Skip to content

Network Patterns

Malcolm Stewart edited this page Mar 9, 2022 · 16 revisions

Network Patterns

This section contains a number of networking scenarios that you can cross-check with your own traces.

Note: IP addresses and machine names have been obfuscated into the 10.xxx.xxx.xxx, 172.[16-31].xxx.xxx, or 192.168.xxx.xxx range with generic names, such as SQLPROD01.CONTOSO.COM.
Note: Traces shown are parsed using NETMON 3.4.

Enable NETMON 3.4 to Parse SQL Servers on Ports other than 1433

In many cases, SQL Server is not listening on port 1433. Since there is no special code in TCP to indicate the sub-protocol type, the parser is hard-coded to interpret traffic on port 1433 as SQL Server traffic.

Change NETMON Parser Port for SQL Server

Normal Traces and Fragments

Normal Login Using SQL Authentication
Normal Login Using a Domain Account and NTLM Authentication
Normal Login Using a Domain Account and Kerberos Authentication

Idle Connection with Keep-Alive Packets

Normal Closing Connection
Normal MARS Closing Connection

Capture Problems

All Packets Duplicated
Packets in One Direction

Abnormal Traces

Connection Dropped in both Directions
Connection Dropped in one Direction
Connection Dropped in one Direction - One-Sided Trace
Network Device Reset Connection
Logon Timeout Due to Slow Domain Controller
Server has a Connection Backlog
VPN Delays Packets Causing Connection to Reset

Other Failures

Certificate Validation Failure

Clone this wiki locally