How find user is sending a packet every .02 sec to MS SQL?

I have 2 users that their client software must be going crazy.. they
are sending packets every .02 seconds to the db server... I know this
because I stuck a sniffer on the traffic.. but now I just need to know
what user is doing this (all traffic is encrypted.. so I couldn't
sniff out that.. I could only get an IP).

any ideas?

--
Posted using the http://www.dbforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.dbforumz.com/General-Disc...ict232446.html
Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.dbforumz.com/eform.php?p=805276
Jul 23 '05 #1
You can open Enterprise Manager and check Current Activity. Match the
IP address to the hostname or ID. If that doesn't give you good
information then you can run "nbtstat -an IPADDRESS" at a command
prompt and maybe get lucky.

Jul 23 '05 #2

"pigeon" <Us************@dbForumz.com> wrote in message
news:4_***************************************@dbforumz.com...
> I have 2 users that their client software must be going crazy.. they
> are sending packets every .02 seconds to the db server... I know this
> because I stuck a sniffer on the traffic.. but now I just need to know
> what user is doing this (all traffic is encrypted.. so I couldn't
> sniff out that.. I could only get an IP).
>
> any ideas?


If you already have an IP address, then you should be able to find the PC by
checking for its DHCP lease or DNS entry.

Simon
Jul 23 '05 #3
One thing you can do to help with your task:

In your SQL EM check the Current Connections and search for the IP
address. When you find the IP address you will also have the SPID, this
can show you the T-SQL statement being run.

Also if you know the IP address, you can find out the computer name.
You find out the computer name, you can find out the user(s) using those
computers.

"pigeon" <Us************@dbForumz.com> wrote in message
news:4_***************************************@dbforumz.com...
> I have 2 users that their client software must be going crazy.. they
> are sending packets every .02 seconds to the db server... I know this
> because I stuck a sniffer on the traffic.. but now I just need to know
> what user is doing this (all traffic is encrypted.. so I couldn't
> sniff out that.. I could only get an IP).
>
> any ideas?


Jul 23 '05 #4
"serge" wrote:
> One thing you can do to help with your task:
>
> In your SQL EM check the Current Connections and search for the IP
> address. When you find the IP address you will also have the SPID, this
> can show you the T-SQL statement being run.
>
> Also if you know the IP address, you can find out the computer name.
> You find out the computer name, you can find out the user(s) using those
> computers.
>
> "pigeon" <Us************@dbForumz.com> wrote in message
> news:4_***************************************@dbforumz.com...
> > I have 2 users that their client software must be going crazy.. they
> > are sending packets every .02 seconds to the db server... I know this
> > because I stuck a sniffer on the traffic.. but now I just need to know
> > what user is doing this (all traffic is encrypted.. so I couldn't
> > sniff out that.. I could only get an IP).
> >
> > any ideas?



Well.. they are logging in over the internet.. So even if I know the
computer name, it will not help me that much (since there are hundreds
and hundreds of people logging in all the time).

Also, will the user be listed in active connections even though his
login fails? or if he logs in and logs out very quickly? I believe his
software is logging in and out very quickly (many many many times a
second).
What do you'll think?

thanks!
Lee
Jul 23 '05 #5
I am not a security expert so you'll still have to search more on this
topic. What I would do is turn on SQL Server auditing for Failure.
Do properties on your SQL server in SQL EM, Security tab, Audit Level.

If you say there are 2 users but don't know the users. Do you mean
you have 2 IPs that keep hitting your SQL server every .02 second?
Those IPs, why don't you have them blocked if you don't know if
they are valid IPs or someone trying to attack your SQL Server
or like you say some software is hitting your SQL server non-stop?

Can you run SQL Profiler and see if you can see what is being run
by those two "users" every .02 seconds?

> Well.. they are logging in over the internet.. So even if I know the
> computer name, it will not help me that much (since there are hundreds
> and hundreds of people logging in all the time).
>
> Also, will the user be listed in active connections even though his
> login fails? or if he logs in and logs out very quickly? I believe his
> software is logging in and out very quickly (many many many times a
> second).
> What do you'll think?


Jul 23 '05 #6
"serge" wrote:
> I am not a security expert so you'll still have to search more on this
> topic. What I would do is turn on SQL Server auditing for Failure.
> Do properties on your SQL server in SQL EM, Security tab, Audit Level.
>
> If you say there are 2 users but don't know the users. Do you mean
> you have 2 IPs that keep hitting your SQL server every .02 second?
> Those IPs, why don't you have them blocked if you don't know if
> they are valid IPs or someone trying to attack your SQL Server
> or like you say some software is hitting your SQL server non-stop?
>
> Can you run SQL Profiler and see if you can see what is being run
> by those two "users" every .02 seconds?
>
> > Well.. they are logging in over the internet.. So even if I know the
> > computer name, it will not help me that much (since there are hundreds
> > and hundreds of people logging in all the time).
> >
> > Also, will the user be listed in active connections even though his
> > login fails? or if he logs in and logs out very quickly? I believe his
> > software is logging in and out very quickly (many many many times a
> > second).
> > What do you'll think?


Well.. I found their hostname (server) through profiler.. And I see
they are trying to login to 'sa' account.. but I wouldn't think
trying to login (every 5 seconds or so) would result in me getting
packets from that IP every .02 seconds...
What can I do after this? I guess I could block their IP via my Cisco
PIX firewall.. but is there any way to automatically block a user that
tries to login to 'sa'? From what I have read, SQL doesn't have a
feature to block users based on their IP
thanks for any suggestions!

Jul 23 '05 #7
pigeon (Us************@dbForumz.com) writes:
> What can I do after this? I guess I could block their IP via my Cisco
> PIX firewall.. but is there any way to automatically block a user that
> tries to login to 'sa'? From what I have read, SQL doesn't have a
> feature to block users based on their IP


Well, as far as SQL Server is concerned, that user is 'sa', so you
better make use of that firewall.

And be very glad that this was no serious attempt to brute-force
attack. In that case, the intruder would probably have cracked your
sa password by now.
--
Erland Sommarskog, SQL Server MVP, es****@sommarskog.se

Books Online for SQL Server SP3 at
http://www.microsoft.com/sql/techinf...2000/books.asp
Jul 23 '05 #8
> Well.. I found their hostname (server) through profiler.. And i see
> they are trying to login to 'sa' account.. but I wouldn't think
> trying to login (every 5 seconds or so) would result in me getting
> packets from that IP every .02 seconds...
> What can I do after this? I guess I could block their IP via my Cisco
> PIX firewall.. but is there any way to automatically block a user that
> tries to login to 'sa'? From what I have read, SQL doesn't have a
> feature to block users based on their IP


Why do you have your SQL Server open to the Internet in the
first place? The application being used is what? If you have an
IIS Server hosting the application then you could simply have
your SQL Server port 1423 blocked.

Jul 23 '05 #9
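
The thread ends with failed-login auditing turned on and blocking left to the firewall. As an added example (not code from any poster), this Python counts failed logins against `sa` per client IP in a sliding window and returns the addresses that merit a firewall deny rule. The log lines are constructed, and the `[CLIENT: ip]` field is an assumed format; adjust `LINE_RE` to what your server actually writes.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the thread). Assumed format: failed-login
# audit entries that carry a "[CLIENT: ip]" field; adjust LINE_RE to your log.
SAMPLE_LOG = """\
2005-07-23 10:00:00.02 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-07-23 10:00:05.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-07-23 10:00:07.00 Logon       Login failed for user 'lee'. [CLIENT: 198.51.100.20]
2005-07-23 10:00:10.31 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-07-23 10:00:15.48 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-07-23 10:00:20.75 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2005-07-23 10:09:00.00 Logon       Login failed for user 'sa'. [CLIENT: 198.51.100.20]
2005-07-23 10:30:00.00 Logon       Login succeeded for user 'lee'. [CLIENT: 198.51.100.20]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<ip>[0-9a-fA-F.:]+)\]"
)

def parse_failures(text):
    """Yield (timestamp, login, client_ip) for each failed-login line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["user"].lower(), m["ip"]

def block_candidates(text, watched=("sa",), threshold=5, window=timedelta(minutes=1)):
    """Return {ip: max failures inside any sliding window} for IPs that reach
    the threshold against a watched login. Output feeds a firewall deny list."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        if user in watched:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged
```

With the sample above, one address reaches five failed `sa` logins inside a minute and is returned; the address with a single stray failure is not.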
