the other file (which contains the entire query). Lastly, some SQL Batch
packets seem to have no Query field, and instead have only a Data field.
In this case, the parser is also able to extract the query from the Data
field. If any SQL Batch is invalid, the parser will print "SQL Batch:
Invalid" to show that it found a SQL Batch packet but could not extract the
query.
- For Response packets, the parser extracts the data in tabular format. It
uses the ColNames field to first get the names of the columns. Then it uses
the row fields to fill in the table with the correct data. If the response
does not contain a data table, then the response is not printed at all.
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.