mcr / tcpdump

the TCPdump network dissector. now moved to:
https://github.com/the-tcpdump-group/tcpdump

Steal code from mysqlsniffer (http://hackmysql.com/mysqlsniffer) for special parsing of MySQL packets. #34

Closed msabramo closed 11 years ago

msabramo commented 11 years ago

Steal code from mysqlsniffer for special parsing of MySQL packets.

This addresses #31.

Results of running tests...

~/dev/git-repos/tcpdump$ make check
(cd tests && ./TESTrun.sh)
reading from file lmp.pcap, link-type EN10MB (Ethernet)
lmp.sh: passed.
reading from file print-flags.pcap, link-type EN10MB (Ethernet)
reading from file print-flags.pcap, link-type EN10MB (Ethernet)
reading from file print-flags.pcap, link-type EN10MB (Ethernet)
reading from file print-flags.pcap, link-type EN10MB (Ethernet)
reading from file print-flags.pcap, link-type EN10MB (Ethernet)
reading from file print-flags.pcap, link-type EN10MB (Ethernet)
print-flags.sh: passed.
    bgp_vpn_attrset: passed.
    eapon1: passed.
    esp0: passed.
    esp1: passed.
    esp2: passed.
    esp3: passed.
    esp4: passed.
    esp5: passed.
    espudp1: passed.
    isakmp1: passed.
    isakmp2: passed.
    isakmp3: passed.
    isakmp4: passed.
    mpls-ldp-hello: passed.
    ospf-gmpls: passed.
    ikev2four: passed.
    ikev2fourv: passed.
    ikev2fourv4: passed.
    ikev2pI2: passed.
    dio01: passed.
    e1000g: passed.
    forces01: passed.
    forces01vvv: passed.
    forces01vvvv: passed.
    qinq: passed.
    qinqv: passed.
    sflow1: passed.
    babel1: passed.
    babel1v: passed.
    babel_auth: passed.
    pppoe: passed.
    icmpv6: passed.
    spb: passed.
    ripv1v2: passed.
    ripv2_auth: passed.

   0 tests failed
  37 tests passed

Here's the sample output I get from doing a query SELECT * FROM people which returns 1 row with my first and last name from a people table in a database called scratch_db:

~/dev/git-repos/tcpdump$ sudo ./tcpdump -vv -i lo0 port 3306
tcpdump: listening on lo0, link-type NULL (BSD loopback), capture size 65535 bytes
14:56:23.102466 IP (tos 0x8, ttl 64, id 31372, offset 0, flags [DF], proto TCP (6), length 77, bad cksum 0 (->c214)!)
    localhost.64434 > localhost.mysql: Flags [P.], cksum 0xfe41 (incorrect -> 0x97f7), seq 2776885912:2776885937, ack 824077453, win 40830, options [nop,nop,TS val 1983598529 ecr 1983495289], length 25ID 0 len 21 COM_QUERY: SELECT * FROM people

14:56:23.102501 IP (tos 0x8, ttl 64, id 28631, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->cce2)!)
    localhost.mysql > localhost.64434: Flags [.], cksum 0xfe28 (incorrect -> 0xb643), seq 1, ack 25, win 65535, options [nop,nop,TS val 1983598529 ecr 1983598529], length 0
14:56:23.102689 IP (tos 0x8, ttl 64, id 2039, offset 0, flags [DF], proto TCP (6), length 229, bad cksum 0 (->3412)!)
    localhost.mysql > localhost.64434: Flags [P.], cksum 0xfed9 (incorrect -> 0xd2a6), seq 1:178, ack 25, win 65535, options [nop,nop,TS val 1983598529 ecr 1983598529], length 177ID 1 len 1 ::Unhandled Event:: ::Unhandled Event:: Client pkt has no valid handler ::DUMP:: 02 ::DUMP::
    ID 2 len 64 COM_QUERY: def
scratch_dbpeoplepeople
first_name
first_name
          !
    ID 3 len 62 COM_QUERY: def
scratch_dbpeoplepeople  last_name   last_name
                                                 !
    ID 4 len 5 End <warnings 0> 
    ID 5 len 16 COM_FIELD_LIST: Marc
Abramowitz
    ID 6 len 5 End <warnings 0> 

14:56:23.102713 IP (tos 0x8, ttl 64, id 9207, offset 0, flags [DF], proto TCP (6), length 52, bad cksum 0 (->18c3)!)
    localhost.64434 > localhost.mysql: Flags [.], cksum 0xfe28 (incorrect -> 0x166d), seq 25, ack 178, win 40741, options [nop,nop,TS val 1983598529 ecr 1983598529], length 0
mcr commented 11 years ago

I have some concerns about the licensing on this code. Is it BSD compatible? I also need to be convinced that this code doesn't blow up if the TCP segments are short (because of -s 68, or because they are segmented differently, or IP fragmented). So, some test cases are in order. Meanwhile, I've pulled them into the mysql branch.
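Added example (not code from this PR, from tcpdump or from mysqlsniffer): a bounds-checked walk over the MySQL packets that msabramo's capture above shows (the 3-byte little-endian length plus 1-byte sequence id header, then a command byte on the client side), written to address the short-segment concern raised in the comment above, so that a capture cut by -s 68, re-segmentation or IP fragmentation is reported as truncated rather than read past the end of the buffer. The names `mysql_walk`, `walk_field`, `sample_query` and `sample_reply` are invented for the illustration, and the two sample buffers are constructed from the query and the row visible in the output above, not captured bytes.

```c
/* Bounds-checked walk over the MySQL packets in one captured TCP segment.
 * Illustration added to this thread: NOT tcpdump's or mysqlsniffer's code, and
 * every name in it is invented.  Relies only on two wire-format facts: a MySQL
 * packet starts with a 3-byte little-endian payload length and a 1-byte
 * sequence id; the first payload byte of a client packet is the command. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mysql_status { MYSQL_OK = 0, MYSQL_TRUNCATED = 1 };
enum field { F_STATUS, F_NPKTS, F_LEN, F_SEQ, F_FIRST, F_AVAIL };

struct mysql_pkt {
    uint32_t len;    /* payload length the header claims */
    uint8_t  seq;    /* sequence id */
    int      first;  /* first payload byte, or -1 if it was not captured */
    size_t   avail;  /* payload bytes actually present in the capture (<= len) */
};

static const char *mysql_cmd_name(int first)
{
    switch (first) {
    case 0x03: return "COM_QUERY";
    case 0x04: return "COM_FIELD_LIST";
    case -1:   return "[|mysql]";   /* truncated, in tcpdump's [|proto] style */
    default:   return "other";
    }
}

/* Parse up to 'max' consecutive packets from buf[0..caplen).  caplen is what
 * the capture really holds (after snaplen, re-segmentation or fragmentation),
 * so every read is checked against caplen, never against the header's claim.
 * Stops with MYSQL_TRUNCATED when the capture ends inside a packet. */
static enum mysql_status
mysql_walk(const uint8_t *buf, size_t caplen,
           struct mysql_pkt *pkts, size_t max, size_t *npkts)
{
    size_t off = 0;
    *npkts = 0;
    while (off < caplen && *npkts < max) {
        struct mysql_pkt *p = &pkts[*npkts];
        size_t remain = caplen - off;
        if (remain < 4)                  /* the 4-byte header itself is cut */
            return MYSQL_TRUNCATED;
        p->len = (uint32_t)buf[off] | ((uint32_t)buf[off + 1] << 8)
               | ((uint32_t)buf[off + 2] << 16);
        p->seq = buf[off + 3];
        off += 4;
        remain -= 4;
        p->avail = (p->len <= remain) ? p->len : remain;   /* clamp to capture */
        p->first = (p->avail > 0) ? buf[off] : -1;
        (*npkts)++;
        if (p->avail < p->len)           /* e.g. -s 68 chopped the payload */
            return MYSQL_TRUNCATED;
        off += p->len;                   /* safe: len <= remain here */
    }
    return MYSQL_OK;
}

/* Constructed inputs modelled on the output above, not captured bytes.
 * Client -> server: COM_QUERY "SELECT * FROM people", seq 0, len 21. */
static const uint8_t sample_query[] = {
    0x15, 0x00, 0x00, 0x00, 0x03,
    'S','E','L','E','C','T',' ','*',' ','F','R','O','M',' ','p','e','o','p','l','e'
};
/* Server -> client: EOF packet (seq 4, len 5), then the row packet "Marc",
 * "Abramowitz" (seq 5, len 16).  Its first byte is the length prefix 0x04 of
 * "Marc", which is why a command-only dissector labels it COM_FIELD_LIST. */
static const uint8_t sample_reply[] = {
    0x05, 0x00, 0x00, 0x04, 0xfe, 0x00, 0x00, 0x02, 0x00,
    0x10, 0x00, 0x00, 0x05, 0x04, 'M','a','r','c',
    0x0a, 'A','b','r','a','m','o','w','i','t','z'
};

/* Run the walk and return one scalar, so a single call can be checked. */
static long walk_field(const uint8_t *buf, size_t caplen, size_t i, enum field f)
{
    struct mysql_pkt pk[8]; size_t n;
    long st = mysql_walk(buf, caplen, pk, 8, &n);
    if (f == F_STATUS) return st;
    if (f == F_NPKTS)  return (long)n;
    if (i >= n)        return -1;
    return f == F_LEN ? (long)pk[i].len : f == F_SEQ ? pk[i].seq
         : f == F_FIRST ? pk[i].first : (long)pk[i].avail;
}

int main(void)
{
    /* 10 bytes is roughly what a small snaplen leaves of the 25-byte query. */
    struct mysql_pkt pk[8]; size_t n, i;
    enum mysql_status st = mysql_walk(sample_query, 10, pk, 8, &n);
    for (i = 0; i < n; i++)
        printf("ID %u len %u %s (%zu of %u payload bytes captured)\n",
               (unsigned)pk[i].seq, (unsigned)pk[i].len,
               mysql_cmd_name(pk[i].first), pk[i].avail, (unsigned)pk[i].len);
    return st == MYSQL_OK ? 0 : 1;
}
```

Two things the walk makes concrete. With -s 68, the Ethernet (14), IPv4 (20) and TCP-with-timestamp-options (32) headers in the capture above already take 66 bytes, so only two bytes of MySQL payload survive and even the 4-byte MySQL header has to be length-checked before it is read; trusting the header's 3-byte length to index the buffer is exactly the over-read the comment above worries about. And the server's row packet "Marc" "Abramowitz" begins with the length prefix 0x04 of its first column, which collides with the COM_FIELD_LIST opcode; that is why the capture above labels a result row as COM_FIELD_LIST, so a dissector should interpret the command byte only for client-to-server packets.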

msabramo commented 11 years ago

Hi Michael,

Those are valid concerns and I'll try in the long-term to get the mysqlsniffer author's licensing terms and some tests in place.

I noticed that you said you'd pull into the "mysql" branch, but it looks like you pulled it into the "master" branch? Was that a mistake?