Extract mysql query from tcpdump - mysql

I'm using tcpdump to capture TCP packets on port 3306, which is forwarded to a MySQL server:
sudo tcpdump -X -i ens5 -s 0 -tttt dst port 3306
and executed the SQL select * from user_trading_volume limit 1 from a MySQL client.
The captured result is below:
2020-05-27 07:46:44.330084 IP ip-10-0-1-33.ap-northeast-2.compute.internal.59750 > ip-10-30-1-179.ap-northeast-2.compute.internal.mysql: Flags [P.], seq 1945:2020, ack 16715, win 512, options [nop,nop,TS val 3790143765 ecr 4258512397], length 75
0x0000: 4500 007f 54fb 4000 4006 ce8c 0a00 0121 E...T.#.#......!
0x0010: 0a1e 01b3 e966 0cea 76a0 9245 c975 2466 .....f..v..E.u$f
0x0020: 8018 0200 1763 0000 0101 080a e1e9 0115 .....c..........
0x0030: fdd3 be0d 1703 0300 46f5 525d 17c9 20ac ........F.R]....
0x0040: 62e6 fcdc ba82 11fc 91c2 c187 7ca8 a542 b...........|..B
0x0050: 6ed8 a1fa b1d8 01bd 1240 61d9 686e 183d n........#a.hn.=
0x0060: f2fc 9b9a a62d c212 8d4d e1c6 e67a 4bdc .....-...M...zK.
0x0070: ea2e 75dc 68cf 5c45 1721 2ced c511 ca ..u.h.\E.!,....
2020-05-27 07:46:44.331029 IP ip-10-0-1-33.ap-northeast-2.compute.internal.59750 > ip-10-30-1-179.ap-northeast-2.compute.internal.mysql: Flags [.], ack 17677, win 505, options [nop,nop,TS val 3790143766 ecr 4258513778], length 0
0x0000: 4500 0034 54fc 4000 4006 ced6 0a00 0121 E..4T.#.#......!
0x0010: 0a1e 01b3 e966 0cea 76a0 9290 c975 2828 .....f..v....u((
0x0020: 8010 01f9 1718 0000 0101 080a e1e9 0116 ................
0x0030: fdd3 c372
but the captured packet was not readable (which means it is not ASCII).
I'm using AWS Aurora (MySQL 5.7).
Does anyone know what this packet means?
PS.
I tried it in my local environment too and could retrieve the matching SQL from the packet, as below
(I ran MySQL within a Docker container and executed the query through MySQL Workbench):
16:59:46.628631 IP (tos 0x0, ttl 64, id 59587, offset 0, flags [DF], proto TCP (6), length 98)
view-localhost.52652 > view-localhost.3318: Flags [P.], cksum 0xfe56 (incorrect -> 0x1538), seq 61:107, ack 899, win 512, options [nop,nop,TS val 632447157 ecr 632447154], length 46
E..b..#.#.S...............#....=.....V.....
%.`.%.`.*....select * from user_trading_volume limit 1

Looking at the first byte, this looks like two raw IP packets (45 => IP version 4, typical 20-byte header (5 * 4 bytes)). Wikipedia has more info on IP headers.
Converting to pcap
Thus, we should be able to convert this back to a pcap. We can convert this text dump to a packet capture using text2pcap, which is a command line utility that ships with Wireshark.
With the given text as file temp, we can convert it into a pcap:
$ cat temp | grep -v 2020 | cut -c3-49 | sed 's/ \(\w\w\)/ \1 /g' \
| text2pcap -l 101 - temp.pcap
Input from: Standard input
Output to: temp.pcap
Output format: pcap
Wrote packet of 127 bytes.
Wrote packet of 52 bytes.
Read 2 potential packets, wrote 2 packets (235 bytes).
Sanitizing text2pcap input
Here, we sanitize input so that text2pcap doesn't fail:
grep -v 2020: remove the 2020... info lines
cut -c3-49: remove the preceding 0x and the ASCII representation
sed 's/ \(\w\w\)/ \1 /g': convert the hexdump from 2 bytes then a space to 1 byte then a space (09ab => 09 ab)
text2pcap -l 101 - temp.pcap: read from stdin and write to temp.pcap as raw IP packets (see below)
You can now view this capture in Wireshark to see what the fields are.
Figuring out the linklayer number for text2pcap
Going back to the initial byte, that byte starts the IP layer, whereas normally a link layer like Ethernet starts the packet. That means we can't use the typical link layer of 1 (Ethernet). The link layer for raw IP is 101, so we need to specify that to text2pcap as -l 101. - is standard input, and then we write the file as temp.pcap.
What does the packet mean?
When loaded in Wireshark, packet 1 has a payload of 75 bytes, and it's not ASCII. You will probably want to manually decode these bytes using the MySQL protocol reference, because according to the docs,
The MySQL protocol is used between MySQL Clients and a MySQL Server.
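The same two packets decoded another way, as an added example that is not part of the question or of either answer. Instead of converting the dump to a pcap, the script parses the hex columns of the tcpdump -X output directly, walks the IPv4 and TCP headers to the payload, and then checks whether the payload is a TLS record or a cleartext MySQL packet. For packet 1 above the payload begins 17 03 03 00 46: a TLS 1.2 application-data record header whose length field (70) matches the remaining 75 - 5 bytes, so the query text is encrypted on the wire and cannot be read from the dump. The second input is constructed (its IP/TCP header values are made up and the checksums are left zero) to show the cleartext case from the local test: the leading '*' in that dump is the MySQL packet length byte 0x2a = 42, one COM_QUERY command byte plus the 41-character query.

```python
"""Decode a `tcpdump -X` hex dump by hand: hex columns -> IPv4 -> TCP -> payload -> protocol guess."""
import struct

HEXDIGITS = set("0123456789abcdefABCDEF")

# Packet 1 from the question, copied verbatim (tcpdump -X output, ASCII column included).
# A raw string is used so the backslash in the last ASCII column is left alone.
CAPTURED_HEXDUMP = r"""
0x0000: 4500 007f 54fb 4000 4006 ce8c 0a00 0121 E...T.#.#......!
0x0010: 0a1e 01b3 e966 0cea 76a0 9245 c975 2466 .....f..v..E.u$f
0x0020: 8018 0200 1763 0000 0101 080a e1e9 0115 .....c..........
0x0030: fdd3 be0d 1703 0300 46f5 525d 17c9 20ac ........F.R]....
0x0040: 62e6 fcdc ba82 11fc 91c2 c187 7ca8 a542 b...........|..B
0x0050: 6ed8 a1fa b1d8 01bd 1240 61d9 686e 183d n........#a.hn.=
0x0060: f2fc 9b9a a62d c212 8d4d e1c6 e67a 4bdc .....-...M...zK.
0x0070: ea2e 75dc 68cf 5c45 1721 2ced c511 ca ..u.h.\E.!,....
"""

# The query from the question; used to build the constructed cleartext sample.
QUERY = "select * from user_trading_volume limit 1"


def parse_tcpdump_hex(dump: str) -> bytes:
    """Collect the hex columns of `tcpdump -X` lines ("0xNNNN: gggg gggg ... <ascii>") into bytes.

    Groups are 4 hex digits (2 at the very end of a packet); a line never carries more than
    16 bytes, and the ASCII column is a single token because tcpdump prints '.' for
    non-graphic characters, so the first non-hex token (or the 17th byte) ends the line.
    Lines without an "0xNNNN:" offset, such as the timestamp/summary line, are skipped.
    """
    raw = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].endswith(":"):
            continue
        line_bytes = 0
        for tok in tokens[1:]:
            if line_bytes >= 16 or len(tok) not in (2, 4) or not set(tok) <= HEXDIGITS:
                break
            raw += bytes.fromhex(tok)
            line_bytes += len(tok) // 2
    return bytes(raw)


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Walk the IPv4 and TCP headers (no link layer: the dump starts with 0x45) to the payload."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", packet, 2)[0]
    if packet[9] != 6:
        raise ValueError(f"not TCP (IP protocol {packet[9]})")
    packet = packet[:total_len]            # drop anything beyond the IP total length
    tcp = packet[ihl:]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_offset = (tcp[12] >> 4) * 4      # TCP header length including options
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "sport": sport,
        "dport": dport,
        "payload": tcp[data_offset:],
    }


def classify_payload(payload: bytes) -> dict:
    """Tell a TLS record from a cleartext MySQL packet (one whole packet per TCP segment assumed)."""
    if len(payload) < 5:
        return {"kind": "unknown"}
    # TLS record header: content type (0x14-0x17; 0x17 = application data), version 0x03 0x0X, length.
    if 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03 and payload[2] <= 0x04:
        rec_len = struct.unpack_from("!H", payload, 3)[0]
        if rec_len == len(payload) - 5:
            return {"kind": "tls", "content_type": payload[0], "record_length": rec_len}
    # MySQL packet header: 3-byte little-endian payload length, then a 1-byte sequence id.
    pkt_len = int.from_bytes(payload[:3], "little")
    if pkt_len == len(payload) - 4:
        body = payload[4:]
        if body[0] == 0x03:  # COM_QUERY: the rest of the body is the SQL text
            return {"kind": "mysql", "command": "COM_QUERY", "seq": payload[3],
                    "query": body[1:].decode("utf-8", "replace")}
        return {"kind": "mysql", "command": f"0x{body[0]:02x}", "seq": payload[3]}
    return {"kind": "unknown"}


def decode_dump(dump: str) -> dict:
    """Hex dump text -> header fields plus a protocol guess for the payload."""
    info = parse_ipv4_tcp(parse_tcpdump_hex(dump))
    info["analysis"] = classify_payload(info["payload"])
    return info


def mysql_com_query(sql: str) -> bytes:
    """Build a cleartext MySQL COM_QUERY packet: length (3 bytes LE) + seq 0 + 0x03 + SQL."""
    body = b"\x03" + sql.encode()
    return len(body).to_bytes(3, "little") + b"\x00" + body


def build_ipv4_tcp(payload: bytes) -> bytes:
    """Constructed IPv4/TCP wrapper for test input only (loopback addresses, checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 52652, 3306, 61, 899, 5 << 4, 0x18, 512, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 59587, 0x4000,
                     64, 6, 0, bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))
    return ip + tcp + payload


if __name__ == "__main__":
    captured = decode_dump(CAPTURED_HEXDUMP)
    print(f"{captured['src']}:{captured['sport']} -> {captured['dst']}:{captured['dport']}, "
          f"{len(captured['payload'])} payload bytes: {captured['analysis']}")
    clear = parse_ipv4_tcp(build_ipv4_tcp(mysql_com_query(QUERY)))
    print("constructed cleartext sample:", classify_payload(clear["payload"]))
```

The parser stops at the first non-hex token and caps each line at 16 bytes, then trusts the IP total length, so it does not depend on column positions the way the cut -c3-49 pipeline does. A MySQL packet or TLS record that spans several TCP segments will come back as "unknown"; reassembling the stream first (which Wireshark does for you) is the fix for that case.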

You can use tcpdump to capture the data and redirect it to a file with the -w option,
then load it in Wireshark.
https://www.wireshark.org/docs/wsug_html_chunked/AppToolstcpdump.html

Related

can't run '/etc/init.d/rcS': No such file or directory

I am trying to emulate a firmware image using QEMU. During booting, I get the following error:
can't run '/etc/init.d/rcS': No such file or directory
can't open /dev/ttyS0: No such file or directory
can't open /dev/ttyS0: No such file or directory
can't open /dev/ttyS0: No such file or directory
.
.
.
This is the content of the inittab file:
# Startup the system
null::sysinit:/etc/init.d/rc.sysinit
# now run any rc scripts
::sysinit:/etc/init.d/rcS
# Put a getty on the serial port
ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
# Stuff to do before rebooting
null::shutdown:/bin/umount -a -r
It is able to run rc.sysinit, but not rcS.
I have checked the permissions of rcS. Also, the filesystem is mounted as read-only cramfs. Could this be causing an issue?
This is the command I am running:
QEMU_AUDIO_DRV=none \
qemu-system-arm -m 256M -M versatilepb \
-kernel ~/linux-2.6.23/arch/arm/boot/zImage \
-append "console=ttyAMA0,115200 root=/dev/ram rdinit=/sbin/init" \
-initrd ~/tmpcramfs2 \
-nographic
These are the boot messages obtained on running the command:
Linux version 2.6.23 (hsailer#SvanteArrhenius) (gcc version 4.0.2) #1 Thu May 27 09:31:10 EDT 2021
CPU: ARM926EJ-S [41069265] revision 5 (ARMv5TEJ), cr=00093177
Machine: ARM-Versatile PB
Memory policy: ECC disabled, Data cache writeback
CPU0: D VIVT write-through cache
CPU0: I cache: 4096 bytes, associativity 4, 32 byte lines, 32 sets
CPU0: D cache: 65536 bytes, associativity 4, 32 byte lines, 512 sets
Built 1 zonelists in Zone order. Total pages: 65024
Kernel command line: console=ttyAMA0,115200 root=/dev/ram rdinit=/sbin/init
PID hash table entries: 1024 (order: 10, 4096 bytes)
Console: colour dummy device 80x30
Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
Memory: 256MB = 256MB total
Memory: 249600KB available (2508K code, 227K data, 100K init)
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
NET: Registered protocol family 16
NET: Registered protocol family 2
Time: timer3 clocksource has been installed.
IP route cache hash table entries: 2048 (order: 1, 8192 bytes)
TCP established hash table entries: 8192 (order: 4, 65536 bytes)
TCP bind hash table entries: 8192 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 8192 bind 8192)
TCP reno registered
checking if image is initramfs...it isn't (bad gzip magic numbers); looks like an initrd
Freeing initrd memory: 7184K
NetWinder Floating Point Emulator V0.97 (double precision)
Installing knfsd (copyright (C) 1996 okir#monad.swb.de).
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
JFS: nTxBlock = 2007, nTxLock = 16063
io scheduler noop registered
io scheduler anticipatory registered (default)
io scheduler deadline registered
io scheduler cfq registered
CLCD: Versatile hardware, VGA display
Clock CLCDCLK: setting VCO reg params: S=1 R=99 V=98
Console: switching to colour frame buffer device 80x60
Serial: AMBA PL011 UART driver
dev:f1: ttyAMA0 at MMIO 0x101f1000 (irq = 12) is a AMBA/PL011
console [ttyAMA0] enabled
dev:f2: ttyAMA1 at MMIO 0x101f2000 (irq = 13) is a AMBA/PL011
dev:f3: ttyAMA2 at MMIO 0x101f3000 (irq = 14) is a AMBA/PL011
fpga:09: ttyAMA3 at MMIO 0x10009000 (irq = 38) is a AMBA/PL011
RAMDISK driver initialized: 16 RAM disks of 8192K size 1024 blocksize
smc91x.c: v1.1, sep 22 2004 by Nicolas Pitre <nico#cam.org>
eth0: SMC91C11xFD (rev 1) at d098e000 IRQ 25 [nowait]
eth0: Ethernet addr: 52:54:00:12:34:56
armflash.0: Found 1 x32 devices at 0x0 in 32-bit bank
Intel/Sharp Extended Query Table at 0x0031
Using buffer write method
RedBoot partition parsing not available
afs partition parsing not available
armflash: probe of armflash.0 failed with error -22
mice: PS/2 mouse device common for all mice
input: AT Raw Set 2 keyboard as /class/input/input0
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
VFP support v0.3: implementor 41 architecture 1 part 10 variant 9 rev 0
input: ImExPS/2 Generic Explorer Mouse as /class/input/input1
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 7184KiB [1 disk] into ram disk... done.
VFS: Mounted root (cramfs filesystem) readonly.
Freeing init memory: 100K
can't run '/etc/init.d/rcS': No such file or directory
can't open /dev/ttyS0: No such file or directory
can't open /dev/ttyS0: No such file or directory
can't open /dev/ttyS0: No such file or directory
.
.
.
The errors about /dev/ttyS0 are because your inittab is specifying the wrong device name for the serial port for the (emulated) hardware you're running on. Your QEMU command specifies the 'versatilepb' board, whose serial devices are PL011s, which appear in /dev/ as /dev/ttyAMA0, /dev/ttyAMA1, etc. (/dev/ttyS0 is what the serial ports on an x86 PC appear as.) You need to fix that line of the inittab to refer to ttyAMA0 instead.
For the rcS error, I would suggest you start by double-checking all the things listed in all the responses to this older question.

tcpdump: how does tcpdump get the hostname details?

I am using the filter below to capture all outgoing HTTPS traffic:
tcpdump "port 443 and src host 192.168.0.4"
13:43:54.343747 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343843 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671899, win 0, length 0
13:43:54.343887 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
13:43:54.343931 IP 192.168.0.4.39358 > stackoverflow.com.https: Flags [R], seq 1287671898, win 0, length 0
How is tcpdump getting the hostname (stackoverflow.com.https) details, if it only sniffs the TCP layer?
If you run tcpdump without specifying the -n option, it will perform a reverse DNS lookup for every IP address within the capture file as it displays those packets.
Generally, when using this tool for analysis, it is preferred to specify the -n option, which will dramatically increase the overall performance of the tool since it will no longer be generating lots of DNS lookups.

Using Wireshark to extract payload from captured packets into a CSV file

I run Wireshark to capture packets generated from my simulation. I use File > Export Packet Dissection > As CSV... to extract the captured packets into a CSV file in order to do some machine learning. The following is an example of what I got:
No. | Time | Source    | Destination | Protocol | Length | Info
1   | 0.45 | 127.0.0.1 | 127.0.0.1   | TCP      | 76     | 40656 > 6633 [SYN] Seq=0 Win=43690 Len=0 MSS=65495 SACK_PERM=1 TSval=454250 TSecr=0 WS=512
My question is: How do I get the payload itself from the packet?
Extracting the payload can be difficult, depending on link encryption. In case the link is unencrypted, it's possible in some cases, and CSV is one of them. Please follow this link. Let me know if that worked for you.

Tcpdump capturing Ethernet frames

How can I use tcpdump to capture Ethernet frames and display any frame sent or received by the local PC with one of the UDP, ARP, or ICMP protocols?
I was trying this command:
sudo tcpdump -e udp or arp or icmp
but I think it's wrong.
I can give you an example of how you can capture an Ethernet frame from your localhost.
sudo tcpdump -i lo -nnvvvexxXXKS -s0
For capturing the frame we used "exxXX".
Do use tcpdump -e. Here's an example of the output:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:36:02.408697 02:42:ac:11:00:02 (oui Unknown) > 02:42:ac:11:00:03 (oui Unknown), ethertype IPv4 (0x0800), length 74: client.60546 > yahoo.com.80: Flags [S], seq 1673384407, win 64240, options [mss 1460,sackOK,TS val 2181456358 ecr 0,nop,wscale 7], length 0
In this example, you can see frame fields such as the MAC addresses (e.g. 02:42:ac:11:00:03) and the frame type (e.g. ethertype IPv4 0x0800).
From the manpage:
If the '-e' option is given, the link level header is printed out. On Ethernets, the source and destination addresses, protocol, and packet length are printed.
On FDDI networks, the '-e' option causes tcpdump to print the `frame control' field, the source and destination addresses, and the packet length. (The `frame control' field governs the interpretation of the rest of the packet. Normal packets (such as those containing IP datagrams) are `async' packets, with a priority value between 0 and 7; for example, `async4'. Such packets are assumed to contain an 802.2 Logical Link Control (LLC) packet; the LLC header is printed if it is not an ISO datagram or a so-called SNAP packet.
On Token Ring networks, the '-e' option causes tcpdump to print the `access control' and `frame control' fields, the source and destination addresses, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet. Regardless of whether the '-e' option is specified or not, the source routing information is printed for source-routed packets.
On 802.11 networks, the '-e' option causes tcpdump to print the `frame control' fields, all of the addresses in the 802.11 header, and the packet length. As on FDDI networks, packets are assumed to contain an LLC packet.
First of all, you are interested in packets, not frames. Frames are a layer below packets and only chip manufacturers are concerned with them. Second, you must specify your interface with the -i switch or promiscuous mode won't even be activated for you to see everything, if that's what you want.

how to unsquashfs or mount a firmware image?

I want to extract my router's firmware and modify it, so I used Bitsum's Firmware Mod Kit. It seems there is no error: I get the image_parts directory, and there is also a rootfs.img (squashfs image) file. But the problem is I can neither mount it nor unsquashfs it.
This is extraction output:
# ./extract-ng.sh AirTies_Air5021RU_FW_1.2.0.16_FullImage.bin
Firmware Mod Kit (extract-ng) 0.69 beta, (c)2011 Craig Heffner, Jeremy Collake
http://www.bitsum.com
Scanning firmware...
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
65228 0xFECC Squashfs filesystem, big endian, version 2.0, size: 1369418 bytes, 382 inodes, blocksize: 65536 bytes, created: Tue May 3 13:44:22 2011
Extracting 65228 bytes of header image at offset 0
Extracting squashfs file system at offset 65228
Extracting 160 byte footer from offset 1972107
Extracting squashfs files...
Firmware extraction successful!
Firmware parts can be found in 'fmk/*'
Mount attempt output:
fmk# ls
image_parts logs rootfs
fmk# cd image_parts/
fmk/image_parts# ls
footer.img header.img rootfs.img
fmk/image_parts# file rootfs.img
rootfs.img: Squashfs filesystem, big endian, version 2.0, 1369418 bytes, 382 inodes, blocksize: 65536 bytes, created: Tue May 3 13:44:22 2011
fmk/image_parts# mount rootfs.img /mnt/rootfs/ -o loop -t squashfs
mount: wrong fs type, bad option, bad superblock on /dev/loop0,
missing codepage or helper program, or other error
In some cases useful info is found in syslog - try
dmesg | tail or so
fmk/image_parts# dmesg | tail -n 1
[24799.284066] SQUASHFS error: Can't find a SQUASHFS superblock on loop0
unsquashfs attempt output:
fmk/image_parts# unsquashfs rootfs.img
Reading a different endian SQUASHFS filesystem on rootfs.img
Parallel unsquashfs: Using 1 processor
336 inodes (377 blocks) to write
[=============================| ] 99/377 26%
gzip uncompress failed with error code -3
Failed to write squashfs-root/lib/libqueue.so, skipping
[=============================| ] 100/377 26%
gzip uncompress failed with error code -3
gzip uncompress failed with error code -3
gzip uncompress failed with error code -3
...
Failed to write squashfs-root/lib/modules/2.6.8.1/extra/blaa_dd.ko, skipping
[====================================| ] 123/377 32%
gzip uncompress failed with error code -3
gzip uncompress failed with error code -3
...
Failed to write squashfs-root/webs/management/ui_password.html, skipping
[========================================================| ] 191/377 50%
gzip uncompress failed with error code -3
Failed to write squashfs-root/webs/index.html, skipping
[========================================================| ] 192/377 50%
gzip uncompress failed with error code -3
...
Failed to write squashfs-root/usr/sbin/brctl, skipping
[===============================================================================================================|] 377/377 100%
created 188 files
created 46 directories
created 52 symlinks
created 95 devices
created 1 fifos
I searched for "error code -3"; it is Z_DATA_ERROR (data is corrupted or incomplete).
Now what should I do?
Thanks
Bcm63xx firmware images have a special format like squashfs-lzma. I got some tools to extract firmware images named bcm tools (brfwmod.exe). It has a command named lzma-unsquash. I successfully unsquashed it with these tools.
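An added example (mine, not from the question, the Firmware Mod Kit or the answer) that does two of the checks implied by the output above. It reads the endianness and version fields of a SquashFS superblock, which is how `file` arrives at "big endian, version 2.0", and it looks at the leading bytes of a compressed block to tell a zlib stream from an LZMA "alone" stream, the usual sign that an image needs a squashfs-lzma-aware tool rather than stock unsquashfs. Feeding the LZMA block to zlib reproduces the Z_DATA_ERROR (-3) seen in the unsquashfs output. Everything it runs on is constructed in make_samples(); the LZMA-alone block layout is an assumption about how a vendor fork stores data blocks (those builds vary), and the script does not locate blocks inside a real image.

```python
"""Identify a SquashFS superblock and sniff the compressor of a data block (zlib vs LZMA)."""
import lzma
import struct
import zlib

# 'hsqs' is the little-endian rendering of the SquashFS magic 0x73717368; a big-endian
# image stores the same magic as 'sqsh', which is what `file` reported for rootfs.img.
MAGIC_LE, MAGIC_BE = b"hsqs", b"sqsh"


def identify_squashfs(image: bytes) -> dict:
    """Read endianness, version and inode count from the superblock.

    Across SquashFS layouts (the 1.x-3.x struct squashfs_super_block and the 4.0 layout) the
    magic is at offset 0, the inode count at offset 4, and s_major/s_minor are two 16-bit
    fields at offsets 28 and 30, so these can be read without knowing the rest of the struct.
    """
    if image[:4] == MAGIC_LE:
        order = "<"
    elif image[:4] == MAGIC_BE:
        order = ">"
    else:
        raise ValueError("no SquashFS superblock at offset 0")
    (inodes,) = struct.unpack_from(order + "I", image, 4)
    major, minor = struct.unpack_from(order + "HH", image, 28)
    return {"endian": "big" if order == ">" else "little",
            "version": f"{major}.{minor}", "inodes": inodes}


def classify_compression(block: bytes) -> str:
    """Heuristic on the first bytes of a compressed block.

    zlib: CMF byte with CM=8 (deflate) and window CINFO<=7, and (CMF*256+FLG) % 31 == 0.
    LZMA 'alone' (.lzma) stream, assumed here as the layout of squashfs-lzma vendor forks:
    a properties byte < 225 (lc/lp/pb packed), a 32-bit LE dictionary size that is a power
    of two or 2^n + 2^(n-1), then a 64-bit LE uncompressed size (all 0xFF means unknown).
    """
    if len(block) >= 2:
        cmf, flg = block[0], block[1]
        if cmf & 0x0F == 8 and cmf >> 4 <= 7 and (cmf * 256 + flg) % 31 == 0:
            return "zlib"
    if len(block) >= 13 and block[0] < 225:
        dict_size, size = struct.unpack_from("<IQ", block, 1)
        stripped = dict_size & (dict_size - 1)          # clear the lowest set bit
        two_bits_at_most = stripped & (stripped - 1) == 0
        if dict_size >= 4096 and two_bits_at_most and (size == 2**64 - 1 or size < 2**40):
            return "lzma-alone"
    return "unknown"


def try_zlib(block: bytes) -> tuple:
    """What unsquashfs's zlib path sees: (decompressed bytes or None, error text)."""
    try:
        return zlib.decompress(block), ""
    except zlib.error as exc:            # 'Error -3 ...' is Z_DATA_ERROR
        return None, str(exc)


def make_samples() -> dict:
    """Constructed inputs: superblock stubs (big-endian 2.0, little-endian 4.0) and two blocks."""
    sb_be = MAGIC_BE + struct.pack(">I", 382) + bytes(20) + struct.pack(">HH", 2, 0)
    sb_le = MAGIC_LE + struct.pack("<I", 10) + bytes(20) + struct.pack("<HH", 4, 0)
    text = b"#!/bin/sh\n" + b"echo router init\n" * 40
    return {"superblock_be": sb_be + bytes(64),
            "superblock_le": sb_le + bytes(64),
            "zlib_block": zlib.compress(text),
            "lzma_block": lzma.compress(text, format=lzma.FORMAT_ALONE),
            "plain": text}


if __name__ == "__main__":
    samples = make_samples()
    print(identify_squashfs(samples["superblock_be"]))
    for name in ("zlib_block", "lzma_block", "plain"):
        out, err = try_zlib(samples[name])
        print(f"{name}: {classify_compression(samples[name])}; zlib says: {err or 'ok'}")
```

To apply the block check to a real image you still need the block offsets, which come from the superblock and inode tables that this script does not parse; the point here is that a zlib-only extractor failing with -3 on every block is a compressor mismatch, not a corrupt image.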