Wireshark-users: Re: [Wireshark-users] MySQL packets showing "unknown/invalid protocol"

From: Jaap Keuter <jaap.keuter@xxxxxxxxx>
Date: Tue, 14 Nov 2006 23:01:18 +0100 (CET)
Hi,

From the source code:
* MySQL 4.1+ protocol

So it looks like the protocol changed.

Thanx,
Jaap

On Tue, 14 Nov 2006, Rachel McConnell wrote:

> Hi,
>
> I am using Wireshark to try to analyze some MySQL database traffic on a
> remote network behind a firewall.  I have used tcpdump to get a file
> which I then open in Wireshark for analysis.
>
> I'm using Wireshark 0.99.4 (downloaded and installed yesterday) and
> MySQL 5.0.24.
>
> In the request packets from the client, I can drill down to MySQL
> Protocol > Command and see, for example, "SELECT * FROM foo".  In the
> response packets, however, no data is displayed - I've pasted an example
> below.
>
> Is the MySQL protocol ... plugin, I guess ... unfinished?  Did MySQL
> change their API in version 5?  I haven't tried installing a 4.x version
> locally and sniffing that traffic.  Might I have used some tcpdump flag
> that's changing my data enough that Wireshark doesn't understand it?
>
> I have searched all the wireshark docs I can find, and googled
> unsuccessfully for "wireshark mysql" and variations.  Any ideas on this,
> or suggestions for further research are much appreciated.
>
> Thanks,
> Rachel
>
> response packet example:
> ========================
>
> MySQL Protocol
>    Packet Length: 1
>    Packet Number: 1
>    Payload: unknown/invalid response
>
> MySQL Protocol
>    Packet Length: 63
>    Packet Number: 2
>    Payload: unknown/invalid response
>
> MySQL Protocol
>    Packet Length: 73
>    Packet Number: 3
>    Payload: unknown/invalid response
>
> MySQL Protocol
>    Packet Length: 69
>    Packet Number: 4
>    Payload: unknown/invalid response
>
> ...
>
> MySQL Protocol
>    Packet Length: 5
>    Packet Number: 13
>    EOF marker (254)
>    Warnings: 0
>    Server Status: 0x0002
>      .... .... .... ...0 = In transaction: Not set
>      .... .... .... ..1. = AUTO_COMMIT: Set
>      .... .... .... .0.. = More results: Not set
>      .... .... .... 0... = Multi query - more resultsets: Not set
>      .... .... ...0 .... = Bad index used: Not set
>      .... .... ..0. .... = No index used: Not set
>      .... .... .0.. .... = Cursor exists: Not set
>      .... .... 0... .... = Last row sent: Not set
>      .... ...0 .... .... = database dropped: Not set
>      .... ..0. .... .... = No backslash escapes: Not set
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
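For readers who want to see what the dissector was being asked to decode, here is an added Python example (it is not Wireshark's dissector and not MySQL code) that frames and parses a MySQL 4.1+ text result set: a one-byte column-count packet, one column-definition packet per column, an EOF packet, one packet per row, and a final EOF carrying the server status word (0x0002 = AUTO_COMMIT, as in the quoted capture). The schema, table and column names, the row values and the error packet are constructed for the example; `build_result_set` plays the server side so the parser has something to read offline, and `safe_parse` exercises the truncated-packet and ERR-packet paths a capture-driven tool has to handle.

```python
"""Added example (not Wireshark or MySQL code): frame and parse MySQL 4.1+ SELECT responses."""
import struct

# Server status bits from mysql_com.h; the EOF packet in the thread carries 0x0002.
SERVER_STATUS_FLAGS = {0x0001: "in transaction", 0x0002: "autocommit", 0x0008: "more results exist",
                       0x0010: "no good index used", 0x0020: "no index used", 0x0040: "cursor exists",
                       0x0080: "last row sent", 0x0100: "database dropped", 0x0200: "no backslash escapes"}

def lenenc_int(n):
    """Length-encoded integer: one byte below 0xfb, else a 0xfc/0xfd/0xfe prefix plus 2/3/8 LE bytes."""
    if n < 0xfb:
        return bytes([n])
    prefix, width = (0xfc, 2) if n < 1 << 16 else (0xfd, 3) if n < 1 << 24 else (0xfe, 8)
    return bytes([prefix]) + n.to_bytes(width, "little")

def lenenc_str(s):
    return lenenc_int(len(s.encode())) + s.encode()

def read_lenenc_int(buf, pos):
    """Return (value, new_pos); 0xfb (NULL in rows) and 0xff (ERR) are not valid prefixes here."""
    if buf[pos] < 0xfb:
        return buf[pos], pos + 1
    width = {0xfc: 2, 0xfd: 3, 0xfe: 8}.get(buf[pos])
    if width is None or pos + 1 + width > len(buf):
        raise ValueError("bad length-encoded integer at offset %d" % pos)
    return int.from_bytes(buf[pos + 1:pos + 1 + width], "little"), pos + 1 + width

def read_lenenc_str(buf, pos):
    n, pos = read_lenenc_int(buf, pos)
    if pos + n > len(buf):
        raise ValueError("string runs past end of packet at offset %d" % pos)
    return buf[pos:pos + n].decode(), pos + n

def frame(seq, payload):                    # packet header: 3-byte LE length, 1-byte sequence id
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def is_eof(payload):                        # 0xfe with a short payload (a long lenenc int is >= 9 bytes)
    return payload[:1] == b"\xfe" and len(payload) < 9

def split_packets(stream):
    """Yield (seq, payload) for each packet; a truncated tail is an error, not a guess."""
    pos = 0
    while pos < len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        payload = stream[pos + 4:pos + 4 + length]
        if len(stream) - pos < 4 or len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield stream[pos + 3], payload
        pos += 4 + length

def column_definition(schema, table, name, col_type, charset=33, length=255):
    """ColumnDefinition41: catalog, schema, table, org_table, name, org_name, then a fixed 12-byte block."""
    return (lenenc_str("def") + lenenc_str(schema) + lenenc_str(table) + lenenc_str(table)
            + lenenc_str(name) + lenenc_str(name) + lenenc_int(0x0c)
            + struct.pack("<HIBHB", charset, length, col_type, 0, 0) + b"\x00\x00")

def build_result_set(columns, rows, status=0x0002):
    """Serialize a SELECT response the way a 4.1+ server does (without CLIENT_DEPRECATE_EOF)."""
    eof = b"\xfe" + struct.pack("<HH", 0, status)
    packets = [lenenc_int(len(columns))] + [column_definition(*c) for c in columns] + [eof]
    packets += [b"".join(b"\xfb" if v is None else lenenc_str(v) for v in r) for r in rows] + [eof]
    return b"".join(frame(seq, p) for seq, p in enumerate(packets, start=1))

def parse_result_set(stream):
    packets = [p for _, p in split_packets(stream)]
    first = packets[0]
    if first[0] == 0xff:                    # ERR: 0xff, error code, '#' + SQLSTATE, message
        raise ValueError("server error %d: %s" % (struct.unpack_from("<H", first, 1)[0],
                                                  first[9:].decode(errors="replace")))
    ncols, _ = read_lenenc_int(first, 0)
    if len(packets) < ncols + 3 or not is_eof(packets[1 + ncols]):
        raise ValueError("not a result set: expected column count, definitions, EOF")
    columns, rows = [], []
    for payload in packets[1:1 + ncols]:
        fields, pos = [], 0
        for _ in range(6):                  # catalog, schema, table, org_table, name, org_name
            s, pos = read_lenenc_str(payload, pos)
            fields.append(s)
        _, pos = read_lenenc_int(payload, pos)   # length of the fixed block, always 0x0c
        columns.append({"table": fields[2], "name": fields[4],
                        "type": struct.unpack_from("<HIB", payload, pos)[2]})
    for payload in packets[2 + ncols:]:
        if is_eof(payload):                 # EOF: 0xfe, warnings, server status
            status = struct.unpack_from("<HH", payload, 1)[1]
            return {"columns": columns, "rows": rows,
                    "status": {n for bit, n in SERVER_STATUS_FLAGS.items() if status & bit}}
        row, pos = [], 0
        for _ in range(ncols):              # each value is a lenenc string, 0xfb meaning NULL
            s, pos = (None, pos + 1) if payload[pos] == 0xfb else read_lenenc_str(payload, pos)
            row.append(s)
        rows.append(row)
    raise ValueError("result set not terminated by EOF")

def safe_parse(stream):                     # report malformed input instead of raising
    try:
        return parse_result_set(stream)
    except (ValueError, IndexError, UnicodeDecodeError, struct.error) as e:
        return {"error": str(e)}

# Constructed samples: SELECT * FROM foo with id (MYSQL_TYPE_LONG = 3) and name (VAR_STRING = 253),
# and an ERR packet (error 1146, SQLSTATE 42S02) for a missing table.
SAMPLE_RESPONSE = build_result_set([("test", "foo", "id", 3), ("test", "foo", "name", 253)],
                                   [["1", "alice"], ["2", None]])
SAMPLE_ERROR = frame(1, b"\xff" + struct.pack("<H", 1146) + b"#42S02Table 'test.bar' doesn't exist")
```

`parse_result_set(SAMPLE_RESPONSE)` returns the two columns, the two rows (the NULL decoded from the 0xfb marker) and the status set `{"autocommit"}`; the packet lengths produced by `split_packets` follow the same pattern as the quoted capture, a one-byte column count, then column definitions whose size depends on the name lengths, then a five-byte EOF. Feeding it `SAMPLE_RESPONSE[:-1]` fails on the truncated last packet rather than reporting a partial result, which is the behaviour you want when a tcpdump snaplen has clipped the data.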