
How to analyze the tcpdump content of a MySQL connection request

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02

This article introduces how to analyze the tcpdump content of a MySQL connection request. Many people have questions about this in day-to-day operations, so the editor consulted various materials and put together a simple, practical method. I hope it helps answer the question; follow along below.

Tcpdump captures TCP/IP and other packets sent and received over network connections. In web development we often run into network errors such as read time out/connect reset while providing or calling HTTP services. Using tcpdump to analyze the three-way handshake or four-way teardown packets makes it easy to see at which step of the network exchange the problem occurs.

Next, we analyze a MySQL connection request to understand the network request process and the specific content of the protocol.

0x0000: 4500 0039 3881 4000 4006 7fcf c0a8 00d7

0x0010: c0a8 0047 a034 0cea 860b e11e c2fc 7f64

0x0020: 8018 296a 2b0e 0000 0101 080a 2de4 786b

0x0030: 3a4f 5980 0100 0000 0e

Such a message usually consists of three parts.

1. IP header

2. TCP protocol

3. Mysql protocol

Line-by-line analysis is as follows:

4500 0039 3881 4000 4006 7fcf c0a8 00d7

45: 4 is the Version and 5 is the Header Length. The field counts 32-bit words, so the IP header is 5 words long, which is the 20 bytes noted below.

The next 5 bytes are 00 0039 3881:

00: Type Of Service, which carries priority, delay, throughput and similar requirements.

0039: Total Length. Converted to decimal it is 57, which matches the number of bytes in the packet we captured.

3881: Identification of the IP header

4000: IP Flags and Fragment Offset

000: IP Flags

0 0100 0000 0000: Fragment Offset, offset 0 from the original header

4006: 40 is the TTL, the lifetime of the packet; 06 represents the TCP protocol

7fcf: Header Checksum, used to check the header for errors

c0a8 00d7: source host IP address field, c0 (192) a8 (168) 00 (0) d7 (215)

c0a8 0047 a034 0cea 860b e11e c2fc 7f64

c0a8 0047: the IP address of the target host (this ends the IP part, which is exactly 20 bytes; the TCP part follows)

a034: source port number, 41012 in decimal

0cea: destination port, 3306 in decimal

860b e11e: sequence number 2248925470

c2fc 7f64: acknowledgment number 3271327588

8018 296a 2b0e 0000 0101 080a 2de4 786b

80: 8 is the data offset; 0 is the reserved bits

18: the well-known TCP flags. 1 means ACK and 8 means PUSH, which is probably the origin of the [P.] in the first line

296a: size of the sliding window, 10602

2b0e: checksum of the TCP part

0000: urgent pointer of the TCP part

Next comes the Options section

0101: NOP padding, which has no practical significance

080a: indicates that the timestamp option is enabled

2de4 786b: the value of the timestamp, 769947755

3a4f 5980 0100 0000 0e

3a4f 5980: also part of the timestamp, the ecr value

0100 00: indicates that the content length is 1 byte

00: the seqid, which is incremented

0e: the MySQL command; looking it up gives COM_PING, which tests connectivity

The following lists all the MySQL commands, identified by their hexadecimal codes, that can appear in the client request. Different commands need different decoding to get at their content, so no further examples are given here.
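The same walk-through done in code, as an added example that is not part of the original article: it decodes the 57-byte packet above and also verifies the IP header checksum 7fcf. The names `decode`, `checksum_ok` and the result keys are hypothetical, and it assumes one whole MySQL command packet per TCP segment.

```python
import struct

# The 57-byte packet from the hex dump above, tcpdump offsets removed.
PACKET = bytes.fromhex(
    "4500 0039 3881 4000 4006 7fcf c0a8 00d7"
    "c0a8 0047 a034 0cea 860b e11e c2fc 7f64"
    "8018 296a 2b0e 0000 0101 080a 2de4 786b"
    "3a4f 5980 0100 0000 0e")
FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
# Subset of the command table on this page; extend as needed.
COMMANDS = {0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY", 0x0E: "COM_PING"}

def checksum_ok(header: bytes) -> bool:
    """A header is intact when its 16-bit one's-complement sum folds to 0xFFFF."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF

def decode(raw: bytes) -> dict:
    """Split one captured IPv4 packet into IP, TCP and MySQL command fields."""
    if len(raw) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len = struct.unpack("!BBH", raw[:4])
    ip_len = (ver_ihl & 0x0F) * 4            # header length is counted in 32-bit words
    if ver_ihl >> 4 != 4 or raw[9] != 6 or ip_len < 20 or total_len > len(raw):
        raise ValueError("not a complete IPv4/TCP packet")
    src, dst = (".".join(map(str, raw[i:i + 4])) for i in (12, 16))
    tcp = raw[ip_len:total_len]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    tcp_len = (off_flags >> 12) * 4          # data offset is also in 32-bit words
    mysql = tcp[tcp_len:]
    if tcp_len < 20 or len(mysql) < 5:
        raise ValueError("no MySQL command packet in this segment")
    body_len = int.from_bytes(mysql[:3], "little")   # MySQL integers are little-endian
    if body_len == 0 or len(mysql) < 4 + body_len:
        raise ValueError("MySQL packet continues in a later segment")
    return {"ip_header_len": ip_len, "ip_checksum_ok": checksum_ok(raw[:ip_len]),
            "src": f"{src}:{sport}", "dst": f"{dst}:{dport}", "seq": seq, "ack": ack,
            "flags": [name for bit, name in FLAGS if off_flags & bit],
            "window": window, "tcp_header_len": tcp_len, "mysql_len": body_len,
            "mysql_seq": mysql[3],
            "command": COMMANDS.get(mysql[4], f"0x{mysql[4]:02X}")}

if __name__ == "__main__":
    for field, value in decode(PACKET).items():
        print(f"{field:>15}: {value}")
```

The TCP checksum 2b0e is not verified here because it also covers a pseudo-header and is often left unfilled in captures taken on the sending host.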

0x00 COM_SLEEP (internal thread state)

0x01 COM_QUIT closes the connection

0x02 COM_INIT_DB switches the database

0x03 COM_QUERY SQL query request

0x04 COM_FIELD_LIST gets the field information of a table

0x05 COM_CREATE_DB creates a database

0x06 COM_DROP_DB deletes the database

0x07 COM_REFRESH clears the cache

0x08 COM_SHUTDOWN stops the server

0x09 COM_STATISTICS gets server statistics

0x0A COM_PROCESS_INFO gets the list of current connections

0x0B COM_CONNECT (internal thread state)

0x0C COM_PROCESS_KILL interrupts a connection

0x0D COM_DEBUG saves server debugging information

0x0E COM_PING tests connectivity

0x0F COM_TIME (internal thread state)

0x10 COM_DELAYED_INSERT (internal thread state)

0x11 COM_CHANGE_USER logs in again (keeping the connection)

0x12 COM_BINLOG_DUMP gets binary log information

0x13 COM_TABLE_DUMP gets the structure information of the data table

0x14 COM_CONNECT_OUT (internal thread state)

0x15 COM_REGISTER_SLAVE registers a slave server with the master server

0x16 COM_STMT_PREPARE prepares an SQL statement

0x17 COM_STMT_EXECUTE executes a prepared statement

0x18 COM_STMT_SEND_LONG_DATA sends data of type BLOB

0x19 COM_STMT_CLOSE destroys a prepared statement

0x1A COM_STMT_RESET clears the parameter cache of a prepared statement

0x1B COM_SET_OPTION sets statement options

0x1C COM_STMT_FETCH gets the execution result of a prepared statement

Other types of protocol packets are also produced during a MySQL request, so we need a basic understanding of the MySQL request process.

Introduction to the MySQL request process

1. Establish the TCP connection with a three-way handshake

2. Establish a connection with the MySQL server

Server --> Client: Handshake

1 byte: protocol version number

NullTerminatedString: database version information

4 bytes: thread ID of the connection started by the MySQL server

8 bytes: challenge random number for database authentication

1 byte: fill value (0x00)

2 bytes: used to negotiate communication with the client

1 byte: character encoding of the database

2 bytes: server status

13 bytes: reserved byte

12 bytes: challenge random number for database authentication

1 byte: fill value (0x00)

Client --> Server: Authentication

4 bytes: used to negotiate communication with the client

4 bytes: the maximum message length supported by the client when sending a request message

1 byte: identifies the character encoding used in communication

23 bytes: reserved byte

NullTerminatedString: user name

LengthEncodedString: encrypted password

NullTerminatedString: database name (optional)

Server --> Client: returns the authentication result packet

3. After the authentication is passed, the server receives the client command packet and returns the corresponding response packet.
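The handshake and authentication layouts listed above, parsed in code as an added example that is not part of the original article. It follows the field order and sizes given on this page; the function names and the sample bytes are constructed for illustration.

```python
import struct

def cstring(buf: bytes, pos: int):
    """Read a NullTerminatedString at pos; return (text, position after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8", "replace"), end + 1

def parse_handshake(body: bytes) -> dict:
    """Server --> Client handshake body, in the field order listed above."""
    version, pos = cstring(body, 1)
    fixed = "<I8sBHBH"   # thread id, challenge part 1, filler, capabilities, charset, status
    if len(body) < pos + struct.calcsize(fixed) + 13 + 12:
        raise ValueError("truncated handshake")
    thread_id, salt1, _fill, caps, charset, status = struct.unpack_from(fixed, body, pos)
    pos += struct.calcsize(fixed) + 13                 # skip the 13 reserved bytes
    return {"protocol": body[0], "version": version, "thread_id": thread_id,
            "capabilities": caps, "charset": charset, "status": status,
            "challenge": salt1 + body[pos:pos + 12]}   # 8 + 12 bytes, joined

def parse_auth(body: bytes) -> dict:
    """Client --> Server authentication body, in the field order listed above."""
    caps, max_packet, charset = struct.unpack_from("<IIB", body, 0)
    user, pos = cstring(body, 4 + 4 + 1 + 23)          # user name follows 23 reserved bytes
    pw_len = body[pos]            # LengthEncodedString: single length byte below 251
    if pw_len >= 251 or pos + 1 + pw_len > len(body):
        raise ValueError("unsupported or truncated password field")
    token = body[pos + 1:pos + 1 + pw_len]
    pos += 1 + pw_len
    database = cstring(body, pos)[0] if pos < len(body) else None
    return {"capabilities": caps, "max_packet": max_packet, "charset": charset,
            "user": user, "token": token, "database": database}

# Constructed sample bodies (made-up values, not captured traffic).
CHALLENGE = bytes(range(1, 21))
HANDSHAKE = (b"\x0a" + b"0.0.0-constructed\x00" + struct.pack("<I", 42) + CHALLENGE[:8]
             + b"\x00" + struct.pack("<HBH", 0xF7FF, 33, 2) + bytes(13)
             + CHALLENGE[8:] + b"\x00")
AUTH = (struct.pack("<IIB", 0x0000A285, 1 << 24, 33) + bytes(23) + b"app_user\x00"
        + bytes([20]) + bytes(range(100, 120)) + b"shop\x00")

if __name__ == "__main__":
    print(parse_handshake(HANDSHAKE))
    print(parse_auth(AUTH))
```

On an unencrypted connection the server version, user name and database name are readable in the capture as plain strings, while the password field only carries a value derived from the challenge.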
