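MySQL Packet Capture Protocol Analysis (client-to-server communication protocol)
1. A typical MySQL session
1.1 Description
A normal session proceeds as follows:
1) A three-way handshake establishes the TCP connection
2) The MySQL connection is established
   a) The server sends the client a handshake initialization packet (Handshake Initialization Packet)
   b) The client sends the server an authentication packet (Client Authentication Packet)
   c) The server sends the client a success packet
3) The client and server interact
   a) The client sends the server a command packet (Command Packet)
   b) The server sends the client a response packet (OK Packet, or Error Packet, or Result Set Packet)
4) The MySQL connection is closed
   a) The client sends the server a quit command packet
5) A four-way handshake closes the TCP connection
1.2 Example (captured with tcpdump)
The client connects to the database from the command line with:
mysql -uroot -pdbaudit -h
The captured packets are as follows: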
1.2.1 Login
1) Three-way handshake establishes the connection
19:00:22.534342 IP > S 8:8(0) win 8192
    0x0000:  4500 0034 043f 4000 4006 0801 c0a8 5665  E..4.?@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 189e 0000 0000  ..V.....6M......
    0x0020:  8002 2000 dbdd 0000 0204 05b4 0103 0302  ................
    0x0030:  0101 0402                                ....
19:00:22.534390 IP S 77:77(0) ack 9 win 5840
    0x0000:  4500 0034 0000 4000 4006 0c40 c0a8 56ce  E..4..@.@..@..V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1d4d 364d 189f  ..Ve.......M6M..
    0x0020:  8012 16d0 02d3 0000 0204 05b4 0101 0402  ................
    0x0030:  0103 0307                                ....
19:00:22.534916 IP > . ack 1 win 4380
    0x0000:  4500 0028 0440 4000 4006 080c c0a8 5665  E..(.@@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 189f c4d7 1d4e  ..V.....6M.....N
    0x0020:  5010 111c 4959 0000 0000 0000 0000       P...IY........
2) The server sends the client a handshake initialization packet (Handshake Initialization Packet)
19:00:22.535632 IP P 1:79(78) ack 1 win 46
    0x0000:  4508 0076 0d33 4000 4006 fec2 c0a8 56ce  E..v.3@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1d4e 364d 189f  ..Ve.......N6M..
    0x0020:  5018 002e 2eed 0000 4a00 0000 0a35 2e35  P.......J....5.5
    0x0030:  2e32 3100 8200 0000 2f75 2246 7b58 2652  .21...../u"F{X&R
    0x0040:  00ff f708 0200 0f80 1500 0000 0000 0000  ................
    0x0050:  0000 004b 6128 4049 2d46 565d 5366 2900  ...Ka(@I-FV]Sf).
    0x0060:  6d79 7371 6c5f 6e61 7469 7665 5f70 6173  mysql_native_pas
    0x0070:  7377 6f72 6400                           sword.
3) The client sends the server an authentication packet containing the user name and password (Client Authentication Packet)
19:00:22.536678 IP > P 1:63(62) ack 79 win 4360
    0x0000:  4500 0066 0441 4000 4006 07cd c0a8 5665  E..f.A@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 189f c4d7 1d9c  ..V.....6M......
    0x0020:  5018 1108 b2d0 0000 3a00 0001 85a6 0300  P.......:.......
    0x0030:  0000 0001 0800 0000 0000 0000 0000 0000  ................
    0x0040:  0000 0000 0000 0000 0000 0000 726f 6f74  ............root
    0x0050:  0014 ce03 1683 429e cae8 cb93 5435 71f2  ......B.....T5q.
    0x0060:  7439 d842 1922                           t9.B."
4) The server sends the client an empty packet (an ordinary TCP packet, unrelated to MySQL)
19:00:22.536748 IP . ack 63 win 46
    0x0000:  4508 0028 0d34 4000 4006 ff0f c0a8 56ce  E..(.4@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1d9c 364d 18dd  ..Ve........6M..
    0x0020:  5010 002e 59bb 0000                      P...Y...
5) The server sends the client a success packet (OK Packet)
19:00:22.536827 IP P 79:90(11) ack 63 win 46
    0x0000:  4508 0033 0d35 4000 4006 ff03 c0a8 56ce  E..3.5@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1d9c 364d 18dd  ..Ve........6M..
    0x0020:  5018 002e 2eaa 0000 0700 0002 0000 0002  P...............
    0x0030:  0000 00                                  ...
6) The client sends the server a packet (apparently unrelated to MySQL; the header does not conform to the protocol)
19:00:22.734205 IP > . ack 90 win 4357
    0x0000:  4500 0028 0444 4000 4006 0808 c0a8 5665  E..(.D@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 18dd c4d7 1da7  ..V.....6M......
    0x0020:  5010 1105 48d9 0000 0000 0000 0000       P...H.........
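As an added illustration (not from the original document), the handshake initialization packet from step 2 and the client authentication packet from step 3 can be decoded field by field to see what a passive capture exposes: server version, challenge bytes, user name, and whether either side advertises TLS. The field offsets assume the MySQL protocol version 10 handshake and the 4.1 authentication response with the secure-connection capability (and plugin-auth on the server side); the function names are illustrative.

```python
CLIENT_SSL = 0x0800  # capability bit: TLS supported (server) / requested (client)

def _body(payload: bytes) -> bytes:
    """Strip the 4-byte packet header after checking the declared length."""
    if len(payload) < 4 or int.from_bytes(payload[:3], "little") != len(payload) - 4:
        raise ValueError("not exactly one complete MySQL packet")
    return payload[4:]

def _cstr(buf: bytes, pos: int):
    """Read a NUL-terminated string; return (text, offset after the NUL)."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("ascii", "replace"), end + 1

def parse_handshake(payload: bytes) -> dict:
    """Decode the server greeting (assumed layout: protocol version 10)."""
    b = _body(payload)
    if b[0] != 10:
        raise ValueError("only protocol version 10 is handled")
    version, p = _cstr(b, 1)
    thread_id = int.from_bytes(b[p:p + 4], "little")
    scramble = b[p + 4:p + 12]              # first 8 challenge bytes
    p += 13                                 # thread id, 8 challenge bytes, filler
    caps = int.from_bytes(b[p:p + 2], "little") | int.from_bytes(b[p + 5:p + 7], "little") << 16
    auth_len = b[p + 7]
    p += 18         # caps low, charset, status, caps high, auth length, 10 reserved
    rest = max(13, auth_len - 8)
    scramble = (scramble + b[p:p + rest])[:auth_len - 1]    # drop the trailing NUL
    plugin, _ = _cstr(b, p + rest)
    return {"version": version, "thread_id": thread_id, "scramble": scramble,
            "plugin": plugin, "offers_tls": bool(caps & CLIENT_SSL)}

def parse_client_auth(payload: bytes) -> dict:
    """Decode the client's reply (assumed layout: 4.1 protocol, secure connection)."""
    b = _body(payload)
    flags = int.from_bytes(b[:4], "little")
    user, p = _cstr(b, 32)          # 4 flags + 4 max packet + 1 charset + 23 reserved
    token = b[p + 1:p + 1 + b[p]]   # one length byte, then the challenge response
    return {"user": user, "token": token, "requests_tls": bool(flags & CLIENT_SSL)}

# TCP payloads copied from the two captures above (bytes after the TCP header).
HANDSHAKE = bytes.fromhex(
    "4a0000000a352e35" "2e323100820000002f7522467b582652"
    "00fff70802000f801500000000000000" "0000004b612840492d46565d53662900"
    "6d7973716c5f6e61746976655f706173" "73776f726400")
AUTH = bytes.fromhex(
    "3a00000185a60300" "00000001080000000000000000000000"
    "000000000000000000000000726f6f74" "0014ce031683429ecae8cb93543571f2"
    "7439d8421922")
```

In this capture the server does not advertise the TLS capability bit and the client does not request it, so everything after login, including every query, crosses the network in clear text.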
1.2.2 Client/server interaction
Client input:
use mysql
Server returns:
Database changed
1) The client sends the server a command packet (type COM_QUERY)
19:07:56.352167 IP > P 1:3(22) ack 67 win 4357
    0x0000:  4500 003e 0450 4000 4006 07e6 c0a8 5665  E..>.P@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 18dd c4d7 1da7  ..V.....6M......
    0x0020:  5018 1105 fe85 0000 1200 0000 0353 454c  P............SEL
    0x0030:  4543 5420 4441 5441 4241 5345 2829       ECT.DATABASE()
2) The server sends the client a result packet (ResultSet)
A ResultSet consists of several packets, each with its own header and body.
The response below contains five packets (1 Result Set Head Packet + 1 Field Packet + 1 EOF Packet + 1 Row Data Packet + 1 EOF Packet)
19:07:56.352413 IP P 1:65(64) ack 22 win 46
    0x0000:  4508 0068 0d36 4000 4006 fecd c0a8 56ce  E..h.6@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1da7 364d 18f3  ..Ve........6M..
    0x0020:  5018 002e 2edf 0000 0100 0001 0120 0000  P...............
    0x0030:  0203 6465 6600 0000 0a44 4154 4142 4153  ..def....DATABAS
    0x0040:  4528 2900 0c08 0022 0000 00fd 0000 1f00  E()...."........
    0x0050:  0005 0000 03fe 0000 0200 0100 0004 fb05  ................
    0x0060:  0000 05fe 0000 0200                      ........
3) The client sends the server a command packet (type COM_INIT_DB)
19:07:56.353134 IP > P 22:32(10) ack 65 win 4341
    0x0000:  4500 0032 0451 4000 4006 07f1 c0a8 5665  E..2.Q@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 18f3 c4d7 1de7  ..V.....6M......
    0x0020:  5018 10f5 5534 0000 0600 0000 026d 7973  P...U4.......mys
    0x0030:  716c                                     ql
4) The server sends the client a success packet (OK Packet)
19:07:56.367217 IP P 65:76(11) ack 32 win 46
    0x0000:  4508 0033 0d37 4000 4006 ff01 c0a8 56ce  E..3.7@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1de7 364d 18fd  ..Ve........6M..
    0x0020:  5018 002e 2eaa 0000 0700 0001 0000 0002  P...............
    0x0030:  0000 00                                  ...
5) The client sends the server a packet (not related to MySQL; the header is 00000000)
19:07:56.561717 IP > . ack 76 win 4339
    0x0000:  4500 0028 0455 4000 4006 07f7 c0a8 5665  E..(.U@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 18fd c4d7 1df2  ..V.....6M......
    0x0020:  5010 10f3 4880 0000 0000 0000 0000       P...H.........
Client input:
show tables
Server returns:
the query result, all tables in the current database
1) The client sends the server a command packet (type COM_QUERY)
19:22:17.971933 IP > P 3:9(16) ack 42 win 4339
    0x0000:  4500 0038 0466 4000 4006 07d6 c0a8 5665  E..8.f@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 18fd c4d7 1df2  ..V.....6M......
    0x0020:  5018 10f3 1d24 0000 0c00 0000 0373 686f  P....$.......sho
    0x0030:  7720 7461 626c 6573                      w.tables
2) The server sends the client an ordinary TCP packet
19:22:18.011368 IP . ack 16 win 46
    0x0000:  4508 0028 0d38 4000 4006 ff0b c0a8 56ce  E..(.8@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1df2 364d 190d  ..Ve........6M..
    0x0020:  5010 002e 5935 0000                      P...Y5..
3) The server sends the client a response result packet (Result Packets)
19:22:18.031320 IP P 1:521(520) ack 16 win 46
    0x0000:  4508 0230 0d39 4000 4006 fd02 c0a8 56ce  E..0.9@.@.....V.
    0x0010:  c0a8 5665 0cea e8de c4d7 1df2 364d 190d  ..Ve........6M..
    0x0020:  5018 002e 30a7 0000 0100 0001 0157 0000  P...0........W..
    0x0030:  0203 6465 6612 696e 666f 726d 6174 696f  ..def.informatio
    0x0040:  6e5f 7363 6865 6d61 0b54 4142 4c45 5f4e  n_schema.TABLE_N
    0x0050:  414d 4553 0b54 4142 4c45 5f4e 414d 4553  AMES.TABLE_NAMES
    0x0060:  0f54 6162 6c65 735f 696e 5f6d 7973 716c  .Tables_in_mysql
    0x0070:  0a54 4142 4c45 5f4e 414d 450c 0800 4000  .TABLE_NAME...@.
    0x0080:  0000 fd01 0000 0000 0500 0003 fe00 0022  ..............."
    0x0090:  000d 0000 040c 636f 6c75 6d6e 735f 7072  ......columns_pr
    0x00a0:  6976 0300 0005 0264 620a 0000 0609 6462  iv.....db.....db
    0x00b0:  5f6f 705f 6c6f 6706 0000 0705 6576 656e  _op_log.....even
    0x00c0:  7405 0000 0804 6675 6e63 0c00 0009 0b67  t.....func.....g
    0x00d0:  656e 6572 616c 5f6c 6f67 0e00 000a 0d68  eneral_log.....h
    0x00e0:  656c 705f 6361 7465 676f 7279 0d00 000b  elp_category....
    0x00f0:  0c68 656c 705f 6b65 7977 6f72 640e 0000  .help_keyword...
    0x0100:  0c0d 6865 6c70 5f72 656c 6174 696f 6e0b  ..help_relation.
    0x0110:  0000 0d0a 6865 6c70 5f74 6f70 6963 0500  ....help_topic..
    0x0120:  000e 0468 6f73 7411 0000 0f10 6e64 625f  ...host.....ndb_
    0x0130:  6269 6e6c 6f67 5f69 6e64 6578 0700 0010  binlog_index....
    0x0140:  0670 6c75 6769 6e05 0000 1104 7072 6f63  .plugin.....proc
    0x0150:  0b00 0012 0a70 726f 6373 5f70 7269 760d  .....procs_priv.
    0x0160:  0000 130c 7072 6f78 6965 735f 7072 6976  ....proxies_priv
    0x0170:  0800 0014 0773 6572 7665 7273 0900 0015  .....servers....
    0x0180:  0873 6c6f 775f 6c6f 670c 0000 160b 7461  .slow_log.....ta
    0x0190:  626c 6573 5f70 7269 7605 0000 1704 7465  bles_priv.....te
    0x01a0:  7374 0600 0018 0574 6573 7431 0a00 0019  st.....test1....
    0x01b0:  0974 696d 655f 7a6f 6e65 1600 001a 1574  .time_zone.....t
    0x01c0:  696d 655f 7a6f 6e65 5f6c 6561 705f 7365  ime_zone_leap_se
    0x01d0:  636f 6e64 0f00 001b 0e74 696d 655f 7a6f  cond.....time_zo
    0x01e0:  6e65 5f6e 616d 6515 0000 1c14 7469 6d65  ne_name.....time
    0x01f0:  5f7a 6f6e 655f 7472 616e 7369 7469 6f6e  _zone_transition
    0x0200:  1a00 001d 1974 696d 655f 7a6f 6e65 5f74  .....time_zone_t
    0x0210:  7261 6e73 6974 696f 6e5f 7479 7065 0500  ransition_type..
    0x0220:  001e 0475 7365 7205 0000 1ffe 0000 2200  ...user.......".
4) The client sends the server an ordinary TCP packet
19:22:18.232503 IP > . ack 521 win 4209
    0x0000:  4500 0028 046b 4000 4006 07e1 c0a8 5665  E..(.k@.@.....Ve
    0x0010:  c0a8 56ce e8de 0cea 364d 190d c4d7 1ffa  ..V.....6M......
    0x0020:  5010 1071 46ea 0000 0000 0000 0000       P..qF.........
1.2.3 Quit
The client enters the following command at the command line:
quit (exits the database)
1) The client sends the server a quit command packet
15:50:46.533701 IP > P 0:5(5) ack 79 win 4357
    0x0000:  4500 002d 039d 4000 4006 08aa c0a8 5665  E..-..@.@.....Ve
    0x0010:  c0a8 56ce e58f 0cea 3176 44b4 c11e 6e97  ..V.....1vD...n.
    0x0020:  5018 1105 d5e3 0000 0100 0000 0100       P.............
2) A three-way handshake closes the connection (isn't closing a connection a four-way handshake? In practice, testing shows that a normal quit involves only a three-step exchange)
15:50:46.533733 IP > F 5:5(0) ack 1 win 4357
    0x0000:  4500 0028 039e 4000 4006 08ae c0a8 5665  E..(..@.@.....Ve
    0x0010:  c0a8 56ce e58f 0cea 3176 44b9 c11e 6e97  ..V.....1vD...n.
    0x0020:  5011 1105 d7ea 0000 0000 0000 0000       P.............
15:50:46.533854 IP F 1:1(0) ack 6 win 46
    0x0000:  4508 0028 648b 4000 4006 a7b8 c0a8 56ce  E..(d.@.@.....V.
    0x0010:  c0a8 5665 0cea e58f c11e 6e97 3176 44ba  ..Ve......n.1vD.
    0x0020:  5011 002e e8c0 0000                      P.......
15:50:46.534434 IP > . ack 2 win 4357
    0x0000:  4500 0028 039f 4000 4006 08ad c0a8 5665  E..(..@.@.....Ve
    0x0010:  c0a8 56ce e58f 0cea 3176 44ba c11e 6e98  ..V.....1vD...n.
    0x0020:  5010 1105 d7e9 0000 0000 0000 0000       P.............
2. Description of the MySQL packet structure
2.1 Packet header (Packet Header)
Every packet has a header in the following format:
Bytes   Name
-----   ----
3       Packet Length
1       Packet Number

Packet Length: The length, in bytes, of the packet that follows the Packet Header. There may be some special values in the most significant byte. The maximum packet length is (2**24 - 1), about 16MB.
Packet Number: A serial number which can be used to ensure that all packets are present and in order. The first packet of a client quer
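The header layout above is enough to split a captured TCP payload back into MySQL packets; the following added example (not part of the original document) does that for four captures copied from section 1.2 and names the client commands, as an audit sensor would. The function names are illustrative, and it assumes IPv4 and that each TCP segment carries whole MySQL packets.

```python
COMMANDS = {0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY"}

def tcp_payload(ip_packet: bytes) -> bytes:
    """TCP payload of a raw IPv4 packet, cut at the IP total length so that
    link-layer padding after the packet is not mistaken for MySQL data."""
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = int.from_bytes(ip_packet[2:4], "big")
    data_offset = (ip_packet[ihl + 12] >> 4) * 4
    return ip_packet[ihl + data_offset:total_len]

def split_packets(payload: bytes) -> list:
    """Split a TCP payload into (packet_number, body) MySQL packets."""
    packets, pos = [], 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated packet header")
        # 3-byte little-endian Packet Length, then 1-byte Packet Number
        length = int.from_bytes(payload[pos:pos + 3], "little")
        end = pos + 4 + length
        if end > len(payload):
            raise ValueError("packet continues in a later TCP segment")
        packets.append((payload[pos + 3], payload[pos + 4:end]))
        pos = end
    return packets

def client_commands(ip_packet: bytes) -> list:
    """(command, argument) for each client-to-server command packet."""
    return [(COMMANDS.get(body[0], hex(body[0])), body[1:].decode("utf-8", "replace"))
            for _, body in split_packets(tcp_payload(ip_packet)) if body]

# Captures copied from this page, IP header onward as tcpdump -X prints them.
RESULT_SET = bytes.fromhex(
    "450800680d3640004006fecdc0a856ce" "c0a856650ceae8dec4d71da7364d18f3"
    "5018002e2edf00000100000101200000" "02036465660000000a44415441424153"
    "452829000c080022000000fd00001f00" "0005000003fe0000020001000004fb05"
    "000005fe00000200")
ACK = bytes.fromhex(
    "450000280444400040060808c0a85665" "c0a856cee8de0cea364d18ddc4d71da7"
    "5010110548d90000000000000000")
QUERY = bytes.fromhex(
    "4500003e04504000400607e6c0a85665" "c0a856cee8de0cea364d18ddc4d71da7"
    "50181105fe850000120000000353454c" "4543542044415441424153452829")
QUIT = bytes.fromhex(
    "4500002d039d4000400608aac0a85665" "c0a856cee58f0cea317644b4c11e6e97"
    "50181105d5e30000010000000100")
```

Cutting at the IP total length is what makes the 46-byte ACK come out as an empty payload and the trailing 00 of the quit capture come out as padding rather than as a malformed MySQL header.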