Merge remote-tracking branch 'origin/topic/vladg/mysql'

* origin/topic/vladg/mysql:
  Updating MySQL with Robin's suggestions:

BIT-1285 #merged

CHANGES

@@ -1,4 +1,16 @@
 
+2.3-390 | 2015-01-14 13:27:34 -0800
+
+  * Updating MySQL analyses. (Vlad Grigorescu)
+     - Use a boolean success instead of a result string.
+     - Change the affected_rows response detail string to a "rows" count.
+     - Fix the state tracking to log incomplete command.
+
+  * Extend DNP3 to support communication over UDP. (Hui Lin)
+
+  * Fix a bug in DNP3 determining the length of an object in some
+    cases. (Hui Lin)
+
 2.3-376 | 2015-01-12 09:38:10 -0600
 
   * Improve documentation for connection_established event. (Jon Siwek)

VERSION

@@ -1 +1 @@
-2.3-376
+2.3-390

scripts/base/protocols/mysql/main.bro

@@ -18,8 +18,10 @@ export {
 		cmd:	string	&log;
 		## The argument issued to the command
 		arg:	string	&log;
-		## The result (error, OK, etc.) from the server
+		## Did the server tell us that the command succeeded?
-		result: string &log &optional;
+		success: bool &log &optional;
+		## The number of affected rows, if any
+		rows: count &log &optional;
 		## Server message, if any
 		response: string &log &optional;
 	};
@@ -57,8 +59,14 @@ event mysql_handshake(c: connection, username: string)
 
 event mysql_command_request(c: connection, command: count, arg: string) &priority=5
 	{
-	if ( ! c?$mysql )
+	if ( c?$mysql )
 		{
+		# We got a request, but we haven't logged our
+		# previous request yet, so let's do that now.
+		Log::write(mysql::LOG, c$mysql);
+		delete c$mysql;
+		}
+
 	local info: Info;
 	info$ts = network_time();
 	info$uid = c$uid;
@@ -67,7 +75,6 @@ event mysql_command_request(c: connection, command: count, arg: string) &priorit
 	info$arg = sub(arg, /\0$/, "");
 	c$mysql = info;
 	}
-	}
 
 event mysql_command_request(c: connection, command: count, arg: string) &priority=-5
 	{
@@ -83,7 +90,7 @@ event mysql_error(c: connection, code: count, msg: string) &priority=5
 	{
 	if ( c?$mysql )
 		{
-		c$mysql$result = "error";
+		c$mysql$success = F;
 		c$mysql$response = msg;
 		}
 	}
@@ -101,8 +108,8 @@ event mysql_ok(c: connection, affected_rows: count) &priority=5
 	{
 	if ( c?$mysql )
 		{
-		c$mysql$result = "ok";
+		c$mysql$success = T;
-		c$mysql$response = fmt("Affected rows: %d", affected_rows);
+		c$mysql$rows = affected_rows;
 		}
 	}
 
@@ -114,3 +121,12 @@ event mysql_ok(c: connection, affected_rows: count) &priority=-5
 		delete c$mysql;
 		}
 	}
+
+event connection_state_remove(c: connection) &priority=-5
+	{
+	if ( c?$mysql )
+		{
+		Log::write(mysql::LOG, c$mysql);
+		delete c$mysql;
+		}
+	}

testing/btest/Baseline/core.print-bpf-filters/output2

@@ -4,7 +4,7 @@
 1 161
 1 162
 1 1812
-1 20000
+2 20000
 1 21
 1 2123
 1 2152
@@ -44,8 +44,8 @@
 1 992
 1 993
 1 995
-48 and
+49 and
-47 or
+48 or
-48 port
+49 port
 34 tcp
-14 udp
+15 udp

testing/btest/Baseline/plugins.hooks/output

@@ -5,7 +5,8 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> <null>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> <null>
+0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> <null>
@@ -57,7 +58,8 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp)) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp)) -> <null>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)) -> <null>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp)) -> <null>
@@ -104,7 +106,7 @@
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp)) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp})) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp})) -> <null>
-0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp})) -> <null>
+0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp})) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp})) -> <null>
 0.000000   MetaHookPost  CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp})) -> <null>
@@ -189,7 +191,7 @@
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::__create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::__write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
+0.000000   MetaHookPost  CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Cluster::LOG)) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Communication::LOG)) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::add_default_filter, (Conn::LOG)) -> <null>
@@ -283,8 +285,8 @@
 0.000000   MetaHookPost  CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509])) -> <null>
 0.000000   MetaHookPost  CallFunction(Log::create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
+0.000000   MetaHookPost  CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
-0.000000   MetaHookPost  CallFunction(Log::write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
+0.000000   MetaHookPost  CallFunction(Log::write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])) -> <null>
 0.000000   MetaHookPost  CallFunction(Notice::want_pp, ()) -> <null>
 0.000000   MetaHookPost  CallFunction(PacketFilter::build, ()) -> <null>
 0.000000   MetaHookPost  CallFunction(PacketFilter::combine_filters, (ip or not ip, and, )) -> <null>
@@ -542,7 +544,8 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 137/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::__register_for_port, (Analyzer::ANALYZER_DNS, 53/udp))
@@ -594,7 +597,8 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_AYIYA, 5072/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 67/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DHCP, 68/udp))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3, 20000/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/tcp))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNP3_TCP, 20000/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 137/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/tcp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_DNS, 53/udp))
@@ -641,7 +645,7 @@
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_port, (Analyzer::ANALYZER_TEREDO, 3544/udp))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_AYIYA, {5072/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DHCP, {67<...>/udp}))
-0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3, {20000/tcp}))
+0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_DNS, {5355<...>/udp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_FTP, {2811<...>/tcp}))
 0.000000   MetaHookPre   CallFunction(Analyzer::register_for_ports, (Analyzer::ANALYZER_GTPV1, {2152<...>/udp}))
@@ -726,7 +730,7 @@
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
 0.000000   MetaHookPre   CallFunction(Log::__create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql]))
-0.000000   MetaHookPre   CallFunction(Log::__write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::__write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Cluster::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Communication::LOG))
 0.000000   MetaHookPre   CallFunction(Log::add_default_filter, (Conn::LOG))
@@ -820,8 +824,8 @@
 0.000000   MetaHookPre   CallFunction(Log::create_stream, (Weird::LOG, [columns=<no value description>, ev=Weird::log_weird]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, (X509::LOG, [columns=<no value description>, ev=X509::log_x509]))
 0.000000   MetaHookPre   CallFunction(Log::create_stream, (mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql]))
-0.000000   MetaHookPre   CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::default_path_func, (PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]))
-0.000000   MetaHookPre   CallFunction(Log::write, (PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T]))
+0.000000   MetaHookPre   CallFunction(Log::write, (PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T]))
 0.000000   MetaHookPre   CallFunction(Notice::want_pp, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::build, ())
 0.000000   MetaHookPre   CallFunction(PacketFilter::combine_filters, (ip or not ip, and, ))
@@ -1079,7 +1083,8 @@
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DHCP, 68/udp)
-0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)
+0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 137/udp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/tcp)
 0.000000 | HookCallFunction Analyzer::__register_for_port(Analyzer::ANALYZER_DNS, 53/udp)
@@ -1131,7 +1136,8 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_AYIYA, 5072/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 67/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DHCP, 68/udp)
-0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3, 20000/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/tcp)
+0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNP3_TCP, 20000/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 137/udp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/tcp)
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_DNS, 53/udp)
@@ -1178,7 +1184,7 @@
 0.000000 | HookCallFunction Analyzer::register_for_port(Analyzer::ANALYZER_TEREDO, 3544/udp)
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_AYIYA, {5072/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DHCP, {67<...>/udp})
-0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3, {20000/tcp})
+0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNP3_TCP, {20000<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_DNS, {5355<...>/udp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_FTP, {2811<...>/tcp})
 0.000000 | HookCallFunction Analyzer::register_for_ports(Analyzer::ANALYZER_GTPV1, {2152<...>/udp})
@@ -1263,7 +1269,7 @@
 0.000000 | HookCallFunction Log::__create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
 0.000000 | HookCallFunction Log::__create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
 0.000000 | HookCallFunction Log::__create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])
-0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::__write(PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Log::add_default_filter(Cluster::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Communication::LOG)
 0.000000 | HookCallFunction Log::add_default_filter(Conn::LOG)
@@ -1357,8 +1363,8 @@
 0.000000 | HookCallFunction Log::create_stream(Weird::LOG, [columns=<no value description>, ev=Weird::log_weird])
 0.000000 | HookCallFunction Log::create_stream(X509::LOG, [columns=<no value description>, ev=X509::log_x509])
 0.000000 | HookCallFunction Log::create_stream(mysql::LOG, [columns=<no value description>, ev=MySQL::log_mysql])
-0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::default_path_func(PacketFilter::LOG, , [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])
-0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1420494303.113424, node=bro, filter=ip or not ip, init=T, success=T])
+0.000000 | HookCallFunction Log::write(PacketFilter::LOG, [ts=1421274039.845117, node=bro, filter=ip or not ip, init=T, success=T])
 0.000000 | HookCallFunction Notice::want_pp()
 0.000000 | HookCallFunction PacketFilter::build()
 0.000000 | HookCallFunction PacketFilter::combine_filters(ip or not ip, and, )

testing/btest/Baseline/scripts.base.protocols.mysql.auth/mysql.log

@@ -3,19 +3,19 @@
 #empty_field	(empty)
 #unset_field	-
 #path	mysql
-#open	2014-09-05-03-02-01
+#open	2015-01-13-18-11-40
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	result	response
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	success	rows	response
-#types	time	string	addr	port	addr	port	string	string	string	string
+#types	time	string	addr	port	addr	port	string	string	bool	count	string
-1362452327.618353	CsRx2w45OKnoww6xl4	192.168.1.3	55845	192.168.1.8	3306	login	root_nope	error	Access denied for user 'root_nope'@'lumberjack.home' (using password: NO)
+1362452327.618353	CsRx2w45OKnoww6xl4	192.168.1.3	55845	192.168.1.8	3306	login	root_nope	F	-	Access denied for user 'root_nope'@'lumberjack.home' (using password: NO)
-1362452330.947463	CRJuHdVW0XPVINV8a	192.168.1.3	55846	192.168.1.8	3306	login	root_nope	error	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
+1362452330.947463	CRJuHdVW0XPVINV8a	192.168.1.3	55846	192.168.1.8	3306	login	root_nope	F	-	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
-1362452332.571339	CPbrpk1qSsw6ESzHV4	192.168.1.3	55847	192.168.1.8	3306	login	root_nope	error	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
+1362452332.571339	CPbrpk1qSsw6ESzHV4	192.168.1.3	55847	192.168.1.8	3306	login	root_nope	F	-	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
-1362452334.559420	C6pKV8GSxOnSLghOa	192.168.1.3	55857	192.168.1.8	3306	login	root_nope	error	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
+1362452334.559420	C6pKV8GSxOnSLghOa	192.168.1.3	55857	192.168.1.8	3306	login	root_nope	F	-	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
-1362452336.361958	CIPOse170MGiRM1Qf4	192.168.1.3	55860	192.168.1.8	3306	login	root_nope	error	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
+1362452336.361958	CIPOse170MGiRM1Qf4	192.168.1.3	55860	192.168.1.8	3306	login	root_nope	F	-	Access denied for user 'root_nope'@'lumberjack.home' (using password: YES)
-1362452357.320858	C7XEbhP654jzLoe3a	192.168.1.3	55861	192.168.1.8	3306	login	root	error	Access denied for user 'root'@'lumberjack.home' (using password: NO)
+1362452357.320858	C7XEbhP654jzLoe3a	192.168.1.3	55861	192.168.1.8	3306	login	root	F	-	Access denied for user 'root'@'lumberjack.home' (using password: NO)
-1362452358.565340	CJ3xTn1c4Zw9TmAE05	192.168.1.3	55862	192.168.1.8	3306	login	root	error	Access denied for user 'root'@'lumberjack.home' (using password: YES)
+1362452358.565340	CJ3xTn1c4Zw9TmAE05	192.168.1.3	55862	192.168.1.8	3306	login	root	F	-	Access denied for user 'root'@'lumberjack.home' (using password: YES)
-1362452360.410803	CMXxB5GvmoxJFXdTa	192.168.1.3	55863	192.168.1.8	3306	login	root	error	Access denied for user 'root'@'lumberjack.home' (using password: YES)
+1362452360.410803	CMXxB5GvmoxJFXdTa	192.168.1.3	55863	192.168.1.8	3306	login	root	F	-	Access denied for user 'root'@'lumberjack.home' (using password: YES)
-1362452361.886123	Caby8b1slFea8xwSmb	192.168.1.3	55864	192.168.1.8	3306	login	root	error	Access denied for user 'root'@'lumberjack.home' (using password: YES)
+1362452361.886123	Caby8b1slFea8xwSmb	192.168.1.3	55864	192.168.1.8	3306	login	root	F	-	Access denied for user 'root'@'lumberjack.home' (using password: YES)
-1362452372.452858	Che1bq3i2rO3KD1Syg	192.168.1.3	55865	192.168.1.8	3306	login	root	ok	Affected rows: 0
+1362452372.452858	Che1bq3i2rO3KD1Syg	192.168.1.3	55865	192.168.1.8	3306	login	root	T	0	-
-1362452372.454995	Che1bq3i2rO3KD1Syg	192.168.1.3	55865	192.168.1.8	3306	query	select @@version_comment limit 1	ok	Affected rows: 1
+1362452372.454995	Che1bq3i2rO3KD1Syg	192.168.1.3	55865	192.168.1.8	3306	query	select @@version_comment limit 1	T	1	-
-1362452372.991997	Che1bq3i2rO3KD1Syg	192.168.1.3	55865	192.168.1.8	3306	quit	(empty)	-	-
+1362452372.991997	Che1bq3i2rO3KD1Syg	192.168.1.3	55865	192.168.1.8	3306	quit	(empty)	-	-	-
-#close	2014-09-05-03-02-01
+#close	2015-01-13-18-11-40

testing/btest/Baseline/scripts.base.protocols.mysql.wireshark/mysql.log

@@ -3,25 +3,25 @@
 #empty_field	(empty)
 #unset_field	-
 #path	mysql
-#open	2014-09-05-03-02-01
+#open	2015-01-13-18-12-10
-#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	result	response
+#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	cmd	arg	success	rows	response
-#types	time	string	addr	port	addr	port	string	string	string	string
+#types	time	string	addr	port	addr	port	string	string	bool	count	string
-1216281025.136728	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	login	tfoerste	ok	Affected rows: 0
+1216281025.136728	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	login	tfoerste	T	0	-
-1216281025.137062	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select @@version_comment limit 1	ok	Affected rows: 1
+1216281025.137062	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select @@version_comment limit 1	T	1	-
-1216281030.835001	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	SELECT DATABASE()	ok	Affected rows: 1
+1216281030.835001	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	SELECT DATABASE()	T	1	-
-1216281030.835395	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	init_db	test	ok	Affected rows: 0
+1216281030.835395	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	init_db	test	T	0	-
-1216281030.835742	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	show databases	ok	Affected rows: 1
+1216281030.835742	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	show databases	T	1	-
-1216281030.836349	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	show tables	ok	Affected rows: 1
+1216281030.836349	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	show tables	T	1	-
-1216281030.836757	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	field_list	agent	ok	Affected rows: 3
+1216281030.836757	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	field_list	agent	T	3	-
-1216281048.287657	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM	ok	Affected rows: 0
+1216281048.287657	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	create table foo (id BIGINT( 10 ) UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY, animal VARCHAR(64) NOT NULL, name VARCHAR(64) NULL DEFAULT NULL) ENGINE = MYISAM	T	0	-
-1216281057.746222	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	insert into foo (animal, name) values ("dog", "Goofy")	ok	Affected rows: 1
+1216281057.746222	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	insert into foo (animal, name) values ("dog", "Goofy")	T	1	-
-1216281061.713980	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	insert into foo (animal, name) values ("cat", "Garfield")	ok	Affected rows: 1
+1216281061.713980	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	insert into foo (animal, name) values ("cat", "Garfield")	T	1	-
-1216281066.549786	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	ok	Affected rows: 3
+1216281066.549786	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	T	3	-
-1216281072.304467	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo where name like '%oo%'	ok	Affected rows: 1
+1216281072.304467	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo where name like '%oo%'	T	1	-
-1216281079.450037	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo where id = 1	ok	Affected rows: 0
+1216281079.450037	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo where id = 1	T	0	-
-1216281087.437392	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select count(*) from foo	ok	Affected rows: 1
+1216281087.437392	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select count(*) from foo	T	1	-
-1216281109.107769	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	ok	Affected rows: 3
+1216281109.107769	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	select * from foo	T	3	-
-1216281116.209268	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo	ok	Affected rows: 1
+1216281116.209268	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	delete from foo	T	1	-
-1216281122.880561	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	drop table foo	ok	Affected rows: 0
+1216281122.880561	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	query	drop table foo	T	0	-
-1216281124.418765	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	quit	(empty)	-	-
+1216281124.418765	CXWv6p3arKYeMETxOg	192.168.0.254	56162	192.168.0.254	3306	quit	(empty)	-	-	-
-#close	2014-09-05-03-02-01
+#close	2015-01-13-18-12-10