Baron Schwartz <baron@stripped> writes:
> OK, so peeking into the protocol is making me think about all sorts of
> things I hadn't before. For one thing, I assume (but haven't any
> proof) that not only can a network packet contain multiple protocol
> packets, but a protocol packet could be fragmented across network
> packets. An IPv4 packet can't be bigger than 65k, but a protocol
> packet can be up to 16MB. True/false?

True, to a much larger extent than this description implies. In the general
case, there isn't really much correlation between how data is written in the
application, and how data arrives on the packet level. An application-level
write (say one protocol packet) can be split across network packets, multiple
application writes can be coalesced in the same network packet, the same
network packet can be sent multiple times, the order of network packets can be
different than the order of the corresponding application writes, etc.

On a simple switched LAN, things will often look somewhat nicer, of
course. Fragmentation will happen for large application writes (the normal
maximum network packet on Ethernet is around 1500 bytes). Coalescing can
happen if the Nagle algorithm is not disabled.

> Of course, tcpdump isn't necessarily going to dump full packets. And

Use `tcpdump -s 65535` to get full packets.

As Eric mentioned that Wireshark already has the ability to 1) assemble the
network packet stream into the original application data stream, and 2)
understands the MySQL client protocol, I will just mention that Wireshark also
has a command-line version that can dump the information in ASCII. Maybe this
can help you.

> Any thoughts are welcomed.

Agree that a good tool like this could be very useful in many cases.
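
Added example, not part of the original message: a sketch of the reassembly discussed above, rebuilding one direction of a TCP byte stream from captured segments that arrive reordered, retransmitted and coalesced, then cutting it into MySQL protocol packets using the 4-byte header (3-byte little-endian length, 1-byte sequence id). The function names and sample data are constructed for illustration; it assumes a single connection direction, a known initial sequence number `isn`, and no sequence-number wraparound.

```python
def frame(seq_id, payload):
    """Build a MySQL protocol packet: 3-byte LE length, 1-byte sequence id, payload."""
    return len(payload).to_bytes(3, "little") + bytes([seq_id]) + payload

def reassemble_stream(segments, isn):
    """Rebuild the byte stream from (tcp_seq, payload) pairs of one direction.
    Tolerates reordering, retransmits and overlap; stops at the first gap."""
    stream = bytearray()
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        offset = seq - isn                      # where this segment starts in the stream
        if offset > len(stream):                # a segment is missing from the capture
            break
        stream += payload[len(stream) - offset:]  # keep only bytes not seen yet
    return bytes(stream)

def mysql_packets(stream):
    """Split a byte stream into (sequence_id, payload) protocol packets.
    Returns the complete packets and any trailing incomplete bytes.
    Payloads of exactly 0xFFFFFF bytes continue in the next packet;
    this sketch returns them as separate packets and does not join them."""
    packets, pos = [], 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")
        if pos + 4 + length > len(stream):      # packet body not fully captured
            break
        packets.append((stream[pos + 3], stream[pos + 4:pos + 4 + length]))
        pos += 4 + length
    return packets, stream[pos:]

def demo():
    # Constructed sample: two COM_QUERY (0x03) packets written by a client.
    q1 = b"\x03SELECT 1"
    q2 = b"\x03SELECT '" + b"x" * 3000 + b"'"
    wire = frame(0, q1) + frame(0, q2)
    isn, mss = 1000, 1460                       # constructed values
    segs = [(isn + i, wire[i:i + mss]) for i in range(0, len(wire), mss)]
    # The first segment carries all of q1 plus the start of q2 (coalescing);
    # q2 spans three segments. Deliver them reordered, with one retransmit.
    captured = [segs[1], segs[0], segs[0], segs[2]]
    packets, rest = mysql_packets(reassemble_stream(captured, isn))
    return q1, q2, segs, packets, rest

if __name__ == "__main__":
    q1, q2, segs, packets, rest = demo()
    for seq_id, payload in packets:
        print(seq_id, len(payload), payload[:20])
```
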