TNS 協議傳輸可以使用 TCP/IP 協議、使用 SSL 的 TCP/IP 協議、命名管道和 IPC 協議傳輸，其中 TCP/IP 協議傳輸是使 用明文傳送。

這里只分析基于 TCP/IP 協議上的 TNS 數據。

簡介

TNS(Transparent Network Substrate) 協議用于客戶端連接Oracle數據庫，它可以使用其他一些協議進行通信，如：TCP/IP, IPX/SPX, IPC, Named Pipes等。

結構

TNS 包由一個header和payload 組成

0 8 16 31

+--------------+--------------+

| Packet Length| Packet Chksm |

+------+-------+--------------+ 8 byte header

| Type | Rsrvd | Header Chksm |

+------+-------+--------------+

| P A Y L O A D |

+-----------------------------+

字段說明：

Packet Length: 包長度字段

Packet Chksm：檢測包

Header Chksm: 檢測頭

Type:??????? ?包類型

Rsrvd:?????? ?未使用

如上圖：Packet Chksm 和 Header Chksm 通常是不變的，值為0.

Type字段是包的類型字段, 下面列出type 值對應的類型說明：

Type

Description

1

Connect

2

Accept

3

ACK

4

Refuse

5

Redirect

6

Data

7

NULL

8

----

9

ABORT

10

----

11

Resend

12

Marker

13

Attention

14

Control

Payload

Connect

連接類型數據如下所示：

Transparent Network Substrate Protocol

Packet Length: 254

Packet Checksum: 0x0000

Packet Type: Connect (1)

Reserved Byte: 00

Header Checksum: 0x0000

Connect

Version: 313

Version (Compatible): 300

Service Options: 0x0000

Session Data Unit Size: 2048

Maximum Transmission Data Unit Size: 32767

NT Protocol Characteristics: 0xc60e

Line Turnaround Value: 0

Value of 1 in Hardware: 0100

Length of Connect Data: 196

Offset to Connect Data: 58

Maximum Receivable Connect Data: 512

Connect Flags 0: 0x61

Connect Flags 1: 0x61

Trace Cross Facility Item 1: 0x00000000

Trace Cross Facility Item 2: 0x00000000

Trace Unique Connection ID: 0x0000000000000000

Connect Data: (DESCRIPTION=(CONNECT_DATA=(SERVICE_NAME=ORCL)(CID=(PROGRAM=

C:\oracle\product\10.2.0\client_1\bin\sqlplus.exe)

(HOST=WINXPSP2)(USER=vmware)))(ADDRESS=(PROTOCOL=TCP)

(HOST=192.168.1.102)(PORT=1521)))

0.018134 192.168.1.108 192.168.1.102 TNS Request, Connect (1), Connect

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 01 26 05 0b 40 00 80 06 70 a4 c0 a8 01 6c c0 a8 .&..@...p....l..

0020 01 66 04 66 05 f1 ac 94 a7 3e 66 d2 7e ee 50 18 .f.f.....>f.~.P.

0030 ff ff 15 91 00 00 00 fe 00 00 01 00 00 00 01 39 ...............9

0040 01 2c 00 00 08 00 7f ff c6 0e 00 00 01 00 00 c4 .,..............

0050 00 3a 00 00 02 00 61 61 00 00 00 00 00 00 00 00 .:....aa........

0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0070 28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28 43 4f (DESCRIPTION=(CO

0080 4e 4e 45 43 54 5f 44 41 54 41 3d 28 53 45 52 56 NNECT_DATA=(SERV

0090 49 43 45 5f 4e 41 4d 45 3d 4f 52 43 4c 29 28 43 ICE_NAME=ORCL)(C

00a0 49 44 3d 28 50 52 4f 47 52 41 4d 3d 43 3a 5c 6f ID=(PROGRAM=C:\o

00b0 72 61 63 6c 65 5c 70 72 6f 64 75 63 74 5c 31 30 racle\product\10

00c0 2e 32 2e 30 5c 63 6c 69 65 6e 74 5f 31 5c 62 69 .2.0\client_1\bi

00d0 6e 5c 73 71 6c 70 6c 75 73 2e 65 78 65 29 28 48 n\sqlplus.exe)(H

00e0 4f 53 54 3d 57 49 4e 58 50 53 50 32 29 28 55 53 OST=WINXPSP2)(US

00f0 45 52 3d 76 6d 77 61 72 65 29 29 29 28 41 44 44 ER=vmware)))(ADD

0100 52 45 53 53 3d 28 50 52 4f 54 4f 43 4f 4c 3d 54 RESS=(PROTOCOL=T

0110 43 50 29 28 48 4f 53 54 3d 31 39 32 2e 31 36 38 CP)(HOST=192.168

0120 2e 31 2e 31 30 32 29 28 50 4f 52 54 3d 31 35 32 .1.102)(PORT=152

0130 31 29 29 29 1)))

Accept

接收類型數據如下所示：

Transparent Network Substrate Protocol

Packet Length: 32

Packet Checksum: 0x0000

Packet Type: Accept (2)

Reserved Byte: 04

Header Checksum: 0x0000

Accept

Version: 312

Service Options: 0x0000

Session Data Unit Size: 2048

Maximum Transmission Data Unit Size: 32767

Value of 1 in Hardware: 0100

Accept Data Length: 0

Offset to Accept Data: 32

Connect Flags 0: 0x61

Connect Flags 1: 0x61

00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00 ..)..=..).....E.

00 48 7c cf 40 00 80 06 f9 bd c0 a8 01 66 c0 a8 .H|.@........f..

01 6c 11 d9 04 67 b6 88 7a 22 0e a7 cb 81 50 18 .l...g..z"....P.

ff 01 1d 97 00 00 00 20 00 00 02 04 00 00 01 38 ....... .......8

00 00 08 00 7f ff 01 00 00 00 00 20 61 61 00 00 ........... aa..

00 00 00 00 00 00 ......

Refuse

拒絕類型數據如下所示：

0.047753 192.168.1.102 192.168.1.108 TNS Response, Refuse (4), Refuse

00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00 ..)..=..).....E.

00 8f 53 e2 40 00 80 06 22 64 c0 a8 01 66 c0 a8 ..S.@..."d...f..

01 6c 05 f1 04 0d e8 a0 2d 2b 67 0d 99 85 50 18 .l......-+g...P.

fe ff 59 03 00 00 00 67 00 00 04 00 00 00 22 00 ..Y....g......".

00 5b 28 44 45 53 43 52 49 50 54 49 4f 4e 3d 28 .[(DESCRIPTION=(

54 4d 50 3d 29 28 56 53 4e 4e 55 4d 3d 31 35 33 TMP=)(VSNNUM=153

30 39 32 33 35 32 29 28 45 52 52 3d 31 32 35 31 092352)(ERR=1251

34 29 28 45 52 52 4f 52 5f 53 54 41 43 4b 3d 28 4)(ERROR_STACK=(

45 52 52 4f 52 3d 28 43 4f 44 45 3d 31 32 35 31 ERROR=(CODE=1251

34 29 28 45 4d 46 49 3d 34 29 29 29 29 4)(EMFI=4))))

如果有下面的錯誤則產生拒絕包：

TNS-12514 - TNS:listener could not resolve SERVICE_NAME given in connect descriptor?caused by invalid SID string provided in the connect string.

Data Packet

DATA 包是類型6，包括2個字節的 flag 標志位，1字節的 packet id，可選的 TTI id，還有數據本身。

0 16 24 31

+-----------+----+-----+

| Data Flag | ID ||

+----------------------+

| D A T A |

+----------------------+

字段說明：

l? Data Flag: 數據標識

l? ID：????? 包ID

l? TTI:?????? TTI(Two-Task Interface) ID

l? DATA:???? 有效數據

Data Flag 通常是 0x0000， 當所有數據發送完畢指示文件結尾，值為 0x0040

下面是列出了有效的數據包ID:

ID:0x01

描述：協議協商。下面這些標識是可以接受的協議版本：

0x06 0x05 0x04 0x03 0x02 0x01 0x00

客戶端平臺字符串像：IBMPC/WIN_NT-8.1.0

示例：

0.277372 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=786 Ack=425 Win=65111 Len=37

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 4d 05 14 40 00 80 06 71 74 c0 a8 01 6c c0 a8 .M..@...qt...l..

0020 01 66 04 67 11 d9 0e a7 cd 94 b6 88 7b ca 50 18 .f.g........{.P.

0030 fe 57 a0 d0 00 00 00 25 00 00 06 04 00 00 00 00 .W.....%........

0040 01 06 05 04 03 02 01 00 49 42 4d 50 43 2f 57 49 ........IBMPC/WI

0050 4e 5f 4e 54 2d 38 2e 31 2e 30 00 N_NT-8.1.0.

ID:0x02

描述：交換數據類型

示例：

0.437308 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=823 Ack=589 Win=64947 Len=67

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 6b 05 15 40 00 80 06 71 55 c0 a8 01 6c c0 a8 .k..@...qU...l..

0020 01 66 04 67 11 d9 0e a7 cd b9 b6 88 7c 6e 50 18 .f.g........|nP.

0030 fd b3 81 e2 00 00 00 43 00 00 06 04 00 00 00 00 .......C........

0040 02 b2 00 b2 00 52 21 06 01 01 01 0d 01 01 04 01 .....R!.........

0050 01 01 01 01 01 01 ff ff 03 08 03 00 01 00 3f 01 ..............?.

0060 07 3f 01 01 01 01 03 01 05 02 01 00 00 18 80 00 .?..............

0070 00 00 3c 3c 3c 80 00 00 00 ..<<<....>

ID:0x03

描述：?TTI (Two-Task Interface)功能，作用是描述即將到來的數據包ID下面是一個TTI ID列表：

0x02 Open

0x03 Query

0x04 Execute

0x05 Fetch

0x08 Close

0x09 Disconnect/logoff

0x0C AutoCommit ON

0x0D AutoCommit OFF

0x0E Commit

0x0F Rollback

0x14 Cancel

0x2B Describe

0x30 Startup

0x31 Shutdown

0x3B Version

0x43 K2 Transactions

0x47 Query

0x4A OSQL7

0x5C OKOD

0x5E Query

0x60 LOB Operations

0x62 ODNY

0x67 Transaction - end

0x68 Transaction - begin

0x69 OCCA

0x6D Startup

0x51 Logon (present password)

0x52 Logon (present username)

0x73 Logon (present password - send AUTH_PASSWORD)

0x76 Logon (present username - request AUTH_SESSKEY)

0x77 Describe

0x7F OOTCM

0x8B OKPFC

示例：

0.475183 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=890 Ack=611 Win=64925 Len=224

00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

01 08 05 16 40 00 80 06 70 b7 c0 a8 01 6c c0 a8 ....@...p....l..

01 66 04 67 11 d9 0e a7 cd fc b6 88 7c 84 50 18 .f.g........|.P.

fd 9d 8a 2d 00 00 00 e0 00 00 06 04 00 00 00 00 ...-............

03 76 02 6c c8 d5 00 06 00 00 00 01 00 00 00 38 .v.l...........8

c3 12 00 05 00 00 00 e0 bf 12 00 08 c5 12 00 06 ................

53 59 53 54 45 4d 0d 00 00 00 0d 41 55 54 48 5f SYSTEM.....AUTH_

54 45 52 4d 49 4e 41 4c 08 00 00 00 08 57 49 4e TERMINAL.....WIN

58 50 53 50 32 00 00 00 00 0f 00 00 00 0f 41 55 XPSP2.........AU

54 48 5f 50 52 4f 47 52 41 4d 5f 4e 4d 0b 00 00 TH_PROGRAM_NM...

00a0 00 0b 73 71 6c 70 6c 75 73 2e 65 78 65 00 00 00 ..sqlplus.exe...

00b0 00 0c 00 00 00 0c 41 55 54 48 5f 4d 41 43 48 49 ......AUTH_MACHI

00c0 4e 45 12 00 00 00 12 57 4f 52 4b 47 52 4f 55 50 NE.....WORKGROUP

00d0 5c 57 49 4e 58 50 53 50 32 00 00 00 00 08 00 00 \WINXPSP2.......

00e0 00 08 41 55 54 48 5f 50 49 44 07 00 00 00 07 36 ..AUTH_PID.....6

00f0 36 38 3a 39 33 32 00 00 00 00 08 00 00 00 08 41 68:932.........A

55 54 48 5f 53 49 44 06 00 00 00 06 76 6d 77 61 UTH_SID.....vmwa

72 65 00 00 00 00 re....

ID:0x08

描述：“OK”服務器給客戶端的響應

示例：

0.568852 192.168.1.102 192.168.1.108 TCP iax > kwdb-commn

[PSH, ACK] Seq=611 Ack=1114 Win=64422 Len=165

0000 00 0c 29 fd 07 3d 00 0c 29 0c 9a c7 08 00 45 00 ..)..=..).....E.

0010 00 cd 7c d5 40 00 80 06 f9 32 c0 a8 01 66 c0 a8 ..|.@....2...f..

0020 01 6c 11 d9 04 67 b6 88 7c 84 0e a7 ce dc 50 18 .l...g..|.....P.

0030 fb a6 21 cf 00 00 00 a5 00 00 06 04 00 00 00 00 ..!.............

0040 08 01 00 0c 00 00 00 0c 41 55 54 48 5f 53 45 53 ........AUTH_SES

0050 53 4b 45 59 20 00 00 00 20 32 33 42 37 31 36 30 SKEY ... 23B7160

0060 34 42 42 42 38 44 39 43 37 31 32 44 43 35 35 44 4BBB8D9C712DC55D

0070 34 30 38 36 43 32 32 42 32 00 00 00 00 04 01 00 4086C22B2.......

0080 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00a0 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 ................

00b0 00 00 00 36 01 00 00 00 00 00 00 0c 41 21 00 00 ...6........A!..

00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

00d0 00 00 00 00 00 00 00 00 00 00 00 ...........

ID:0x11

描述：TTI (Two-Task Interface)功能擴展，下面是一些附加的標志

0x6b 開關或者分離會話

0x78 關閉

0x87 OSCID

0x9A OKEYVAL

示例：

0.972469 192.168.1.108 192.168.1.102 TCP kwdb-commn > iax

[PSH, ACK] Seq=2104 Ack=1162 Win=64374 Len=44

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 54 05 19 40 00 80 06 71 68 c0 a8 01 6c c0 a8 .T..@...qh...l..

0020 01 66 04 67 11 d9 0e a7 d2 ba b6 88 7e ab 50 18 .f.g........~.P.

0030 fb 76 0e be 00 00 00 2c 00 00 06 04 00 00 00 00 .v.....,........

0040 11 6b 04 09 00 00 00 d3 00 00 00 01 00 00 00 03 .k..............

0050 3b 05 94 fb 12 00 f4 01 00 00 70 fa 12 00 6c fa ;.........p...l.

0060 12 00

ID:0x20

描述：使用外部的程序和服務注冊

示例：

ID:0x44

描述：使用外部的程序和服務注冊

示例：

ID:0xdeadbeef

描述：附加網絡選項，客戶端可協商附加連接熟悉，例如：認證，加密，數據完整性，監控，

注意：wireshark 中叫這個包為 Secure Network Services

示例：

0.094489 192.168.1.108 192.168.1.102 TNS Response, Data (6), SNS

0000 00 0c 29 0c 9a c7 00 0c 29 fd 07 3d 08 00 45 00 ..).....)..=..E.

0010 00 d0 05 11 40 00 80 06 70 f4 c0 a8 01 6c c0 a8 ....@...p....l..

0020 01 66 04 67 11 d9 0e a7 cb 81 b6 88 7a 42 50 18 .f.g........zBP.

0030 ff df 98 ef 00 00 00 a8 00 00 06 04 00 00 00 00 ................

0040 dead beef 00 9e 0a 20 01 00 00 04 00 00 04 00 ....... ........

0050 03 00 00 00 00 00 04 00 05 0a 20 01 00 00 08 00 .......... .....

0060 01 00 00 02 9c 00 c7 c7 f3 00 12 00 01 de ad be ................

0070 ef 00 03 00 00 00 04 00 04 00 01 00 01 00 02 00 ................

0080 01 00 05 00 00 00 00 00 04 00 05 0a 20 01 00 00 ............ ...

0090 02 00 03 e0 e1 00 02 00 06 fc ff 00 01 00 02 01 ................

00a0 00 03 00 00 4e 54 53 00 02 00 02 00 00 00 00 00 ....NTS.........

00b0 04 00 05 0a 20 01 00 00 0c 00 01 00 11 06 10 0c .... ...........

00c0 0f 0a 0b 08 02 01 03 00 03 00 02 00 00 00 00 00 ................

00d0 04 00 05 0a 20 01 00 00 03 00 01 00 03 01 .... .........

根據 "Oracle Hacker's Handbook" 這是一個bug 在所有版本的oracle。

當一個服務器解析一個 DATA 數據包時，DATA? flags的第二個bit 設置但第一個bit(最低位)未設置(例如：2,6,10,14等等)。當服務器接收這樣的包，它會陷入一個無限循環，占有所有的CPU處理時間。顯然這對服務器性能產生負面影響。

上面是翻譯國外的一篇博客，原文連接如下：

總結

以上是生活随笔為你收集整理的抓包oracle密码,Oracle TNS 协议抓包分析的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。