SQL Parsers with Message Analyzer. Eric Bortei-Doku

Transcription

1 SQL Parsers with Message Analyzer Eric Bortei-Doku

2 Agenda Message Analyzer Overview Simplified Operation Message Analyzer Parsers Overview Desktop UI Demos Analyzing Local Ping Traffic Analyzing a Capture File (MS-TDS) SQL Parsers with Message Analyzer

3 Message Analyzer Overview Can be used to capture, display, analyze protocol messaging traffic Captured info can be: Used for network diagnostics, protocol validation/analysis etc. Saved for later processing Can save traffic info as.matp or a.cap Can track local traffic, or traffic to and from remote machines

4 Message Analyzer Simplified Operation

5 Message Analyzer Simplified Operation

6 Message Analyzer Parsers Overview Recognize specific messages in network traffic Reassemble packets into long chained message Message Syntax Parsing Maps data values with definitions provided by doc for the protocol Decodes any encoded XML stream to provide clear layout of structure in MA UI Beyond the message syntax validation, parsers can also provide the protocol level restriction validation

7 Message Analyzer Parsers Overview

8 Message Analyzer Desktop UI

9 Message Analyzer Viewing Message Traffic

10 ONE Analyzing a local Trace

11 Run and Analyze local Ping Traffic We will do the following: 1. Open a Command Prompt window 2. Enter the following command: ipconfig 3. Note the IPV4 and Default Gateway addresses for your computer 4. Launch Message Analyzer (MA) as an Administrator 5. Start a local trace in MA 6. Switch to the Command Prompt window and Enter the following: ping <your Default Gateway address> 7. Return to the MA UI and Stop the local trace

12 Your IPV4 and Default Gateway Addresses

13 Launching Message Analyzer Desktop UI Launching Message Analyzer as an Administrator gives you access to more features. For example, you can run a local trace.

14 Message Analyzer Local Trace Results

15 Applying Filters to Trace Results

16 Effective Filtering of Message Traffic 1. Apply the IPV4 address filter to the results: IPV4.Address==<your IPV4 address> 2. Scroll through results, note IP addresses in the Source and Destination columns 3. Look for Request and Response message pairs, with Source and Destination address matching your IPV4 and Default Gateway addresses. 4. Notice Module name for these messages: ICMP 5. Remove filter used in Step 1, then apply the following filter: ICMP

17 Message Analyzer - Ping Traffic

18 TWO Analyzing a.cap File

19 The Scenario for this Demo This demo represents the analysis portion of the following scenario: 1. You launched Message Analyzer (MA) and configured it to monitor an application s message traffic 2. Your application communicates with a database using the MS-TDS protocol 3. You launched your application and allowed MA to capture network traffic until your application received a response from the database 4. You stopped message capture and saved info as a.cap file

20 Configure MA to Capture Application Messages

21 Configure MA to Capture Application Messages

22 Save Captured Application Messages

23 Analyze a.cap File (MS-TDS) We will do the following: 1. In the MA UI, select File > Open 2. Navigate to the saved.cap file, and open it 3. Filter the message traffic to look for MS-TDS communication 4. Compare captured MS-TDS message traffic with what the application requested from the database

24 Viewing Captured Application Messages in MA

25 SQL Parsers with Message Analyzer

26 The Parser s Role Recognize the SQL protocol messages in network traffic Reassemble packets into long chained message Message Syntax Parsing Parsing the raw data based on the message syntax defined in Microsoft open specification. Maps data values with definitions provided by doc for the protocol Decodes any encoded XML stream to provide clear layout of structure in MA UI Beyond the message syntax validation, parsers can also provide the protocol level restriction validation

27 Parsers and Message Analyzer

28 The Parser s Role

29 Interpreting Raw Captured Application Messages ASCII and Hex values:

30 Interpreting Raw Captured Application Messages One byte (binary): One byte (Hex): 0x00 0xFF

31 Resources Protocols Open Specifications, SQL Server Technical Documents [MS-TDS] - Microsoft Tabular Data Stream protocol specification Interop Events website Support Forums Protocols Message Analyzer Microsoft Message Analyzer Operating Guide Message Analyzer Download

32 Thank you