Wireshark-users: [Wireshark-users] MySQL packets showing "unknown/invalid protocol"
Hi,
I am using Wireshark to try to analyze some MySQL database traffic on a
remote network behind a firewall. I have used tcpdump to get a file
which I then open in Wireshark for analysis.
I'm using Wireshark 0.99.4 (downloaded and installed yesterday) and
MySQL 5.0.24.
In the request packets from the client, I can drill down to MySQL
Protocol > Command and see, for example, "SELECT * FROM foo". In the
response packets, however, no data is displayed - I've pasted an example
below.
Is the MySQL protocol ... plugin, I guess ... unfinished? Did MySQL
change their API in version 5? I haven't tried installing a 4.x version
locally and sniffing that traffic. Might I have used some tcpdump flag
that's changing my data enough that Wireshark doesn't understand it?
I have searched all the wireshark docs I can find, and googled
unsuccessfully for "wireshark mysql" and variations. Any ideas on this,
or suggestions for further research are much appreciated.
Thanks,
Rachel
response packet example:
========================
MySQL Protocol
Packet Length: 1
Packet Number: 1
Payload: unknown/invalid response
MySQL Protocol
Packet Length: 63
Packet Number: 2
Payload: unknown/invalid response
MySQL Protocol
Packet Length: 73
Packet Number: 3
Payload: unknown/invalid response
MySQL Protocol
Packet Length: 69
Packet Number: 4
Payload: unknown/invalid response
...
MySQL Protocol
Packet Length: 5
Packet Number: 13
EOF marker (254)
Warnings: 0
Server Status: 0x0002
.... .... .... ...0 = In transaction: Not set
.... .... .... ..1. = AUTO_COMMIT: Set
.... .... .... .0.. = More results: Not set
.... .... .... 0... = Multi query - more resultsets: Not set
.... .... ...0 .... = Bad index used: Not set
.... .... ..0. .... = No index used: Not set
.... .... .0.. .... = Cursor exists: Not set
.... .... 0... .... = Last row sebd: Not set
.... ...0 .... .... = database dropped: Not set
.... ..0. .... .... = No backslash escapes: Not set
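For readers who want to see what the dissector is not showing here: a MySQL text result set is a sequence of framed packets (3-byte little-endian payload length, 1-byte sequence number, payload), beginning with a one-byte column-count packet, then one column-definition packet per column, an EOF packet, the rows, and a final EOF packet carrying the warning count and the server status bits listed above. The parser below is an added example, not code from this thread or from the Wireshark project; it assumes the classic MySQL 4.1+ text protocol and runs on a constructed response stream (two columns, two rows, AUTO_COMMIT set), decoding the same fields Wireshark labels in the EOF packet.

```python
import struct

# Server status bits from the EOF/OK packets of the classic MySQL protocol.
# Names follow the labels Wireshark prints (the 0x0080 bit is "Last row sent").
SERVER_STATUS_FLAGS = {
    0x0001: "In transaction", 0x0002: "AUTO_COMMIT", 0x0004: "More results",
    0x0008: "Multi query - more resultsets", 0x0010: "Bad index used",
    0x0020: "No index used", 0x0040: "Cursor exists", 0x0080: "Last row sent",
    0x0100: "Database dropped", 0x0200: "No backslash escapes",
}

def split_packets(stream: bytes):
    """Split a server->client byte stream into (sequence number, payload) pairs.
    Framing: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        seq = stream[pos + 3]
        payload = stream[pos + 4:pos + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        packets.append((seq, payload))
        pos += 4 + length
    if pos != len(stream):
        raise ValueError("trailing bytes after last packet")
    return packets

def read_lenenc(buf: bytes, pos: int):
    """Read a length-encoded integer; return (value, position after it)."""
    first = buf[pos]
    if first < 0xFB:
        return first, pos + 1
    if first == 0xFC:
        return int.from_bytes(buf[pos + 1:pos + 3], "little"), pos + 3
    if first == 0xFD:
        return int.from_bytes(buf[pos + 1:pos + 4], "little"), pos + 4
    if first == 0xFE:
        return int.from_bytes(buf[pos + 1:pos + 9], "little"), pos + 9
    raise ValueError("0xFB marks a NULL column, not an integer")

def read_lenenc_str(buf: bytes, pos: int):
    n, pos = read_lenenc(buf, pos)
    return buf[pos:pos + n], pos + n

def parse_eof(payload: bytes):
    """EOF packet: 0xFE, 2-byte warning count, 2-byte status flags (5 bytes total)."""
    if len(payload) != 5 or payload[0] != 0xFE:
        raise ValueError("not an EOF packet")
    warnings, status = struct.unpack("<HH", payload[1:])
    flags = [name for bit, name in SERVER_STATUS_FLAGS.items() if status & bit]
    return {"warnings": warnings, "status": status, "flags": flags}

def parse_column_def(payload: bytes):
    """Column definition (protocol 4.1): six length-encoded strings
    (catalog, schema, table, org_table, name, org_name) precede the fixed fields."""
    pos, fields = 0, []
    for _ in range(6):
        s, pos = read_lenenc_str(payload, pos)
        fields.append(s.decode())
    return {"schema": fields[1], "table": fields[2], "name": fields[4]}

def parse_text_resultset(stream: bytes):
    """Classify a command response: OK, ERR, or a full text result set."""
    packets = split_packets(stream)
    first = packets[0][1]
    if first[0] == 0x00:
        return {"kind": "OK"}
    if first[0] == 0xFF:
        return {"kind": "ERR", "code": struct.unpack("<H", first[1:3])[0]}
    ncols, _ = read_lenenc(first, 0)
    columns = [parse_column_def(packets[1 + i][1]) for i in range(ncols)]
    idx = 1 + ncols
    parse_eof(packets[idx][1])          # EOF that closes the column definitions
    idx += 1
    rows = []
    while True:
        payload = packets[idx][1]
        if payload[0] == 0xFE and len(payload) < 9:   # final EOF, not a row
            final_eof = parse_eof(payload)
            break
        row, pos = [], 0
        for _ in range(ncols):
            if payload[pos] == 0xFB:                  # NULL column value
                row.append(None)
                pos += 1
            else:
                s, pos = read_lenenc_str(payload, pos)
                row.append(s.decode())
        rows.append(row)
        idx += 1
    return {"kind": "RESULTSET", "columns": [c["name"] for c in columns],
            "rows": rows, "eof": final_eof, "packets": len(packets)}

# --- Constructed sample response (not captured traffic) -------------------
def frame(seq: int, payload: bytes) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def lenenc_str(s: str) -> bytes:
    b = s.encode()
    return bytes([len(b)]) + b          # short strings only (< 0xFB bytes)

def column_def(schema: str, table: str, name: str, col_type: int = 0xFD) -> bytes:
    fixed = bytes([0x0C]) + struct.pack("<HIBHB", 33, 255, col_type, 0, 0) + b"\x00\x00"
    return (lenenc_str("def") + lenenc_str(schema) + lenenc_str(table) + lenenc_str(table)
            + lenenc_str(name) + lenenc_str(name) + fixed)

def eof_packet(warnings: int, status: int) -> bytes:
    return b"\xfe" + struct.pack("<HH", warnings, status)

SAMPLE_RESPONSE = (
    frame(1, b"\x02")                                   # column count = 2
    + frame(2, column_def("test", "foo", "id", 0x03))   # INT column
    + frame(3, column_def("test", "foo", "name"))       # VAR_STRING column
    + frame(4, eof_packet(0, 0x0002))                   # EOF after columns
    + frame(5, lenenc_str("1") + lenenc_str("alice"))   # row 1
    + frame(6, lenenc_str("2") + b"\xfb")               # row 2, name is NULL
    + frame(7, eof_packet(0, 0x0002))                   # final EOF, AUTO_COMMIT
)

if __name__ == "__main__":
    print(parse_text_resultset(SAMPLE_RESPONSE))
```

The final EOF in the constructed stream decodes to status 0x0002 with only AUTO_COMMIT set, which is the same bit layout as the EOF packet pasted above; the shape of that paste (a 1-byte first packet, several packets in the 60-70 byte range, then a 5-byte EOF) is exactly the column-count, column-definition, EOF sequence this parser walks. A dissector that knows the framing but not the response state machine can only report the payloads as unknown, which is what the output above shows.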