Merge pull request #15 from microsoft/20210819_LinkLayer7

20210819 link layer7

Author: Malcolm-Stewart

.gitignore

@@ -5,3 +5,4 @@
 **/bin
 **/obj
 **/publish
+**/.vs

SQLCheck/.vs/SQLCheck/v15/Server/sqlite3/storage.ide-shm

@@ -64,7 +64,8 @@ public class ConversationData              //               - constructed in Get
         public uint threadID = 0;                   //   - set in GetClientPreloginInfo
         // Conversation statistics
         public int tdsFrames = 0;       //               - set in ProcessTDS
-        public ulong totalBytes = 0;    //               - set in ParseEthernetFrame
+        public ulong totalBytes = 0;    //               - set in ParseTCPFrame
+        public ulong totalPayloadBytes = 0;         //   - set in ParseTCPFrame
         public long startTick = 0;      //               - set in ParseEthernetFrame
         public long endTick = 0;        //               - set in ParseEthernetFrame
         public int ackCount = 0;        //               - accumulated in ParseTCPFrame - can be in combination with other flags
@@ -84,9 +85,11 @@ public class ConversationData              //               - constructed in Get
         public uint sourceFrames = 0;   //               - accumulated in ParseEthernetFrame
         public uint destFrames = 0;     //               - accumulated in ParseEthernetFrame
         public uint keepAliveCount = 0; //               - accumulated in ParseTCPFrame
-        public ushort maxKeepAliveRetransmits = 0; //    - accoumulated in FindKeepAliveRetransmits
-        public uint truncatedFrameLength = 0; //         
-        public uint truncationErrorCount = 0; //         
+        public ushort maxKeepAliveRetransmits = 0;  //   - accoumulated in FindKeepAliveRetransmits
+        public uint truncatedFrameLength = 0;       //         
+        public uint truncationErrorCount = 0;       //         
+        public int maxPayloadSize = 0;              //   - accumulated in ParseTCPFrame
+        public bool maxPayloadLimit = false;        //   - accumulated in ParseTCPFrame
         public long synTime = 0;                    //
         public long ackSynTime = 0;                 //
         public long PreLoginTime = 0;               //   - set in TDS Parser - so we can time the PreLogin packet delay

SQL_Network_Analyzer/.vs/SQLNetworkAnalyzer/v15/.suo

@@ -33,6 +33,7 @@ public static void TextReport(NetworkTrace Trace)
             DisplayAttentions(Trace);
             DisplayTLSIssues(Trace);
             DisplayRedirectedConnections(Trace);
+            DisplayMTUReport(Trace);
             DisplayClientPortUsage(Trace);
             DisplaySSRPReport(Trace);
             DisplayKerberosResponseReport(Trace);
@@ -79,6 +80,7 @@ private static void DisplayFileStatistics(NetworkTrace Trace)
         private static void DisplayTrafficStatistics(NetworkTrace Trace)
         {
             ulong tcpBytes = 0, tdsBytes = 0;
+            ulong tcpPayloadBytes = 0, tdsPayloadBytes = 0;
             int tcpConversations = 0, tdsConversations = 0;
             int tcpFrames = 0, tdsFrames = 0;
 
@@ -87,22 +89,24 @@ private static void DisplayTrafficStatistics(NetworkTrace Trace)
                 if (c.isUDP == false)
                 {
                     tcpBytes += c.totalBytes;
+                    tcpPayloadBytes += c.totalPayloadBytes;
                     tcpFrames += c.frames.Count;
                     tcpConversations++;
                     if (c.isSQL)
                     {
                         tdsBytes += c.totalBytes;
+                        tdsPayloadBytes += c.totalPayloadBytes;
                         tdsFrames += c.frames.Count;
                         tdsConversations++;
                     }
                 }
             }
 
             ReportFormatter rf = new ReportFormatter();
-            rf.SetColumnNames("Statistic:L", "Bytes:R", "Frames:R", "Conversations:R");
+            rf.SetColumnNames("Statistic:L", "Packet Bytes:R", "Payload Bytes:R", "Frames:R", "Conversations:R");
             rf.indent = 4;
-            rf.SetcolumnData("TCP Traffic", tcpBytes.ToString("#,##0"), tcpFrames.ToString("#,##0"), tcpConversations.ToString("#,##0"));
-            rf.SetcolumnData("SQL Traffic", tdsBytes.ToString("#,##0"), tdsFrames.ToString("#,##0"), tdsConversations.ToString("#,##0"));
+            rf.SetcolumnData("TCP Traffic", tcpBytes.ToString("#,##0"), tcpPayloadBytes.ToString("#,##0"), tcpFrames.ToString("#,##0"), tcpConversations.ToString("#,##0"));
+            rf.SetcolumnData("SQL Traffic", tdsBytes.ToString("#,##0"), tdsPayloadBytes.ToString("#,##0"), tdsFrames.ToString("#,##0"), tdsConversations.ToString("#,##0"));
 
             Program.logMessage(rf.GetHeaderText());
             Program.logMessage(rf.GetSeparatorText());
@@ -1646,10 +1650,8 @@ private static void DisplayNamedPipesReport(NetworkTrace Trace)
                 }
             }
 
-            Program.logMessage("The following Named Pipes conversations were detected in the network trace:\r\n");
             ReportFormatter rf = new ReportFormatter();
 
-
             // "Client Address:L", "Port:R", "Files:R", "Last Frame:R", "Start Offset:R", "End Offset:R", "End Time:R", "Frames:R", "Duration:R", "Login Progress:L", "Keep-Alives:R", "Retransmits:R", "NullCreds:R", "DHE:R", "LoginAck:L", "Error:L");
             switch (Program.filterFormat)
             {
@@ -1713,18 +1715,20 @@ private static void DisplayNamedPipesReport(NetworkTrace Trace)
                 }
             }
 
-            Program.logMessage(rf.GetHeaderText());
-            Program.logMessage(rf.GetSeparatorText());
-
-            for (int i = 0; i < rf.GetRowCount(); i++)
+            if (PipeRecords.Count != 0)
             {
-                Program.logMessage(rf.GetDataText(i));
-            }
-
-            Program.logMessage();
+                Program.logMessage("The following Named Pipes conversations were detected in the network trace:\r\n");
+                Program.logMessage(rf.GetHeaderText());
+                Program.logMessage(rf.GetSeparatorText());
 
+                for (int i = 0; i < rf.GetRowCount(); i++)
+                {
+                    Program.logMessage(rf.GetDataText(i));
+                }
 
-            if (PipeRecords.Count == 0)
+                Program.logMessage();
+            }
+            else
             {
                 Program.logMessage("No Named Pipes conversations found.");
                 Program.logMessage();
@@ -2203,6 +2207,42 @@ private static void DisplayClientPortUsage(NetworkTrace Trace)
             Program.logMessage();
         }
 
+        private static void DisplayMTUReport(NetworkTrace Trace)
+        {
+            ArrayList MTUSizes = new ArrayList();
+            int maxPayloadSize = 0;
+
+            // gather unique max payload sizes
+            foreach (ConversationData c in Trace.conversations)
+            {
+                if (c.maxPayloadSize > maxPayloadSize) maxPayloadSize = c.maxPayloadSize;
+                if (c.maxPayloadLimit && MTUSizes.IndexOf(c.maxPayloadSize) < 0) MTUSizes.Add(c.maxPayloadSize);
+            }
+
+            Program.logMessage($"The maximum payload size observed was {maxPayloadSize}.");
+
+            // how many did we find?
+            if (MTUSizes.Count == 1)
+            {
+                Program.logMessage($"The MTU maximum payload size observed was {(int)MTUSizes[0]}.");
+            }
+            else if (MTUSizes.Count > 0)
+            {
+                string rowList = "";
+                var OrderedRows = from row in MTUSizes.ToArray() orderby (int)row ascending select row;
+                foreach (var row in OrderedRows) rowList += ", " + row.ToString();
+                rowList = rowList.Substring(2);  // get rid of leading ", "
+                Program.logMessage($"Multiple MTU maximum payload sizes were observed: {rowList}");
+                
+            }
+            else
+            {
+                Program.logMessage("MTU maximum payload size was not determined.");
+            }
+
+            Program.logMessage();
+        }
+
         private static void DisplayRedirectedConnections(NetworkTrace Trace)
         {
             //
@@ -2387,7 +2427,7 @@ private static void DisplayFooter()
 
         private static void OutputStats(NetworkTrace Trace)
         {
-            Program.logStat(@"SourceIP,SourcePort,DestIP,DestPort,IPVersion,Protocol,Syn,Fin,Reset,Retransmit,KeepAlive,Integrated Login,NTLM,Login7,Encrypted,Mars,Frames,Bytes,SentBytes,ReceivedBytes,Bytes/Sec,StartFile,EndFile,StartTime,EndTime,Duration,ServerName,ServerVersion,DatabaseName,ServerTDSVersion,ClientTDSVersion,ServerTLSVersion,ClientTLSVersion,RedirSrv,RedirPort,Error,ErrorState,ErrorMessage,");
+            Program.logStat(@"SourceIP,SourcePort,DestIP,DestPort,IPVersion,Protocol,Syn,Fin,Reset,Retransmit,KeepAlive,Integrated Login,NTLM,Login7,Encrypted,Mars,MaxPayloadSize,PayloadSizeLimit,Frames,Bytes,SentBytes,ReceivedBytes,Bytes/Sec,StartFile,EndFile,StartTime,EndTime,Duration,ServerName,ServerVersion,DatabaseName,ServerTDSVersion,ClientTDSVersion,ServerTLSVersion,ClientTLSVersion,RedirSrv,RedirPort,Error,ErrorState,ErrorMessage,");
             foreach (ConversationData c in Trace.conversations)
             {
                 int firstFile = Trace.files.IndexOf(((FrameData)(c.frames[0])).file);
@@ -2421,6 +2461,8 @@ private static void OutputStats(NetworkTrace Trace)
                                 (c.hasLogin7 ? "Y" : "") + "," +
                                 (c.isEncrypted ? "Y" : "") + "," +
                                 (c.isSQL && (c.isMARSEnabled || (c.smpAckCount + c.smpSynCount + c.smpFinCount + c.smpDataCount) > 0) ? "Y" : "") + "," +
+                                c.maxPayloadSize + "," +
+                                (c.maxPayloadLimit ? "Y": "") + "," +
                                 c.frames.Count + "," +
                                 c.totalBytes + "," +
                                 "," +   // do not have a separate counter for sent bytes      TODO ? do we really need it?