This program parses network capture files (.pcapng) that contain TCP wrapped TDS 4.0 packets. It extracts the SQL Batch and Response packet data.
Shell 3.55%Python 96.45%
tds-capture-parser's Introduction
This is a parser for network capture files (.pcapng) using TDS 4.0 packets
wrapped with TCP. The program extracts only the SQL Batches and the Responses
from the packets. It displays the queries and responses in a readable format so
the user can tell exactly what query caused what response.
Usage:
1. Create/locate a network capture file (.pcapng).
- ex. use Wireshark to create this file by capturing network traffic
- Make sure packets use TDS 4.0 and TCP
2. run ./extract <file.pcapng>
Implementation Details:
extract:
- This is a bash script that creates two files for the Python parser to
use. The first file is created using the tshark command, so tshark
(associated with Wireshark) must be installed. This file leverages
Wireshark's built in TDS parser to convert the capture file to ascii. The
second file uses tshark to output the hexidecimal representation of the
.pcapng file (the -x flag) which also contains the ascii. This is necessary
because Wireshark (and tshark output) truncate the SQL Batches when the
data is longer than 240 characters. The second file, however, does not
contain the response packet information which is why both files are
necessary. The program then calls ./parser which reads both files and
outputs the resulting SQL and Responses. Then, both temporary files are
deleted.
parser:
- The parser parses the first file (tshark output) by frame. Each frame
represents one TDS packet. The two types of packets it looks for are SQL
Batch packets and Response packets (with data). For SQL Batch packets, if
the query is not truncated, then the query can be easily parsed from the
tshark output. Otherwise, the parser searches for the truncated query in
the other file (which contains the entire query). Lastly, some SQL Batch
packets seem to have no Query field, and instead have only a Data field.
In this case, the parser is also able to extract the query from the Data
field. If any SQL Batch is invalid, the parser will print "SQL Batch:
Invalid" to show that it found a SQL Batch packet but could not extract the
query.
- For Response packets, the parser extracts the data in tabular format. It
uses the ColNames field to first get the names of the columns. Then it uses
the row fields to fill in the table with the correct data. If the response
does not contain a data table, then the response is not printed at all.