From: Kristian Nielsen Date: April 13 2009 6:40am Subject: Re: Client Authentication Packet w/ databasename List-Archive: http://lists.mysql.com/internals/36538 Message-Id: <87fxgd5a56.fsf@knielsen-hq.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Baron Schwartz writes: > OK, so peeking into the protocol is making me think about all sorts of > things I hadn't before. For one thing, I assume (but haven't any > proof) that not only can a network packet contain multiple protocol > packets, but a protocol packet could be fragmented across network > packets. An IPv4 packet can't be bigger than 65k, but a protocol > packet can be up to 16MB. True/false? True, to a much larger extent than this description implies. In the general case, there isn't really much correlation between how data is written in the application, and how data arrives on the packet level. An application-level write (say one protocol packet) can be split across network packets, multiple application writes can be coalesced in the same network packet, the same network packet can be sent multiple times, the order of network packets can be different than the order of the corresponding application writes, etc. On a simple switched LAN, things will often look somewhat nicer, of course. Fragmentation will happen for large application writes (the normal maximum network packet on ethernet is around 1500 bytes). Coalescing can happen if the Nagle algorithm is not disabled. > Of course, tcpdump isn't necessarily going to dump full packets. And Use `tcpdump -s 65535` to get full packets. As Eric mentioned that wireshark already has the ability to 1) assemble the network packet stream into the original application data stream, and 2) understands the MySQL client protocol, I will just mention that wireshark also has a command-line version that can dump the information in ASCII. Maybe this can help you. > Any thoughts are welcomed. Agree that a good tool like this could be very useful in many cases. - Kristian.