-
Notifications
You must be signed in to change notification settings - Fork 43
Normal MARS Closing Connection
Multiple Active ResultSets (MARS) is a feature of SQL Server, introduced with SQL Server 2005, that allows multiple commands to be executed on a connection without having to clean-up the results from the first command before running the second command. This is achieved through session multi-plexing (SMUX).
Packets you can see that indicate the connection is a MARS connection:
SMP:SYN starts a new session SMP:ACK acknowledges data packets SMP:FIN terminates a session
The trace example shows the various packets.
It also shows the closing results in a RESET packet due to a consistent timing issue on the client. This reset is benign.
Frame Time Offset Source IP Dest IP Description
----- ----------- ----------- ----------- ---------------------------------------------------------------------------------------------------
--- Open a new connection
6704 568.0608108 10.10.10.10 10.10.10.22 TCP:Flags=CE....S., SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661832900, Ack=0, Win=8192 ( Neg
6713 568.0608483 10.10.10.22 10.10.10.10 TCP: [Bad CheckSum]Flags=.E.A..S., SrcPort=1433, DstPort=52965, PayloadLen=0, Seq=492910518, Ack=66
6754 568.0613015 10.10.10.10 10.10.10.22 TCP:Flags=...A...., SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661832901, Ack=492910519, Win=10
6777 568.0615479 10.10.10.10 10.10.10.22 TDS:Prelogin, Version = 7.4 (0x74000004), SPID = 0, PacketID = 1, Flags=...AP..., SrcPort=52965, Ds
6786 568.0616817 10.10.10.22 10.10.10.10 TDS:Response, Version = 7.4 (0x74000004), SPID = 0, PacketID = 1, Flags=...AP..., SrcPort=1433, Dst
6833 568.0622426 10.10.10.10 10.10.10.22 TLS:TLS Rec Layer-1 HandShake: Client Hello. {TLS:165, SSLVersionSelector:164, TDS:162, TCP:160, IP
6873 568.0627953 10.10.10.22 10.10.10.10 TLS:TLS Rec Layer-1 HandShake: Server Hello. Certificate. Server Key Exchange. Server Hello Done. {
6900 568.0632639 10.10.10.10 10.10.10.22 TCP:Flags=...A...., SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661833190, Ack=492913584, Win=10
6977 568.0643795 10.10.10.10 10.10.10.22 TLS:TLS Rec Layer-1 HandShake: Client Key Exchange.; TLS Rec Layer-2 Cipher Change Spec; TLS Rec La
7045 568.0655160 10.10.10.22 10.10.10.10 TLS:TLS Rec Layer-1 Cipher Change Spec; TLS Rec Layer-2 HandShake: Encrypted Handshake Message. {TL
7233 568.0679639 10.10.10.10 10.10.10.22 TDS:Data, Version = 7.4 (0x74000004), Reassembled Packet {TDS:162, TCP:160, IPv4:1}
7275 568.0684467 10.10.10.22 10.10.10.10 NLMP:NTLM CHALLENGE MESSAGE {TDS:162, TCP:160, IPv4:1}
7331 568.0692389 10.10.10.10 10.10.10.22 NLMP:NTLM AUTHENTICATE MESSAGE Version:NTLM v2, Domain: CONTOSO, User: joe133, Workstation: JOEWKS
11791 568.1295675 10.10.10.22 10.10.10.10 TCP: [Bad CheckSum]Flags=...A...., SrcPort=1433, DstPort=52965, PayloadLen=0, Seq=492913928, Ack=66
17978 568.2162145 10.10.10.22 10.10.10.10 TDS:Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 1, Flags=...AP..., SrcPort=1433, D
--- After the connection is established, create a new MARS session (Sid=0)
18024 568.2170301 10.10.10.10 10.10.10.22 SMP:SYN, Sid = 0, Length = 16, SeqNum = 0, Wndw = 4 {SMP:190, TCP:160, IPv4:1}
--- Execute various commands on the session
18028 568.2170301 10.10.10.10 10.10.10.22 TDS:SQLBatch, Version = 7.4 (0x74000004), SPID = 0, PacketID = 1, Flags=...AP..., SrcPort=52965, Ds
18031 568.2170676 10.10.10.22 10.10.10.10 TCP: [Bad CheckSum]Flags=...A...., SrcPort=1433, DstPort=52965, PayloadLen=0, Seq=492914329, Ack=66
18038 568.2173641 10.10.10.22 10.10.10.10 TDS:Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 1, Flags=...AP..., SrcPort=1433, D
18079 568.2178650 10.10.10.10 10.10.10.22 TDS:SQLBatch, Version = 7.4 (0x74000004), SPID = 0, PacketID = 1, Flags=...AP..., SrcPort=52965, Ds
...
--- Example of the SMP:ACK packet
40874 568.5121135 10.10.10.22 10.10.10.10 TDS:Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 1, Flags=...AP..., SrcPort=1433, D
40876 568.5121237 10.10.10.22 10.10.10.10 TDS:Continuous Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 2, Flags=...AP..., SrcP
40911 568.5124644 10.10.10.10 10.10.10.22 SMP:ACK, Sid = 0, Length = 16, SeqNum = 34, Wndw = 40 {SMP:190, TCP:160, IPv4:1}
40950 568.5128422 10.10.10.22 10.10.10.10 TDS:Continuous Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 3, Flags=...AP..., SrcP
...
Example of the SMP:FIN packet
93665 569.9165034 10.10.10.22 10.10.10.10 TDS:Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 1, Flags=...AP..., SrcPort=1433, D
93689 569.9170056 10.10.10.10 10.10.10.22 SMP:FIN, Sid = 0, Length = 16, SeqNum = 559, Wndw = 614 {SMP:190, TCP:160, IPv4:1}
93691 569.9170640 10.10.10.22 10.10.10.10 SMP:FIN, Sid = 0, Length = 16, SeqNum = 610, Wndw = 563 {SMP:190, TCP:160, IPv4:1}
93692 569.9173178 10.10.10.10 10.10.10.22 TCP:Flags=...A...F, SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661892741, Ack=493774858, Win=10
93704 569.9173178 10.10.10.10 10.10.10.22 TCP:Flags=...A.R.., SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661892742, Ack=493774874, Win=0
The trace example above was taken on the server. In the connection close, you can see the SMP:FIN packet from the client closing the MARS session and the server sends its corresponding SMP:FIN packet. Then you see the ACK+FIN from the client followed immediately by a RESET packet. This only makes sense by looking at what the client sees.
On the client side, the packets appear in a different order, giving rise to the RESET packet:
12345 569.9165034 10.10.10.22 10.10.10.10 TDS:Response, Version = 7.4 (0x74000004), SPID = 255, PacketID = 1, Flags=...AP..., SrcPort=1433, D
12346 569.9170056 10.10.10.10 10.10.10.22 SMP:FIN, Sid = 0, Length = 16, SeqNum = 559, Wndw = 614 {SMP:190, TCP:160, IPv4:1}
12352 569.9173178 10.10.10.10 10.10.10.22 TCP:Flags=...A...F, SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661892741, Ack=493774858, Win=10
12361 569.9170640 10.10.10.22 10.10.10.10 SMP:FIN, Sid = 0, Length = 16, SeqNum = 610, Wndw = 563 {SMP:190, TCP:160, IPv4:1}
12374 569.9173178 10.10.10.10 10.10.10.22 TCP:Flags=...A.R.., SrcPort=52965, DstPort=1433, PayloadLen=0, Seq=661892742, Ack=493774874, Win=0
The client sends the SMP:FIN followed immediately by the ACK+FIN. The next packet should be an ACK and the server's ACK+FIN packet per TCP rules, but we get the server's SMP:FIN instead. This is what results in the RESET due to the the TCP layer not expecting what it considers to be a data packet arriving after the close sequence has been initiated. Occasionally, you may also see the server's ACK+FIN packet, but that gets reset, as well.
This is a benign closure.