Analyzing MySQL 5.7 Unencrypted and MySQL 8.0 Encrypted Connections via Packet Capture

This article demonstrates how to capture and analyze MySQL traffic on both unencrypted MySQL 5.7 and TLS‑encrypted MySQL 8.0 using tcpdump and Wireshark, explains the differences in packet contents, and walks through the TLS handshake process in detail.

Aikesheng Open Source Community

The article begins with an introduction that references a previous post about MySQL 8.0's caching_sha2_password authentication plugin and states the goal of examining encrypted connections from a network‑capture perspective.

1. MySQL 5.7 Unencrypted Connection

Environment: MySQL 5.7.25, tcpdump 4.9.2, Wireshark 3.2.2.

1.1 Capture traffic

tcpdump -i eth0 -s 0 host 10.186.65.69 and port 3306 -w ./5.7.cap

1.2 Execute test SQL via TCP

shell> mysql -uroot -pxxxx -h10.186.60.73 -P3306
mysql> show databases;
mysql> select * from qinfulang.sbtest1 limit 1;
mysql> exit

1.3 Analyze the capture with Wireshark

Wireshark screenshots show that without encryption the SQL statements are visible in packets 9‑20, so anyone who can capture traffic on the network path can read them. This is a serious security risk.

Tip: In Wireshark, enable Protocols → MySQL to display SQL queries in the Info column.

2. MySQL 8.0 Encrypted Connection

Environment: MySQL 8.0.15, tcpdump 4.9.2, Wireshark 3.2.2.

2.1 Capture traffic

tcpdump -i eth0 -s 0 host 10.186.65.69 and port 3306 -w ./8.0.cap

2.2 Execute the same test SQL

shell> mysql_8.0 -uroot -pxxxx -h10.186.60.73 -P3306
mysql> show databases;
mysql> select * from qinfulang.sbtest1 limit 1;
mysql> exit

Running the status command in the client shows that the connection uses TLS with the cipher DHE-RSA-AES128-GCM-SHA256.

2.3 Analyze the capture

Wireshark images illustrate that the payload is encrypted and the SQL statements are not readable.
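
The difference between the two captures can also be checked at the MySQL protocol level. The following Python code is an added example, not code from the original article: it walks a reassembled client-to-server byte stream, reports whether the client sent an SSLRequest (the CLIENT_SSL capability flag followed by a TLS record) and, if not, lists the SQL readable in COM_QUERY packets. The sample streams, flag values and helper names are constructed for illustration, and it assumes 5.7-style COM_QUERY packets without query attributes.

```python
import struct

CLIENT_SSL = 0x0800   # capability flag: client will switch to TLS after this packet
COM_QUERY = 0x03      # command byte that precedes SQL text

def mysql_packets(stream):
    """Yield (sequence_id, payload) for each MySQL packet in a byte stream."""
    pos = 0
    while pos + 4 <= len(stream):
        length = int.from_bytes(stream[pos:pos + 3], "little")  # 3-byte LE length
        seq, payload = stream[pos + 3], stream[pos + 4:pos + 4 + length]
        if len(payload) < length:
            break  # capture ends mid-packet
        yield seq, payload
        pos += 4 + length

def audit_client_stream(stream):
    """Return (uses_tls, readable_queries) for a client-to-server stream."""
    packets = mysql_packets(stream)
    _, login = next(packets, (None, b""))
    if len(login) < 32:
        raise ValueError("stream does not start with a protocol 4.1 login packet")
    caps = struct.unpack_from("<I", login)[0]
    after_login = stream[4 + len(login):]
    # SSLRequest: exactly the 32-byte header with CLIENT_SSL set, then a TLS
    # handshake record (content type 0x16, major version 0x03).
    if caps & CLIENT_SSL and len(login) == 32 and after_login[:2] == b"\x16\x03":
        return True, []
    # Plaintext: every command starts a new sequence (id 0); COM_QUERY carries SQL.
    return False, [p[1:].decode("utf-8", "replace")
                   for seq, p in packets if seq == 0 and p[:1] == bytes([COM_QUERY])]

# --- constructed sample streams (not taken from the article's captures) ---
def pkt(seq, payload):
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload

def login_header(caps):
    return struct.pack("<IIB23x", caps, 1 << 24, 33)  # flags, max packet, charset, filler

PLAIN_CAPS = 0x000FA685  # constructed flag set without CLIENT_SSL
PLAIN_STREAM = (
    pkt(1, login_header(PLAIN_CAPS) + b"root\x00" + b"\x14" + bytes(20)
        + b"mysql_native_password\x00")
    + pkt(0, b"\x03show databases")
    + pkt(0, b"\x03select * from qinfulang.sbtest1 limit 1")
    + pkt(0, b"\x01")  # COM_QUIT
)
TLS_STREAM = pkt(1, login_header(PLAIN_CAPS | CLIENT_SSL)) + b"\x16\x03\x03\x00\x02hi"
print(audit_client_stream(PLAIN_STREAM), audit_client_stream(TLS_STREAM))
```

Run against every client stream in a capture, a check like this flags connections that still expose SQL on the wire.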

2.4 TLS Handshake Details

The article explains why MySQL uses TLS rather than SSL and lists the TLS version (TLS v1.2) used by the client. It then walks through each handshake packet (8, 10, 11, … 14), describing the contents such as ClientHello, ServerHello, certificates, key exchange, ChangeCipherSpec, and encrypted handshake messages.

Key observations include the use of the DHE‑RSA‑AES128‑GCM‑SHA256 cipher suite, the exchange of X.509 certificates, and the final establishment of an encrypted session.

Conclusion

MySQL 8.0's encryption plugin balances security and performance; it is recommended to keep it enabled. TLS v1.3 is supported from MySQL 8.0.16 onward. The author notes that attempts to decrypt MySQL 8.0 TLS traffic in Wireshark have failed, and suggests using MySQL 5.7 or disabling SSL for testing purposes.