microsoft
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo‎
-1 KB b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo‎
-1 KB
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide‎
0 Bytes b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide‎
0 Bytes
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm‎
0 Bytes b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-shm‎
0 Bytes
diff --git a/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal‎
0 Bytes b/‎SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/Server/sqlite3/storage.ide-wal‎
0 Bytes
diff --git a/‎SQL_Network_Analyzer/SQLNA/ConversationData.cs‎
Lines changed: 39 additions & 4 deletions b/‎SQL_Network_Analyzer/SQLNA/ConversationData.cs‎
Lines changed: 39 additions & 4 deletions
diff --git a/‎SQL_Network_Analyzer/SQLNA/FrameData.cs‎
Lines changed: 8 additions & 2 deletions b/‎SQL_Network_Analyzer/SQLNA/FrameData.cs‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎SQL_Network_Analyzer/SQLNA/OutputText.cs‎
Lines changed: 193 additions & 1 deletion b/‎SQL_Network_Analyzer/SQLNA/OutputText.cs‎
Lines changed: 193 additions & 1 deletion
diff --git a/‎SQL_Network_Analyzer/SQLNA/Parser.cs‎
Lines changed: 12 additions & 0 deletions b/‎SQL_Network_Analyzer/SQLNA/Parser.cs‎
Lines changed: 12 additions & 0 deletions
@@ -77,9 +77,9 @@ public class ConversationData              //              - constructed in GetI
         public bool hasTDS = false;                 //   - set in ProcessTDS
         public bool hasTDS8 = false;                //   - set in ProcessTDS
         public bool isSQL = false;                  //   - set in ProcessTDS
-        public bool isEncrypted = false;            //   - set in GetServerPreloginInfo
-        public bool isEncRequired = false;          //   - set in 
-        public bool isMARSEnabled = false;          //   - set in ProcessTDS - in PreLogin packet
+        public bool isEncrypted = false;            //   - set in GetServerPreloginInfo and GetClientPreloginInfo
+        public bool isEncRequired = false;          //   - set in GetServerPreloginInfo
+        public bool isMARSEnabled = false;          //   - set in GetClientPreloginInfo
         public bool hasPrelogin = false;            //   - set in ProcessTDS
         public bool hasPreloginResponse = false;    //   - set in ProcessTDS
         public bool hasClientSSL = false;           //   - set in ProcessTDS
@@ -95,6 +95,9 @@ public class ConversationData              //              - constructed in GetI
         public bool hasIntegratedSecurity = false;  //   - set in ProcessTDS
         public bool hasPostLoginResponse = false;   //   - set in ProcessTDS   - this contains the ENVCHANGE token - login was a success
         public bool hasDiffieHellman = false;       //   - set in ProcessTDS
+        public bool hasClientZeroWindow = false;    //   - set in ParseTCPFrame
+        public bool hasServerZeroWindow = false;    //   - set in ParseTCPFrame
+        public int zeroWindowCount = 0;             //   - set in ParseTCPFrame
         public int smpSynCount = 0;                 //   - accumulated in ParseTCPFrame
         public int smpAckCount = 0;                 //   - accumulated in ParseTCPFrame
         public int smpFinCount = 0;                 //   - accumulated in ParseTCPFrame
@@ -417,7 +420,39 @@ public string loginFlags
         public string GetPacketList(int start, int length)
         {
             string s = "";
-            for (int i = start; i < start + length; i++) s += ((FrameData)frames[i]).PacketTypeAndDirection + " ";
+            FrameData f = null;
+            string frameType = "";
+
+            // Are we dealing with a Zero Window packet of not
+            bool fzwMode = false;
+            bool fzwFromClient = false;
+            for (int i = start; i < start + length; i++)
+            {
+                f = (FrameData)frames[i];
+                frameType = f.PacketTypeAndDirection + " ";
+
+                if (f.isZeroWindowPacket)  // could flip from client to server - not very likely
+                {
+                    fzwMode = true;
+                    fzwFromClient = f.isFromClient;
+                }
+                else if (fzwMode)
+                {
+                    if (fzwFromClient == f.isFromClient)
+                    {
+                        if (f.windowSize > 0) fzwMode = false;  // exit Zero Window Mode
+                    }
+                    else
+                    {
+                        if (f.isKeepAlive)
+                        {
+                            frameType = (f.isFromClient ? ">" : "<") + "ZWP ";         // Zero Window Probe - looks like a Keep-Alive packet but occurs after a Zero Packet
+                        }
+                    }
+                }
+
+                s += frameType;
+            }
             return s.TrimEnd();
         }
 
 
@@ -103,7 +103,7 @@ public bool isKeepAlive
             get
             {
                 return ((payloadLength == 1) &&
-                        (payload[0] == 0) &&
+                    //    (payload[0] == 0) &&    // not true in 100% of cases
                         ((flags & (byte)TCPFlag.ACK) != 0) &&
                         ((flags & (byte)(TCPFlag.FIN | TCPFlag.FIN | TCPFlag.SYN | TCPFlag.RESET | TCPFlag.PUSH)) == 0));
             }
@@ -134,10 +134,16 @@ public bool hasRESETFlag
             get { return (flags & (byte)TCPFlag.RESET) != 0; }
         }
 
+        public bool isZeroWindowPacket
+        {
+            get { return hasACKFlag && !hasSYNFlag && !hasFINFlag && !hasRESETFlag && windowSize == 0; }
+        }
+
         public string PacketType
         {
             get
             {
+                if (isZeroWindowPacket) return "ZW";
                 if (isKeepAlive) return "KA";
                 if (isRetransmit && payloadLength > 1) return "RET";
 
@@ -165,7 +171,7 @@ public string PacketType
                     case FrameType.SSPI:                 return "SS";
                     case FrameType.TabularResponse:      return "DATA";
                     case FrameType.XactMgrRequest:       return "TX";
-                    default:                             return FormatFlags("");
+                    default:                             return FormatFlags("");   // "" means no dots between flag letters
                 }
             }
         }
 
@@ -29,6 +29,7 @@ public static void TextReport(NetworkTrace Trace)
             if (Program.outputConversationList) DisplaySucessfulLoginReport(Trace);  // optional section; must be explicitly requested
             DisplayResetConnections(Trace);
             DisplayServerClosedConnections(Trace);
+            DisplayZeroWindowConnections(Trace);
             DisplayPktmonDrops(Trace);
             DisplayBadConnections(Trace);
             DisplayLoginErrors(Trace);
@@ -987,6 +988,196 @@ private static void DisplayServerClosedConnections(NetworkTrace Trace)
             }
         }
 
+        private static void DisplayZeroWindowConnections(NetworkTrace Trace)
+        {
+            bool hasError = false;
+
+            long firstTick = 0;
+            long lastTick = 0;
+
+            if (Trace.frames != null && Trace.frames.Count > 0)
+            {
+                firstTick = ((FrameData)Trace.frames[0]).ticks;
+                lastTick = ((FrameData)Trace.frames[Trace.frames.Count - 1]).ticks;
+            }
+
+            foreach (SQLServer s in Trace.sqlServers)
+            {
+                if (s.hasZeroWindow)
+                {
+                    hasError = true;
+                    List<ZeroWindowData> ZeroWindowRecords = new List<ZeroWindowData>();
+
+                    // initialize graph object
+                    TextGraph g = new TextGraph();
+                    g.startTime = new DateTime(firstTick);
+                    g.endTime = new DateTime(lastTick);
+                    g.SetGraphWidth(150);
+                    g.fAbsoluteScale = true;
+                    g.SetCutoffValues(1, 3, 9, 27, 81);
+
+                    string sqlIP = (s.isIPV6) ? utility.FormatIPV6Address(s.sqlIPHi, s.sqlIPLo) : utility.FormatIPV4Address(s.sqlIP);
+
+                    foreach (ConversationData c in s.conversations)
+                    {
+                        if (c.hasClientZeroWindow || c.hasServerZeroWindow)
+                        {
+                            ZeroWindowData zwd = new ZeroWindowData();
+
+                            zwd.clientIP = (c.isIPV6) ? utility.FormatIPV6Address(c.sourceIPHi, c.sourceIPLo) : utility.FormatIPV4Address(c.sourceIP);
+                            zwd.sourcePort = c.sourcePort;
+                            zwd.isIPV6 = c.isIPV6;
+                            zwd.frames = c.frames.Count;
+                            zwd.zwFrame = 0;
+                            zwd.zwFile = 0;
+                            zwd.zwFromClient = c.hasClientZeroWindow;
+                            zwd.zwFromServer = c.hasServerZeroWindow;
+                            zwd.zwCount = c.zeroWindowCount;
+                            zwd.firstFile = Trace.files.IndexOf(((FrameData)(c.frames[0])).file);
+                            zwd.lastFile = Trace.files.IndexOf(((FrameData)(c.frames[c.frames.Count - 1])).file);
+                            zwd.startOffset = ((FrameData)c.frames[0]).ticks - firstTick;
+                            zwd.endTicks = ((FrameData)c.frames[c.frames.Count - 1]).ticks;
+                            zwd.endOffset = zwd.endTicks - firstTick;
+                            zwd.duration = zwd.endOffset - zwd.startOffset;
+                            zwd.endFrames = c.GetLastPacketList(20);
+
+                            for (int i = c.frames.Count - 1; i >= 0; i--)  // search for the last Zero Window frame
+                            {
+                                FrameData f = (FrameData)c.frames[i];
+
+                                if (f.isZeroWindowPacket)
+                                {
+                                    zwd.zwFrame = f.frameNo;
+                                    zwd.zwFile = Trace.files.IndexOf(f.file);
+                                    g.AddData(new DateTime(f.ticks), 1.0); // for graphing
+                                    break;
+                                }
+                            }
+
+                            ZeroWindowRecords.Add(zwd);
+                        }
+                    }
+
+                    if (ZeroWindowRecords.Count > 0)
+                    {
+                        Program.logMessage("The following conversations with SQL Server " + sqlIP + " on port " + s.sqlPort + " had conversations with a Zero Window record:\r\n");
+                        ReportFormatter rf = new ReportFormatter();
+                        switch (Program.filterFormat)
+                        {
+                            case "N":
+                                {
+                                    rf.SetColumnNames("NETMON Filter (Client conv.):L", "Files:R", "ZW File:R", "ZW Frame:R", "ZW Count:R", "ZW Client:R", "ZW Server:R", "Start Offset:R", "End Offset:R", "End Time:R", "Frames:R", "Duration:R", "End Frames:L");
+                                    break;
+                                }
+                            case "W":
+                                {
+                                    rf.SetColumnNames("WireShark Filter (Client conv.):L", "Files:R", "ZW File:R", "ZW Frame:R", "ZW Count:R", "ZW Client:R", "ZW Server:R", "Start Offset:R", "End Offset:R", "End Time:R", "Frames:R", "Duration:R", "End Frames:L");
+                                    break;
+                                }
+                            default:
+                                {
+                                    rf.SetColumnNames("Client Address:L", "Port:R", "Files:R", "ZW File:R", "ZW Frame:R", "ZW Count:R", "ZW Client:R", "ZW Server:R", "Start Offset:R", "End Offset:R", "End Time:R", "Frames:R", "Duration:R", "End Frames:L");
+                                    break;
+                                }
+                        }
+
+                        var OrderedRows = from row in ZeroWindowRecords orderby row.endOffset ascending select row;
+
+                        foreach (var row in OrderedRows)
+                        {
+                            switch (Program.filterFormat)
+                            {
+                                case "N":  // list client IP and port as a NETMON filter string
+                                    {
+                                        rf.SetcolumnData((row.isIPV6 ? "IPV6" : "IPV4") + ".Address==" + row.clientIP + " and tcp.port==" + row.sourcePort.ToString(),
+                                                         (row.firstFile == row.lastFile) ? row.firstFile.ToString() : row.firstFile + "-" + row.lastFile,
+                                                         row.zwFile.ToString(),
+                                                         row.zwFrame.ToString(),
+                                                         row.zwCount.ToString(),
+                                                         (row.zwFromClient ? "Y" : ""),
+                                                         (row.zwFromServer ? "Y" : ""),
+                                                         (row.startOffset / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         (row.endOffset / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         new DateTime(row.endTicks).ToString(utility.TIME_FORMAT),
+                                                         row.frames.ToString(),
+                                                         (row.duration / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         row.endFrames);
+                                        break;
+                                    }
+                                case "W":  // list client IP and port as a WireShark filter string
+                                    {
+                                        rf.SetcolumnData((row.isIPV6 ? "ipv6" : "ip") + ".addr==" + row.clientIP + " and tcp.port==" + row.sourcePort.ToString(),
+                                                         (row.firstFile == row.lastFile) ? row.firstFile.ToString() : row.firstFile + "-" + row.lastFile,
+                                                         row.zwFile.ToString(),
+                                                         row.zwFrame.ToString(),
+                                                         row.zwCount.ToString(),
+                                                         (row.zwFromClient ? "Y" : ""),
+                                                         (row.zwFromServer ? "Y" : ""),
+                                                         (row.startOffset / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         (row.endOffset / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         new DateTime(row.endTicks).ToString(utility.TIME_FORMAT),
+                                                         row.frames.ToString(),
+                                                         (row.duration / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         row.endFrames);
+                                        break;
+                                    }
+                                default:  // list client IP and port as separate columns
+                                    {
+                                        rf.SetcolumnData(row.clientIP,
+                                                         row.sourcePort.ToString(),
+                                                         (row.firstFile == row.lastFile) ? row.firstFile.ToString() : row.firstFile + "-" + row.lastFile,
+                                                         row.zwFile.ToString(),
+                                                         row.zwFrame.ToString(),
+                                                         row.zwCount.ToString(),
+                                                         (row.zwFromClient ? "Y" : ""),
+                                                         (row.zwFromServer ? "Y" : ""),
+                                                         (row.startOffset / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         (row.endOffset / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         new DateTime(row.endTicks).ToString(utility.TIME_FORMAT),
+                                                         row.frames.ToString(),
+                                                         (row.duration / utility.TICKS_PER_SECOND).ToString("0.000000"),
+                                                         row.endFrames);
+                                        break;
+                                    }
+                            }
+                        }
+
+                        Program.logMessage(rf.GetHeaderText());
+                        Program.logMessage(rf.GetSeparatorText());
+
+                        for (int i = 0; i < rf.GetRowCount(); i++)
+                        {
+                            Program.logMessage(rf.GetDataText(i));
+                        }
+
+                        Program.logMessage();
+
+                        //
+                        // Display graph
+                        //
+
+                        Program.logMessage("    Distribution of Zero-Window conversations.");
+                        Program.logMessage();
+                        g.ProcessData();
+                        Program.logMessage("    " + g.GetLine(0));
+                        Program.logMessage("    " + g.GetLine(1));
+                        Program.logMessage("    " + g.GetLine(2));
+                        Program.logMessage("    " + g.GetLine(3));
+                        Program.logMessage("    " + g.GetLine(4));
+                        Program.logMessage("    " + g.GetLine(5));
+
+                        Program.logMessage();
+                    }
+                }
+            }
+
+            if (hasError == false)
+            {
+                Program.logMessage("No Zero-Window SQL conversations found.");
+                Program.logMessage();
+            }
+        }
+
 
         private static void DisplayPktmonDrops(NetworkTrace Trace)
         {
@@ -3517,7 +3708,7 @@ private static void DisplayFooter()
 
         private static void OutputStats(NetworkTrace Trace)
         {
-            Program.logStat(@"SourceIP,SourcePort,DestIP,DestPort,IPVersion,Protocol,Syn,Fin,Reset,AckSynDelayms,Retransmit,ClientDup,ServerDup,KeepAlive,Integrated Login,NTLM,Login7,Encrypted,Mars,PacketVisualization,Pktmon,MaxPktmonDelay,PktmonDrop,PktmonDropReason,MaxPayloadSize,PayloadSizeLimit,Frames,Bytes,SentBytes,ReceivedBytes,Bytes/Sec,StartFile,EndFile,StartTime,EndTime,Duration,ClientTTL,ClientLowHops,ServerTTL,ServerLowHops,ConnectionID,ServerName,InstOpt,ServerVersion,DatabaseName,ServerTDSVersion,ClientTDSVersion,ServerTLSVersion,ClientTLSVersion,RedirSrv,RedirPort,Error,ErrorState,ErrorMessage,");
+            Program.logStat(@"SourceIP,SourcePort,DestIP,DestPort,IPVersion,Protocol,Syn,Fin,Reset,ZeroWindow,AckSynDelayms,Retransmit,ClientDup,ServerDup,KeepAlive,Integrated Login,NTLM,Login7,Encrypted,Mars,PacketVisualization,Pktmon,MaxPktmonDelay,PktmonDrop,PktmonDropReason,MaxPayloadSize,PayloadSizeLimit,Frames,Bytes,SentBytes,ReceivedBytes,Bytes/Sec,StartFile,EndFile,StartTime,EndTime,Duration,ClientTTL,ClientLowHops,ServerTTL,ServerLowHops,ConnectionID,ServerName,InstOpt,ServerVersion,DatabaseName,ServerTDSVersion,ClientTDSVersion,ServerTLSVersion,ClientTLSVersion,RedirSrv,RedirPort,Error,ErrorState,ErrorMessage,");
 
             long traceFirstTick = 0;
             if (Trace.frames != null && Trace.frames.Count > 0)
@@ -3551,6 +3742,7 @@ private static void OutputStats(NetworkTrace Trace)
                                 c.synCount + "," +
                                 c.finCount + "," +
                                 c.resetCount + "," +
+                                (c.hasClientZeroWindow || c.hasServerZeroWindow ? "Y" : "") + "," +
                                 (c.isUDP || c.ackSynTime == 0 ? "" : ((int)(c.LoginDelay("AS", firstTick) / utility.TICKS_PER_MILLISECOND)).ToString()) + "," +
                                 c.rawRetransmits + "," +
                                 c.duplicateClientPackets + "," +
 
@@ -1492,6 +1492,18 @@ public static void ParseTCPFrame(byte[] b, int offset, NetworkTrace t, FrameData
             f.ackNo = utility.B2UInt32(b, offset + 8);
             f.flags = b[offset + 13];
             f.windowSize = utility.B2UInt16(b, offset + 14);
+            if (f.isZeroWindowPacket)
+            {
+                f.conversation.zeroWindowCount++;
+                if (f.isFromClient)
+                {
+                    f.conversation.hasClientZeroWindow = true;
+                }
+                else
+                {
+                    f.conversation.hasServerZeroWindow = true;
+                }
+            }
             CheckSum = utility.B2UInt16(b, offset + 16);
             if (utility.B2UInt16(b, offset + 18) != 0) canTestChecksum = false;   // we only want to test if the Urgent flag is 0
             if (f.hasSYNFlag)
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ public bool isKeepAlive`
`103`	`103`	`get`
`104`	`104`	`{`
`105`	`105`	`return ((payloadLength == 1) &&`
`106`		`- (payload[0] == 0) &&`
	`106`	`+ // (payload[0] == 0) && // not true in 100% of cases`
`107`	`107`	`((flags & (byte)TCPFlag.ACK) != 0) &&`
`108`	`108`	`((flags & (byte)(TCPFlag.FIN \| TCPFlag.FIN \| TCPFlag.SYN \| TCPFlag.RESET \| TCPFlag.PUSH)) == 0));`
`109`	`109`	`}`
`@@ -134,10 +134,16 @@ public bool hasRESETFlag`
`134`	`134`	`get { return (flags & (byte)TCPFlag.RESET) != 0; }`
`135`	`135`	`}`
`136`	`136`
	`137`	`+ public bool isZeroWindowPacket`
	`138`	`+ {`
	`139`	`+ get { return hasACKFlag && !hasSYNFlag && !hasFINFlag && !hasRESETFlag && windowSize == 0; }`
	`140`	`+ }`
	`141`	`+`
`137`	`142`	`public string PacketType`
`138`	`143`	`{`
`139`	`144`	`get`
`140`	`145`	`{`
	`146`	`+ if (isZeroWindowPacket) return "ZW";`
`141`	`147`	`if (isKeepAlive) return "KA";`
`142`	`148`	`if (isRetransmit && payloadLength > 1) return "RET";`
`143`	`149`
`@@ -165,7 +171,7 @@ public string PacketType`
`165`	`171`	`case FrameType.SSPI: return "SS";`
`166`	`172`	`case FrameType.TabularResponse: return "DATA";`
`167`	`173`	`case FrameType.XactMgrRequest: return "TX";`
`168`		`- default: return FormatFlags("");`
	`174`	`+ default: return FormatFlags(""); // "" means no dots between flag letters`
`169`	`175`	`}`
`170`	`176`	`}`
`171`	`177`	`}`