Wireshark-bugs: [Wireshark-bugs] [Bug 7622] New: [Malformed Packet: TDS] DONE token breakout has
Date: Sun, 12 Aug 2012 13:51:34 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=7622

           Summary: [Malformed Packet: TDS] DONE token breakout has wrong
                    length
           Product: Wireshark
           Version: 1.8.1
          Platform: x86
        OS/Version: Windows XP
            Status: NEW
          Severity: Normal
          Priority: Low
         Component: Dissection engine (libwireshark)
        AssignedTo: bugzilla-admin@xxxxxxxxxxxxx
        ReportedBy: david.sandman@xxxxxxxxxx


Created attachment 8944
  --> https://bugs.wireshark.org/bugzilla/attachment.cgi?id=8944
Exported the packets via File > Export. Did a range of 12 - 15.

Build Information:
Version 1.8.1 (SVN Rev 43946 from /trunk-1.8)

Copyright 1998-2012 Gerald Combs <gerald@xxxxxxxxxxxxx> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GTK+ 2.24.10, with Cairo 1.10.2, with Pango 1.30.0, with
GLib 2.32.2, with WinPcap (4_1_2), with libz 1.2.5, without POSIX capabilities,
with SMI 0.4.8, with c-ares 1.7.1, with Lua 5.1, without Python, with GnuTLS
2.12.18, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP, with PortAudio
V19-devel (built Jul 23 2012), with AirPcap.

Running on Windows XP Service Pack 3, build 2600, with WinPcap version 4.1
beta5 (packet.dll version 4.1.0.1452), based on libpcap version 1.0.0, GnuTLS
2.12.18, Gcrypt 1.4.6, without AirPcap.

Built using Microsoft Visual C++ 10.0 build 40219

Wireshark is Open Source Software released under the GNU General Public
License.

Check the man page and http://www.wireshark.org for more information.

--
DoneRowCount should be 8 bytes long as of TDS 7.2

From specification [MS-TDS].pdf
DoneRowCount = LONG / ULONGLONG; (Changed to ULONGLONG in TDS 7.2)

This is in the response (04) to the login request, in clear text.
I added an attachment of a File > Export of a range of packets that shows
the pre-login request, response, login request, response (Malformed).

There is a SQL Server version field in the login ACK token in the same packet
that might be used to determine TDS version. The actual TDSVersion is in the
pre-login if you can retain that data for subsequent packet breakouts.

Thanks
David Sandman
Load Test Engineering Consultant
BCBS of SC

In case you cannot read that, here is a copy/paste of the displayed packet:
0000  00 23 ae b1 67 27 00 21  d8 b7 c0 40 08 00 45 00   .#..g'.! ...@..E.
0010  01 f5 38 4a 40 00 7c 06  a7 8a 0a b4 ff 39 0a 1e   ..8J@.|. .....9..
0020  09 23 05 99 0e 94 cd 6e  30 a7 70 24 f2 7a 50 18   .#.....n 0.p$.zP.
0030  f9 da 01 47 00 00 04 01  01 cd 00 36 01 00 e3 17   ...G.... ...6....
0040  00 01 04 55 00 4e 00 49  00 54 00 06 6d 00 61 00   ...U.N.I .T..m.a.
0050  73 00 74 00 65 00 72 00  ab 8e 00 45 16 00 00 02   s.t.e.r. ...E....
0060  00 23 00 43 00 68 00 61  00 6e 00 67 00 65 00 64   .#.C.h.a .n.g.e.d
0070  00 20 00 64 00 61 00 74  00 61 00 62 00 61 00 73   . .d.a.t .a.b.a.s
0080  00 65 00 20 00 63 00 6f  00 6e 00 74 00 65 00 78   .e. .c.o .n.t.e.x
0090  00 74 00 20 00 74 00 6f  00 20 00 27 00 55 00 4e   .t. .t.o . .'.U.N
00a0  00 49 00 54 00 27 00 2e  00 1d 41 00 37 00 30 00   .I.T.'.. ..A.7.0.
00b0  54 00 55 00 43 00 4f 00  4d 00 50 00 41 00 59 00   T.U.C.O. M.P.A.Y.
00c0  44 00 30 00 30 00 31 00  5c 00 55 00 43 00 4f 00   D.0.0.1. \.U.C.O.
00d0  4d 00 50 00 41 00 59 00  44 00 30 00 30 00 31 00   M.P.A.Y. D.0.0.1.
00e0  44 00 42 00 00 01 00 00  00 e3 08 00 07 05 09 04   D.B..... ........
00f0  d0 00 34 00 e3 17 00 02  0a 75 00 73 00 5f 00 65   ..4..... .u.s._.e
0100  00 6e 00 67 00 6c 00 69  00 73 00 68 00 00 ab 96   .n.g.l.i .s.h....
0110  00 47 16 00 00 01 00 27  00 43 00 68 00 61 00 6e   .G.....' .C.h.a.n
0120  00 67 00 65 00 64 00 20  00 6c 00 61 00 6e 00 67   .g.e.d.  .l.a.n.g
0130  00 75 00 61 00 67 00 65  00 20 00 73 00 65 00 74   .u.a.g.e . .s.e.t
0140  00 74 00 69 00 6e 00 67  00 20 00 74 00 6f 00 20   .t.i.n.g . .t.o. 
0150  00 75 00 73 00 5f 00 65  00 6e 00 67 00 6c 00 69   .u.s._.e .n.g.l.i
0160  00 73 00 68 00 2e 00 1d  41 00 37 00 30 00 54 00   .s.h.... A.7.0.T.
0170  55 00 43 00 4f 00 4d 00  50 00 41 00 59 00 44 00   U.C.O.M. P.A.Y.D.
0180  30 00 30 00 31 00 5c 00  55 00 43 00 4f 00 4d 00   0.0.1.\. U.C.O.M.
0190  50 00 41 00 59 00 44 00  30 00 30 00 31 00 44 00   P.A.Y.D. 0.0.1.D.
01a0  42 00 00 01 00 00 00 ad  36 00 01 73 0b 00 03 16   B....... 6..s....
01b0  4d 00 69 00 63 00 72 00  6f 00 73 00 6f 00 66 00   M.i.c.r. o.s.o.f.
01c0  74 00 20 00 53 00 51 00  4c 00 20 00 53 00 65 00   t. .S.Q. L. .S.e.
01d0  72 00 76 00 65 00 72 00  00 00 00 00 0a 32 0a d4   r.v.e.r. .....2..
01e0  e3 13 00 04 04 34 00 30  00 39 00 36 00 04 34 00   .....4.0 .9.6..4.
01f0  30 00 39 00 36 00 fd 00  00 00 00 00 00 00 00 00   0.9.6... ........
0200  00 00 00                                           ...
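
The length mismatch described in the report, as an added example (not part of the original report and not Wireshark's dissector code): a bounds-checked DONE token parser run over the final 13 bytes of the dump above (offsets 0x1f6 to 0x202). The function names and the `tds72_or_later` flag are assumptions made for this illustration; how the caller learns the TDS version is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Final 13 bytes of the dump in the report: 0xFD followed by 12 zero bytes. */
static const uint8_t done_bytes[13] = { 0xFD };

/* Illustrative names, not Wireshark's. */
struct tds_done { uint16_t status, cur_cmd; uint64_t row_count; };

/* Read an n-byte unsigned little-endian integer (n <= 8). */
static uint64_t read_le(const uint8_t *p, size_t n)
{
    uint64_t v = 0;
    while (n--)
        v = (v << 8) | p[n];
    return v;
}

/*
 * Parse one DONE token: type (1), Status (2), CurCmd (2), DoneRowCount.
 * DoneRowCount is 4 bytes (LONG) before TDS 7.2 and 8 bytes (ULONGLONG)
 * from TDS 7.2 on. Returns bytes consumed, or -1 if the token type is
 * wrong or the buffer is too short for the selected layout.
 */
static int parse_done(const uint8_t *buf, size_t len, int tds72_or_later,
                      struct tds_done *out)
{
    size_t count_len = tds72_or_later ? 8 : 4;
    size_t need = 1 + 2 + 2 + count_len;

    if (len < need || buf[0] != 0xFD)   /* length check before any read */
        return -1;
    out->status = (uint16_t)read_le(buf + 1, 2);
    out->cur_cmd = (uint16_t)read_le(buf + 3, 2);
    out->row_count = read_le(buf + 5, count_len);
    return (int)need;
}

/* Bytes remaining after the DONE token, or -1 on parse failure. */
static int leftover_after_done(const uint8_t *buf, size_t len, int tds72_or_later)
{
    struct tds_done d;
    int used = parse_done(buf, len, tds72_or_later, &d);
    return used < 0 ? -1 : (int)len - used;
}

int main(void)
{
    printf("4-byte count: %d left over\n", leftover_after_done(done_bytes, 13, 0));
    printf("8-byte count: %d left over\n", leftover_after_done(done_bytes, 13, 1));
    return 0;
}
```

With the 4-byte layout, four bytes remain after the token; with the 8-byte layout the token ends exactly at the last byte of the dump.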
