From 099e4ab74e787cfd338ac3e60a5a595aa0dbe45c Mon Sep 17 00:00:00 2001
From: yuanchao <yuanchao@yunshan.net>
Date: Fri, 13 Oct 2023 19:55:58 +0800
Subject: [PATCH] [Agent] Fix mongo log request resource is null #22509

---
 .../test/flow_generator/mongo/mongo.pcap      | Bin 0 -> 15158 bytes
 .../test/flow_generator/mongo/mongo.result    |  30 ++++
 .../flow_generator/protocol_logs/sql/mongo.rs | 144 +++++++++++++++---
 3 files changed, 154 insertions(+), 20 deletions(-)
 create mode 100644 agent/resources/test/flow_generator/mongo/mongo.pcap
 create mode 100644 agent/resources/test/flow_generator/mongo/mongo.result

diff --git a/agent/resources/test/flow_generator/mongo/mongo.pcap b/agent/resources/test/flow_generator/mongo/mongo.pcap
new file mode 100644
index 0000000000000000000000000000000000000000..d5be4b29127d9e970350c0a89c580760a3e516ff
GIT binary patch
literal 15158
zcmeHO3ve98neKfU8?YT2Oe|wUO@wnYwpQ9*JuC~$_G-0j$(D9)?MgBRBW8DIS7Xi2
ztY>ERFckvHT@tu5PUQgeGByw62bkE#F&N@19?2y~D(A|bO+g|^6;*`GaiJ)ZkSpRN
z_x-)Ak$0sNT#Cz4g+|q@o$j8mzyANfyZ^s?_RLGi9&$1_8^7Glft!yORLHN^yVyE>
zr}W_$R~_rE!RLR@ymb}}F}AX@X$@O*!MQJ7<agYT^mhl|S8m(C^SDMxd!0sE>IKG}
z?it73&RG|A|Mnl^l<#o4W)kvO8j6sCna9r~Ge*c)ts_)IS8hA-z8XIHYoP0UFWDw6
zcxW7X-h4So=wryK<u2BOmMBf&TvvGw=lsPI&N|TFzNL)4wY35q9h`4BArsffR=C(I
zC*!FU(dn&RNr)dVoD{K~y>)0wG2%HAZs9sJGyg@DGKyBcIGK_7J=Hjik21yV6irJu
zxI$cJR!-(r(NYHGK+fuyHA_i~mdv)JdYLJjYRnQ1i`R8#<Yd37DQ1SvMQJS973lQD
z+5#SbeFK}36-QKEl$eKF)2gbpW=^2WXx37eyg}Jq(;L%#;eiI<NMLKISKpRt+*}iG
z@TONdr3AYG5ApiY0dF;z&FY3FOPy%bWV6SLtMipyNmT(==0b;DVm7N1X+_uAmr&8E
zi5Zzw?9{ci-r6F>`eju`P02tv4R(!PsT|+NDz$46iYBT;Fpup-Rg*ADo^{oA)&6=w
z=qB4ik6R;InX~RtwA^r^&99&&2wu^cz_SHIR%OwYh2_;Ns{LN?3Smi5H{`3CQ#6wO
ziX|tloFVfDh8r9D8tRzc=v9DP4?eOg)K>ev)n1R!*Wj&g^j7<-Wp#OVp+0JnHT?+I
zbe??{TYlZ>qhw9t!zGsg_WqqG24J7>EVwssO|Z>YSbaAkzSQhuH^V+D<;UmvSaN1Z
z_Yq=ic2dN0_RhkyHe!enR{~`vxY9+2IE#N9|De2b)R_h2Dj28B(zCj%r$>4UY9Pa!
znKksJY?|#7lPfNLHvCfkhf9Pbqn9N09BFSHuq-1Ex0t#XO>BjbW6E}!${dv4iRZ<%
zOnEIMmTWSnjykEJ*MLS^L@U|P>+k)hgI%cVNl}d}uqXFP&z!%f@dHk<HZ=wqSO=Bq
zIja*^Kv-9zm9nI+X=oLt;OU|qjKp5WkjJ`0TzHG;<z0xpS%xf1QB56T%st5{APG3V
zd@zg;J|A=XCK-?He;nD5P~)IT=FJBUNOGM>x&|rP138C!?BhpoqC;NS)7TNIF*a-r
zWj3`+iH44dzgyp|rQ(Uf!E}|`Y^_^Auy$Z;?S^eZ#q3oFgH}zOe^W!SN9%0V!ad!?
z8!~!Jpt-q9Y4+87y<X<f2dHse@2%$cedX#R`z~HH>MEQ0{5!vRwmdPQhJSDs?E78$
z^}IF05_@6eA+qmN9d5P=-KJDJ|2pPWt|G)gHBE|G&fZPDY$HBEh_8Vv$&jwsF<<cS
z&*O$qp+Oz9s+N;^wk_Xbs+??2C`0Bam?S?|%-QDtKs+w`+d`W<>U&x{LSlC=*4U^w
zW|M8Hts9s1Yz((c#<pxrU2dD%JedJF7Z*>&5AWW+g+%3yxY<kKN~v@zVBa5oj8860
zi>HDgT(y7a)2+9Zv)`3po);CwbUPIAz^y=OMj{c}qUy)ZWRzx=*km>8vBBnabe$U7
zWcZf%YTeex#;w`fny&Z?wNY<v*toniylF*v{kHh_xM*!pHW%4a?9QI&sY|o3b)P?9
zmfF*5ZcmpKYyat1*wdr1rw@|v=DURM?4fQE;vpc?$f8tgPwcMBHQb(#Oo~{}KKS#U
z#fTzMFdg#C7E&8-r?4kpc`_lE>UI69$Xud)ZnK-+g{LS@(CfEG_jA4Wmgx0S=yf0I
zb-{nwdcA`L5d+F9B%*CoZo<uEl=6CY*kb|JfOh_<zy9~97ZS<+*Sp!*P)KQlT(?yQ
zxLp6WM6UawsXv0`2R=+<1<z|QG<63Vo(qXCo8)5LlnwQZmYEsJ849<|QkmVea_w27
zQ@O>>zJ>afCdh1L^Z=KcR3fuKLS}DrnY~dYv%MjptVSYAHk~TmI7jpxy98gb^4HUn
z@2hQWs;l+am&}cS?(+POXkB@Wn|&SCDNT@)RoTL&bh<=JZ>r%_D@jU^Kr96*9V98O
z0m_)~ZquqnrX!J4R7ufNI&SECZ*{4ln!Mf%iP4*2v;{LErBXr7jE){8Myq!e3+mL$
z{X3tjAVFPu+!oX>7}vo?Kv{$Kh?ULAiA>vH!uK&J&6!rLv6c2}WY@~R#$;WxzQJ49
zC`l>5Uu<Yx?w6&c&*w|j*ZJ%HK2h>X^~{~orJRaYd<LF^kEYV<Z|Mf3wb@E$cm{KB
z6$eE#X((AMq@@+CndH1?^zB<s_^u;nJBjCFWJz+?kja^rn41<`_yYmM5J%XTQCQ~X
zohkF>|M}TM%B;l)E|;E_HPcktjks|dIZacvG!t+WML{gqA^56c6|yI#WKF^66T)&r
z@Oyo=%$d|PSw%&YpQJW(afODoLB-Iu40+Ux(08Y#m=<Kg9a96o^Kx%KkG$3*Z#9`@
zez2<1vsO)poNXy#>AH$ALD6akYikntmrf>|1bhff)&_%D3yszF)qqPTQ>vIYS<b<j
zCzZ;2;E`B{n6#SpR7&uqG~J_T6w8w`;LLlnx<dY4KHszqC24s?RS`|d1(~8bq9yy$
z1wChaa@vrhNghi~K$U_got6@UCu{YSZzXtop+tO|N?JpcnXG8YxJ7F@Z9vn9G*8wL
z)9^u&sc3^}L-J&k{kW42LkEGVf2?}WlqC=M4?PqNNOFoE;z+zGmD9Knn9m$H29G2s
zRng$CSMd`NfoXXLMMEL(MPP}X<uT>b!i)kRR7-mj5FGV2Wm;l#0A0{2w9pL?L<Ozn
z#YU=z8{)~xnPesl4Ga%|0_81R2IVbVR-(M&;k@=DP`;;Ehjmlz2YJAdtQ=w}E{Kdc
zl8_--MN=#VqTDV+0V$LILkNZ8g;61Zr_`KWw#>JjIaNg)$b<iez{eG*R(ZBpK}CYc
zkVX*VDM_?~OsL-yRnL%U&?uQw3eby3m73GKN|r#+LS1>wAWcvP9}pg8th`?|`@wER
zm7CLAE?<XO$is4y3%l?bweBg&++Kz7&(Oyn(hUW(MWMc|k%~Q<Jmirq8V62<*=gD8
zn=r%*`G`Adnt^mE+DvA%us6&-CX+FMVu5g|JreKhj)nU0zpFhGYY)Z*udpH573zz{
z1M&8t5NQpybgvcqHbpmtB7L!FcULeZEcbeazO|9=vHQMov@6~ozIN>1FSJCXv3Os+
ztt%90?du73#oD70p}sg9?Z*0A1MyJ2y)#rOid`FvhdTQr(Z1HuhOST$rLBdc&Op44
z3Ob^ZwSBG8?v{>FAI}SSM}l$S#|jlgkpPtiVzE$H95~?L*A|Gtx$P>{=!mW*q*xnh
zQ%PSW&>0$goC--K5%j+Ya=12zobw*+ZI8D_yY0@weeMzhEwK&~LJ-Y%w6BeXTKfXQ
zU?>LnrYxaYCSQhTNpd2WM$Y6>rrX5WLx`DQ9!%B&#UXB^B`Tq$(~3+X8->7<JgDWc
zGvV~JdAOCc{c=V&L^Z4%aoMz(vz9L;LkJV4xRRy-x5!C){H9m4wAjjDpVFNT(qemV
zZt?Q}OobZ$Vec(vj!Un@B6;5Ozl#u`xWmo92TGJCI1~?6wi4o>_D+ge?zr^H=WN8o
za42?VfWp^Q{I{2H+PZVX<U8~<E5mmTC(Iq$-oiL$F4a^d9#GG~f2!d=8ExJ1;#;jd
z5ASI>^u&F4A7rK8$L2X#yh8L7JKby;UKOQM@58lq^l_peEZM#IVK2Ooo#cI7e%kgv
z?uYkr7~6_0fcB{iHvKOlv&_;l^<b+<Hfi&~k~Qwixv@pS-g9!LJ1{(Ns<0}WZmL);
z!564#s_=XLwH}|><86%lyiNYbCZDf*h1b8#+X&~W;;U5^CMxw-R0%>w65oPRjOb_w
zzgMJ+Ccoe3_o5J`)-cLxb`>>A#hNW^6;%}(GmYFplJ-dizN+e~pqPTDTS9)?k%SbM
zGHmt<U?e86K~*hu(dq~oVTg7?1Tp`(rSmGh08l9<oy#v=1entd7%8pAvV?YN8mnl!
zuA)Sb6<fYa=Kc<3_o>TadE>{*p#~mV%>ds>tI1?);9_VdE&7_(*PlzvSq#&fF{z+W
zm7+Q%j+m9zLa!{CxpW#m6tM7O;Y<sPB|spRnvC_X@?(1JXaD|x(c?znr_y6A9+;p=
ziJw-7izlY8yT2Q!ad_%3H#-42P?|7}9H<QOY2==gX=JAw{_&1m${kB@{HZ;SJc()K
zehVnH2-0Pb!|QP4u=lii8Nw0=EWEJm%d_5F{fVa&8s*r^Lt|I};gxgLi-Eh{Y!Ks^
zQt52s=pTK8dJ)=I9LxN8$NrrsT{N4N|ID6Ec4IbqvJNOMXoGrU_ky;eKEs=z*Z*}l
zKZ_Q*<DrX2NDCj`=VtpLGfER|X;)>K+tPtzTRQ1d!#{ZewzTFjVz|O0cLcVyI|&q8
zkm<6uKu1#f7?%feyb#9p7nsi6m#=UT>D%s~G7LUUq*vcoY&t)A0j85G34<Sm=^UXj
zI0#lm+$KF822Y2<(_!#*7(5*YPlv&u&oKCQ;hjIwV!M9#lwt5%T5Qi<RN^6|)bQz1
zguz=Ph{(_L5FRAN-#_SPk7Kc=G{NWCUD?Kcj*>9=WFE2Hv1QR*8}TT7jt3Q>P}onG
zy?k%LjRRqDFe6bQ8O>skA%FcZ91rp(3$ITckFM?^>No9iv)ABNQkvkj{&e(vL_KtI
zvFCAm6rRUv@;nxL^VC6m4?K^fyMWS)Mu@&m{bppkv28V&Klt(TAiXAM8hqb3zaLDo
zA0lPuNsaAt)W}w{uvuJ9F(tOU5s+asm3<j_*ubVRlkbO2sOi#Vi(LgYCpMO)_AIA^
zcO&SJmC*|$>^2gztMHmYr>G&m<NMmn=qU?_^_y|Z&Aq$%$l+woe#C<{+mW9?*>DxM
zZ&)KeBPBM7RzLd!)yCFrjjAN_?3rt;o}(8=c-gE%5J{&;F2tOcoS}`4P7Z-+LecUs
zs8Do~!UjE?g-wD$7TftaeRpQ5i7V_T^z_(n`k0_-M*$i+|Ag!rEAlug+I7IqZbc!b
z2{vk0wsRZ(rxL3_t%iSY!Y?*2xZ1YSr%2g!90gaIU$&zE2Dg*=#eDaLI+PEW{&~|i
z-zGx;0zzBhqEafgJRJQTAwsLaS!{VfH}~&+c5aE!`!Fo;De`$kXoE=Egr<GoX`gr6
z=biR>r+waOpZD|W^WJl?`j@oWe(lhdKJPkOY|qUsUj3h)tA<~_13vF}TH$LJeBR?&
z{U0X8pFQDb-^F4}X@WoTx0UO;KXGDG#B#@Xr00tf$-TV@i7tEjUXGhjvS(Z3VEm(b
zq>dO~e|XCM*ki;nG*Ikdym|*5j2lY!V;_Noah&#J!yrT~ZHAxm{n*6+<9_VyUn>%6
z;r3&0c0XiBX@Z^XsO;c&@<fT9+@OYEdl7!;W24vGc5(ui_sF$CxfqEqTMKJ&<1pkb
zUbeN?%2v!0t=xEYG;xo=^f>T9pz0`5{n2qZdmdPnN<C6`Z1gFj8WxHT=Cv1LFi&%X
zS&*j+n)_fdCvFDHS|p-tQ<ZTu?w%uV!22RNiDQe9PbY7Mmw1FB#lqVpo<gVS<v2;s
z9}v^G2)(&}86Jt~UFde<t@aRqSwLc}@<nkK_2-$5Gp2fdv6K39&Rrt<r`7N;)?m;-
z7C2*z{#Vo|XL*JE;w7`EI`55eW!^n0B9u8Sj3Mq@L5OtTI~$2ETS9T%eA?%|7rwdW
z0-|3wfA&=8y~l}uFkP(RU#!``^SQ;O;PLa`p(WkF-M50yd)vU4x?t0vKJT4A@15d=
z`}2L?tNojI1&zZ;E}K2o#1!Qdle2gld2X>9eti%V)2T)HiAdfX+1E60{?HOayy5cM
zQ+XpB_{4N{Qp9q{DQ53(?7M~#$s3u2M3+6X|3YtMv3C2t#BkA~*;Abkf1enJ`itkD
z*9S58SjFDR&{E7j*N`{T4tB)SX80NRMt<}1U-hRk<I6059dc|zSs7_z+cQ&I-bQYD
zti(<%HT=dQSl*e1_Iu*{B-qK)89>~%YYuxDTA(z+zqzxri(B5FNfFB(XWsUW+452R
z=5J`}jX=S6Fu!cQk{98|4q)N8L?)w+HkbEfUV57F*3+Y}Jl9N&58gM2sX(AK!Ogj0
z^aL>um%OL&#vxeZ8M4F$FXb7}oBs{`3hZe2QlP9uBGxuzdQGiJ{%?Q#If2@K|Nc2s
zjr<sw)<-4MIs^HiA^Edk+0yEv_6f1}fhiH=9Pz&<MVtr3!mIY^iH&&Ko+8B3U&%eq
z<#Qhp&-;Do8)qP&v$xEHeD1a7gWt3r?IDhyy+w$nza#199M6?-Jd0kR<-Pu;-D~_V
I=^LT{22Us!h5!Hn

literal 0
HcmV?d00001

diff --git a/agent/resources/test/flow_generator/mongo/mongo.result b/agent/resources/test/flow_generator/mongo/mongo.result
new file mode 100644
index 00000000000..68f6c87fc1d
--- /dev/null
+++ b/agent/resources/test/flow_generator/mongo/mongo.result
@@ -0,0 +1,30 @@
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 0, response_id: 0, op_code: 2004, op_code_name: "OP_QUERY", request: "{ \"isMaster\": 1, \"speculativeAuthenticate\": { \"saslStart\": 1, \"mechanism\": \"SCRAM-SHA-256\", \"payload\": Binary(0x0, biwsbj1hZG1pbixyPW5mdGVQaVovV1NuMUZrNjF5QWpFV29xbThaL0Y2MGc5), \"db\": \"admin\" }, \"saslSupportedMechs\": \"admin.admin\", \"client\": { \"application\": { \"name\": \"MongoDB Shell\" }, \"driver\": { \"name\": \"MongoDB Internal Client\", \"version\": \"4.4.25\" }, \"os\": { \"type\": \"Linux\", \"name\": \"CentOS Linux release 7.9.2009 (Core)\", \"architecture\": \"x86_64\", \"version\": \"Kernel 3.10.0-1160.80.1.el7.x86_64\" } } }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 0, response_id: 60, op_code: 1, op_code_name: "OP_REPLY", request: "", response: "{ \"ismaster\": true, \"topologyVersion\": { \"processId\": ObjectId(\"652213ba46c335fa2820b0dc\"), \"counter\": 0 }, \"maxBsonObjectSize\": 16777216, \"maxMessageSizeBytes\": 48000000, \"maxWriteBatchSize\": 100000, \"localTime\": DateTime(\"2023-10-08 2:46:22.212 +00:00:00\"), \"logicalSessionTimeoutMinutes\": 30, \"connectionId\": 3, \"minWireVersion\": 0, \"maxWireVersion\": 9, \"readOnly\": false, \"saslSupportedMechs\": [\"SCRAM-SHA-1\", \"SCRAM-SHA-256\"], \"speculativeAuthenticate\": { \"conversationId\": 1, \"done\": false, \"payload\": Binary(0x0, cj1uZnRlUGlaL1dTbjFGazYxeUFqRVdvcW04Wi9GNjBnOWJMZUpWOExOL3JQUUVtWERkYjZMTjJVb1puZlRidnZnLHM9dEpLa0drajNQcUNpc1dsdkN0L0gyWDZDVm5NOG5GVlV4UG1vQkE9PSxpPTE1MDAw) }, \"ok\": 1 }", response_code: 0, exception: "", rrt: 1053 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 1, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"saslContinue\": 1, \"payload\": Binary(0x0, Yz1iaXdzLHI9bmZ0ZVBpWi9XU24xRms2MXlBakVXb3FtOFovRjYwZzliTGVKVjhMTi9yUFFFbVhEZGI2TE4yVW9abmZUYnZ2ZyxwPWhBVFRhMkhFWEw1VkRMRWFVdVM4OG84cGNIZmpRK1ZRRklkcnFwQjR1cXM9), \"conversationId\": 1, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 1, response_id: 61, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"conversationId\": 1, \"done\": false, \"payload\": Binary(0x0, dj1nT0psRVhyMTdXblV0UThqcDMvUlQ5bDhvRDZRN01GWDlGS3FUelRhdHpjPQ==), \"ok\": 1 }", response_code: 0, exception: "", rrt: 325 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 2, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"saslContinue\": 1, \"payload\": Binary(0x0, ), \"conversationId\": 1, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 2, response_id: 62, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"conversationId\": 1, \"done\": true, \"payload\": Binary(0x0, ), \"ok\": 1 }", response_code: 0, exception: "", rrt: 338 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 3, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"whatsmyuri\": 1, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 3, response_id: 63, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"you\": \"10.50.1.138:43250\", \"ok\": 1 }", response_code: 0, exception: "", rrt: 128 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 4, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"buildinfo\": 1, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 4, response_id: 64, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{}", response_code: 0, exception: "", rrt: 196 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 5, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"getLog\": \"startupWarnings\", \"lsid\": { \"id\": Binary(0x4, uU9EjcLlRI+tnzaqrJqWqQ==) }, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 5, response_id: 65, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"totalLinesWritten\": 3, \"log\": [\"{\"t\":{\"$date\":\"2023-10-08T10:28:11.902+08:00\"},\"s\":\"W\",  \"c\":\"CONTROL\",  \"id\":22120,   \"ctx\":\"initandlisten\",\"msg\":\"Access control is not enabled for the database. Read and write access to data and configuration is unrestricted\",\"tags\":[\"startupWarnings\"]}\", \"{\"t\":{\"$date\":\"2023-10-08T10:28:11.902+08:00\"},\"s\":\"W\",  \"c\":\"CONTROL\",  \"id\":22178,   \"ctx\":\"initandlisten\",\"msg\":\"/sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'\",\"tags\":[\"startupWarnings\"]}\", \"{\"t\":{\"$date\":\"2023-10-08T10:28:11.902+08:00\"},\"s\":\"W\",  \"c\":\"CONTROL\",  \"id\":22181,   \"ctx\":\"initandlisten\",\"msg\":\"/sys/kernel/mm/transparent_hugepage/defrag is 'always'. We suggest setting it to 'never'\",\"tags\":[\"startupWarnings\"]}\"], \"ok\": 1 }", response_code: 0, exception: "", rrt: 182 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 6, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"isMaster\": 1, \"forShell\": 1, \"lsid\": { \"id\": Binary(0x4, uU9EjcLlRI+tnzaqrJqWqQ==) }, \"$db\": \"test\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 6, response_id: 66, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"ismaster\": true, \"topologyVersion\": { \"processId\": ObjectId(\"652213ba46c335fa2820b0dc\"), \"counter\": 0 }, \"maxBsonObjectSize\": 16777216, \"maxMessageSizeBytes\": 48000000, \"maxWriteBatchSize\": 100000, \"localTime\": DateTime(\"2023-10-08 2:46:22.3 +00:00:00\"), \"logicalSessionTimeoutMinutes\": 30, \"connectionId\": 3, \"minWireVersion\": 0, \"maxWireVersion\": 9, \"readOnly\": false, \"ok\": 1 }", response_code: 0, exception: "", rrt: 174 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 7, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"buildInfo\": 1, \"lsid\": { \"id\": Binary(0x4, uU9EjcLlRI+tnzaqrJqWqQ==) }, \"$db\": \"test\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 7, response_id: 67, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{}", response_code: 0, exception: "", rrt: 139 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 8, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"getCmdLineOpts\": 1, \"lsid\": { \"id\": Binary(0x4, uU9EjcLlRI+tnzaqrJqWqQ==) }, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 8, response_id: 68, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"argv\": [\"/usr/bin/mongod\", \"-f\", \"/etc/mongod.conf\"], \"parsed\": { \"config\": \"/etc/mongod.conf\", \"net\": { \"bindIp\": \"0.0.0.0\", \"port\": 27017 }, \"processManagement\": { \"timeZoneInfo\": \"/usr/share/zoneinfo\" }, \"storage\": { \"dbPath\": \"/var/lib/mongo\", \"journal\": { \"enabled\": true } }, \"systemLog\": { \"destination\": \"file\", \"logAppend\": true, \"path\": \"/var/log/mongodb/mongod.log\" } }, \"ok\": 1 }", response_code: 0, exception: "", rrt: 135 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 9, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"buildInfo\": 1, \"$db\": \"test\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 9, response_id: 69, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{}", response_code: 0, exception: "", rrt: 207 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 10, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"isMaster\": 1, \"forShell\": 1, \"$db\": \"test\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 10, response_id: 70, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"ismaster\": true, \"topologyVersion\": { \"processId\": ObjectId(\"652213ba46c335fa2820b0dc\"), \"counter\": 0 }, \"maxBsonObjectSize\": 16777216, \"maxMessageSizeBytes\": 48000000, \"maxWriteBatchSize\": 100000, \"localTime\": DateTime(\"2023-10-08 2:46:22.306 +00:00:00\"), \"logicalSessionTimeoutMinutes\": 30, \"connectionId\": 3, \"minWireVersion\": 0, \"maxWireVersion\": 9, \"readOnly\": false, \"ok\": 1 }", response_code: 0, exception: "", rrt: 143 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 11, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"replSetGetStatus\": 1, \"forShell\": 1, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 11, response_id: 71, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "", response_code: 76, exception: "not running with --replSet", rrt: 571 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 12, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"getLog\": \"startupWarnings\", \"lsid\": { \"id\": Binary(0x4, uU9EjcLlRI+tnzaqrJqWqQ==) }, \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 12, response_id: 72, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"totalLinesWritten\": 3, \"log\": [\"{\"t\":{\"$date\":\"2023-10-08T10:28:11.902+08:00\"},\"s\":\"W\",  \"c\":\"CONTROL\",  \"id\":22120,   \"ctx\":\"initandlisten\",\"msg\":\"Access control is not enabled for the database. Read and write access to data and configuration is unrestricted\",\"tags\":[\"startupWarnings\"]}\", \"{\"t\":{\"$date\":\"2023-10-08T10:28:11.902+08:00\"},\"s\":\"W\",  \"c\":\"CONTROL\",  \"id\":22178,   \"ctx\":\"initandlisten\",\"msg\":\"/sys/kernel/mm/transparent_hugepage/enabled is 'always'. We suggest setting it to 'never'\",\"tags\":[\"startupWarnings\"]}\", \"{\"t\":{\"$date\":\"2023-10-08T10:28:11.902+08:00\"},\"s\":\"W\",  \"c\":\"CONTROL\",  \"id\":22181,   \"ctx\":\"initandlisten\",\"msg\":\"/sys/kernel/mm/transparent_hugepage/defrag is 'always'. We suggest setting it to 'never'\",\"tags\":[\"startupWarnings\"]}\"], \"ok\": 1 }", response_code: 0, exception: "", rrt: 334 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 13, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"isMaster\": 1, \"forShell\": 1, \"$db\": \"test\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 13, response_id: 73, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"ismaster\": true, \"topologyVersion\": { \"processId\": ObjectId(\"652213ba46c335fa2820b0dc\"), \"counter\": 0 }, \"maxBsonObjectSize\": 16777216, \"maxMessageSizeBytes\": 48000000, \"maxWriteBatchSize\": 100000, \"localTime\": DateTime(\"2023-10-08 2:46:26.793 +00:00:00\"), \"logicalSessionTimeoutMinutes\": 30, \"connectionId\": 3, \"minWireVersion\": 0, \"maxWireVersion\": 9, \"readOnly\": false, \"ok\": 1 }", response_code: 0, exception: "", rrt: 189 } is_mongo: false
+MongoDBInfo { msg_type: Request, is_tls: false, req_len: 0, resp_len: 0, request_id: 14, response_id: 0, op_code: 2013, op_code_name: "OP_MSG", request: "{ \"endSessions\": [{ \"id\": Binary(0x4, uU9EjcLlRI+tnzaqrJqWqQ==) }], \"$db\": \"admin\" }", response: "", response_code: 0, exception: "", rrt: 0 } is_mongo: true
+MongoDBInfo { msg_type: Response, is_tls: false, req_len: 0, resp_len: 0, request_id: 14, response_id: 74, op_code: 2013, op_code_name: "OP_MSG", request: "", response: "{ \"ok\": 1 }", response_code: 0, exception: "", rrt: 786 } is_mongo: false
diff --git a/agent/src/flow_generator/protocol_logs/sql/mongo.rs b/agent/src/flow_generator/protocol_logs/sql/mongo.rs
index 0c6a76da795..16f035a3c65 100644
--- a/agent/src/flow_generator/protocol_logs/sql/mongo.rs
+++ b/agent/src/flow_generator/protocol_logs/sql/mongo.rs
@@ -220,11 +220,14 @@ const _OP_COMMAND: u32 = 2010;
 const _OP_COMMANDREPLY: u32 = 2011;
 const _OP_COMPRESSED: u32 = 2012;
 const _OP_MSG: u32 = 2013;
-const _UNKNOWN: &str = "Unknown";
+const _UNKNOWN: &str = "";
 
 const _HEADER_SIZE: usize = 16;
 
 const _EXCEPTION_OFFSET: usize = 20;
+const _COLLECTION_NAME_OFFSET: usize = 20;
+const _QUERY_DOC_OFFSET: usize = _COLLECTION_NAME_OFFSET + 8; // 8 is sizeof(Number to skip + Number to Reture)
+const _MSG_DOC_SECTION_OFFSET: usize = _HEADER_SIZE + 4; // 4 is sizeof(Message Flags)
 
 impl MongoDBLog {
     // TODO: tracing
@@ -264,16 +267,25 @@ impl MongoDBLog {
 
         // command decode
         match info.op_code {
-            _OP_MSG if payload.len() > _HEADER_SIZE => {
+            _OP_MSG if payload.len() > _MSG_DOC_SECTION_OFFSET => {
                 // OP_MSG
                 let mut msg_body = MongoOpMsg::default();
-                msg_body.decode(&payload[_HEADER_SIZE..])?;
+                // TODO: Message Flags
+                msg_body.decode(&payload[_MSG_DOC_SECTION_OFFSET..])?;
                 match info.msg_type {
                     LogMessageType::Response => {
-                        info.response = msg_body.sections.doc.to_string();
-                        info.exception = msg_body.sections.c_string.unwrap_or(_UNKNOWN.to_string());
-                        info.response_code =
-                            msg_body.sections.doc.get_f64("code").unwrap_or(0.0) as i32;
+                        // The data structure of doc is Bson, which is a normal response when there is no errmsg in it
+                        if msg_body.sections.doc.get_str("errmsg").is_err() {
+                            info.response = msg_body.sections.doc.to_string();
+                        } else {
+                            info.exception =
+                                msg_body.sections.doc.get_str("errmsg").unwrap().to_string();
+                        }
+                        if info.exception.len() == 0 {
+                            info.exception =
+                                msg_body.sections.c_string.unwrap_or(_UNKNOWN.to_string());
+                        }
+                        info.response_code = msg_body.sections.doc.get_i32("code").unwrap_or(0);
                         if info.response_code > 0 {
                             self.perf_stats.as_mut().map(|p| p.inc_resp_err());
                         }
@@ -315,13 +327,16 @@ impl MongoDBLog {
             }
             _OP_QUERY if payload.len() > 28 => {
                 // "OP_QUERY"
-                info.exception = CStr::from_bytes_until_nul(&payload[..20])
-                    .map_err(|_| Error::L7ProtocolUnknown)?
-                    .to_string_lossy()
-                    .into_owned();
+                let collection_name =
+                    CStr::from_bytes_until_nul(&payload[_COLLECTION_NAME_OFFSET..])
+                        .map_err(|_| Error::L7ProtocolUnknown)?
+                        .to_string_lossy()
+                        .into_owned();
 
-                let query = Document::from_reader(&payload[28 + info.exception.len() + 1..])
-                    .unwrap_or(Document::default());
+                let query = Document::from_reader(
+                    &payload[_QUERY_DOC_OFFSET + collection_name.len() + 1..],
+                )
+                .unwrap_or(Document::default());
                 info.request = query.to_string();
             }
             _OP_GET_MORE | _OP_DELETE if payload.len() > 20 => {
@@ -415,18 +430,24 @@ pub struct MongoOpMsg {
 }
 
 impl MongoOpMsg {
+    const _KIND_OFFSET: usize = 0;
+    const _KIND_LEN: usize = 1;
+    const _DOC_LENGTH_OFFSET: usize = Self::_KIND_OFFSET + Self::_KIND_LEN;
+    const _DOC_LENGTH_LEN: usize = 4;
+
     fn decode(&mut self, payload: &[u8]) -> Result<bool> {
-        if payload.len() < 9 {
+        if payload.len() < Self::_DOC_LENGTH_OFFSET + Self::_DOC_LENGTH_LEN {
             return Ok(false);
         }
-        // todo: decode flag
         let mut sections = Sections::default();
         //sections.kind = payload[4];
-        let section_len = bytes::read_u32_le(&payload[5..9]);
-        if payload.len() < 4 + section_len as usize {
+        let section_len = bytes::read_u32_le(
+            &payload[Self::_DOC_LENGTH_OFFSET..Self::_DOC_LENGTH_OFFSET + Self::_DOC_LENGTH_LEN],
+        );
+        if payload.len() < Self::_DOC_LENGTH_LEN + section_len as usize {
             return Ok(false);
         }
-        let _ = sections.decode(&payload[4..]);
+        let _ = sections.decode(&payload);
         self.sections = sections;
         // todo: decode checksum
         Ok(true)
@@ -455,8 +476,9 @@ impl Sections {
             0 => {
                 // Body
                 self.kind_name = "BODY".to_string();
-                let lenght = bytes::read_u32_le(&payload[1..5]);
-                if lenght != payload.len() as u32 - 1 {
+                let length = bytes::read_u32_le(&payload[1..5]);
+                // TODO: When ChecksumPresent is 1, there will be checksum in the payload
+                if length != payload.len() as u32 - 1 && length != payload.len() as u32 - 5 {
                     return Ok(false);
                 }
                 self.doc = Document::from_reader(&payload[1..]).unwrap_or(Document::default());
@@ -567,3 +589,85 @@ pub struct MongoOpUpdate {
     zero: u32,
 }
 */
+
+#[cfg(test)]
+mod tests {
+    use std::path::Path;
+    use std::rc::Rc;
+    use std::{cell::RefCell, fs};
+
+    use super::*;
+
+    use crate::{
+        common::{flow::PacketDirection, l7_protocol_log::L7PerfCache, MetaPacket},
+        flow_generator::L7_RRT_CACHE_CAPACITY,
+        utils::test::Capture,
+    };
+
+    const FILE_DIR: &str = "resources/test/flow_generator/mongo";
+
+    fn run(name: &str) -> String {
+        let capture = Capture::load_pcap(Path::new(FILE_DIR).join(name), None);
+        let log_cache = Rc::new(RefCell::new(L7PerfCache::new(L7_RRT_CACHE_CAPACITY)));
+        let mut packets = capture.as_meta_packets();
+        if packets.is_empty() {
+            return "".to_string();
+        }
+
+        let mut output: String = String::new();
+        let first_dst_port = packets[0].lookup_key.dst_port;
+        for packet in packets.iter_mut() {
+            packet.lookup_key.direction = if packet.lookup_key.dst_port == first_dst_port {
+                PacketDirection::ClientToServer
+            } else {
+                PacketDirection::ServerToClient
+            };
+            let payload = match packet.get_l4_payload() {
+                Some(p) => p,
+                None => continue,
+            };
+
+            let mut mongo = MongoDBLog::default();
+            let param = &ParseParam::new(packet as &MetaPacket, log_cache.clone(), true, true);
+
+            let is_mongo = mongo.check_payload(payload, param);
+            let info = mongo.parse_payload(payload, param);
+            if let Ok(info) = info {
+                match info.unwrap_single() {
+                    L7ProtocolInfo::MongoDBInfo(i) => {
+                        output.push_str(&format!("{:?} is_mongo: {}\r\n", i, is_mongo));
+                    }
+                    _ => unreachable!(),
+                }
+            } else {
+                output.push_str(&format!(
+                    "{:?} is_mongo: {}\r\n",
+                    MongoDBInfo::default(),
+                    is_mongo
+                ));
+            }
+        }
+        output
+    }
+
+    #[test]
+    fn check() {
+        let files = vec![("mongo.pcap", "mongo.result")];
+
+        for item in files.iter() {
+            let expected = fs::read_to_string(&Path::new(FILE_DIR).join(item.1)).unwrap();
+            let output = run(item.0);
+
+            if output != expected {
+                let output_path = Path::new("actual.txt");
+                fs::write(&output_path, &output).unwrap();
+                assert!(
+                    output == expected,
+                    "output different from expected {}, written to {:?}",
+                    item.1,
+                    output_path
+                );
+            }
+        }
+    }
+}