/src/ndpi/src/lib/protocols/mysql.c

Source (jump to first uncovered line)
/*
 * mysql.c
 * 
 * Copyright (C) 2009-11 - ipoque GmbH
 * Copyright (C) 2011-25 - ntop.org
 * Copyright (C) 2024 - V.G <v.gavrilov@securitycode.ru>
 *
 * This file is part of nDPI, an open source deep packet inspection
 * library based on the OpenDPI and PACE technology by ipoque GmbH
 *
 * nDPI is free software: you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation, either version 3 of the License, or
 * (at your option) any later version.
 *
 * nDPI is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with nDPI.  If not, see <http://www.gnu.org/licenses/>.
 *
 */


#include "ndpi_protocol_ids.h"

#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MYSQL

#include "ndpi_api.h"
#include "ndpi_private.h"

static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct *ndpi_struct, struct ndpi_flow_struct *flow)
{
  struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;

  NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");

  if(packet->payload_packet_len > 70 && packet->payload_packet_len < 120) {
    u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];

    if ((u_int32_t)(packet->payload_packet_len-4) == length && 
        packet->payload[4] == 0x0A && ((memcmp(&packet->payload[5], "5.5.5-", 6) == 0) || 
        (packet->payload[5] > 0x33 && packet->payload[5] < 0x39)))
    {
      if ((memcmp(&packet->payload[packet->payload_packet_len-10], "_password", 9) == 0) ||
          (memcmp(&packet->payload[packet->payload_packet_len-10], "_kerberos", 9) == 0) ||
          (memcmp(&packet->payload[packet->payload_packet_len-9], "_windows", 8) == 0) ||
          (memcmp(&packet->payload[packet->payload_packet_len-8], "_simple", 7) == 0) ||
          (memcmp(&packet->payload[packet->payload_packet_len-8], "_gssapi", 7) == 0) ||
          (memcmp(&packet->payload[packet->payload_packet_len-5], "_pam", 4) == 0))
      {
        NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
        ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
        return;
      }
    }
  }

  NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
}


void init_mysql_dissector(struct ndpi_detection_module_struct *ndpi_struct)
{
  register_dissector("MySQL", ndpi_struct,
                     ndpi_search_mysql_tcp,
                     NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
                      1, NDPI_PROTOCOL_MYSQL);
}

Coverage Report

Created: 2025-06-13 06:05

Line	Count	Source (jump to first uncovered line)
1		/*
2		* mysql.c
3		*
4		* Copyright (C) 2009-11 - ipoque GmbH
5		* Copyright (C) 2011-25 - ntop.org
6		* Copyright (C) 2024 - V.G <v.gavrilov@securitycode.ru>
7		*
8		* This file is part of nDPI, an open source deep packet inspection
9		* library based on the OpenDPI and PACE technology by ipoque GmbH
10		*
11		* nDPI is free software: you can redistribute it and/or modify
12		* it under the terms of the GNU Lesser General Public License as published by
13		* the Free Software Foundation, either version 3 of the License, or
14		* (at your option) any later version.
15		*
16		* nDPI is distributed in the hope that it will be useful,
17		* but WITHOUT ANY WARRANTY; without even the implied warranty of
18		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19		* GNU Lesser General Public License for more details.
20		*
21		* You should have received a copy of the GNU Lesser General Public License
22		* along with nDPI. If not, see <http://www.gnu.org/licenses/>.
23		*
24		*/
25
26
27		#include "ndpi_protocol_ids.h"
28
29		#define NDPI_CURRENT_PROTO NDPI_PROTOCOL_MYSQL
30
31		#include "ndpi_api.h"
32		#include "ndpi_private.h"
33
34		static void ndpi_search_mysql_tcp(struct ndpi_detection_module_struct ndpi_struct, struct ndpi_flow_struct flow)
35	0	{
36	0	struct ndpi_packet_struct const * const packet = &ndpi_struct->packet;
37
38	0	NDPI_LOG_DBG(ndpi_struct, "search MySQL\n");
39
40	0	if(packet->payload_packet_len > 70 && packet->payload_packet_len < 120) {
41	0	u_int32_t length = (packet->payload[2] << 16) + (packet->payload[1] << 8) + packet->payload[0];
42
43	0	if ((u_int32_t)(packet->payload_packet_len-4) == length &&
44	0	packet->payload[4] == 0x0A && ((memcmp(&packet->payload[5], "5.5.5-", 6) == 0) \|\|
45	0	(packet->payload[5] > 0x33 && packet->payload[5] < 0x39)))
46	0	{
47	0	if ((memcmp(&packet->payload[packet->payload_packet_len-10], "_password", 9) == 0) \|\|
48	0	(memcmp(&packet->payload[packet->payload_packet_len-10], "_kerberos", 9) == 0) \|\|
49	0	(memcmp(&packet->payload[packet->payload_packet_len-9], "_windows", 8) == 0) \|\|
50	0	(memcmp(&packet->payload[packet->payload_packet_len-8], "_simple", 7) == 0) \|\|
51	0	(memcmp(&packet->payload[packet->payload_packet_len-8], "_gssapi", 7) == 0) \|\|
52	0	(memcmp(&packet->payload[packet->payload_packet_len-5], "_pam", 4) == 0))
53	0	{
54	0	NDPI_LOG_INFO(ndpi_struct, "found MySQL\n");
55	0	ndpi_set_detected_protocol(ndpi_struct, flow, NDPI_PROTOCOL_MYSQL, NDPI_PROTOCOL_UNKNOWN, NDPI_CONFIDENCE_DPI);
56	0	return;
57	0	}
58	0	}
59	0	}
60
61	0	NDPI_EXCLUDE_DISSECTOR(ndpi_struct, flow);
62	0	}
63
64
65		void init_mysql_dissector(struct ndpi_detection_module_struct *ndpi_struct)
66	1	{
67	1	register_dissector("MySQL", ndpi_struct,
68	1	ndpi_search_mysql_tcp,
69	1	NDPI_SELECTION_BITMASK_PROTOCOL_V4_V6_TCP_WITH_PAYLOAD_WITHOUT_RETRANSMISSION,
70	1	1, NDPI_PROTOCOL_MYSQL);
71	1	}