MySQL Sniffer 是360开源的一个基于 MySQL 协议的抓包工具, 能实时抓取客户端端请求,并格式化输出操作语句,操作十分简单。
对于问题的定位,操作的审核是个不错的利器。
Github地址:https://github.com/Qihoo360/mysql-sniffer
安装
# yum install glib2-devel libpcap-devel libnet-devel
# unzip mysql-sniffer-master.zip
# cd mysql-sniffer-master
# cmake .
-- Configuring done
-- Generating done
-- Build files have been written to: /root/mysql-sniffer-master
# make
Scanning dependencies of target mysql-sniffer
[ %] Building C object bin/CMakeFiles/mysql-sniffer.dir/main.c.o
[ %] Building C object bin/CMakeFiles/mysql-sniffer.dir/mysql-dissector.c.o
/root/mysql-sniffer-master/src/mysql-dissector.c: In function ‘decode_mysql_lenenc_int’:
/root/mysql-sniffer-master/src/mysql-dissector.c:: warning: dereferencing type-punned pointer will break strict-aliasing rules
[ %] Building C object bin/CMakeFiles/mysql-sniffer.dir/util.c.o
[ %] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/session.cpp.o
[ %] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/sniff-config.cpp.o
[%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/sniff-log.cpp.o
Linking CXX executable mysql-sniffer
[%] Built target mysql-sniffer
# cd bin/
# ls
CMakeFiles cmake_install.cmake Makefile mysql-sniffer
参数说明
参数说明也是简明易懂。
# ./mysql-sniffer -help
Usage ./mysql-sniffer [-d] -i eth0 -p ,, -l /var/log/mysql-sniffer/ -e stderr
[-d] -i eth0 -r -
-d daemon mode.
-s how often to split the log file(minute, eg. ). if less than , split log everyday
-i interface. Default to eth0
-p port, default to . Multiple ports should be splited by ','. eg. ,
this option has no effect when -f is set.
-r port range, Don't use -r and -p at the same time
-l query log DIRECTORY. Make sure that the directory is accessible. Default to stdout.
-e error log FILENAME or 'stderr'. if set to /dev/null, runtime error will not be recorded
-f filename. use pcap file instead capturing the network interface
-w white list. dont capture the port. Multiple ports should be splited by ','.
-t truncation length. truncate long query if it's longer than specified length. Less than 0 means no truncation
-n keeping tcp stream count, if not set, default is . if active tcp count is larger than the specified count, mysql-sniffer will remove the oldest one
示例
# ./mysql-sniffer -i eth0 -p 3306
其中,倒数第二列是返回数据的行数。
-- :: root 192.168.244.20 NULL 0ms select @@version_comment limit
-- :: root 192.168.244.20 NULL 0ms select USER()
-- :: root 192.168.244.20 NULL 0ms select
-- :: root 192.168.244.20 NULL 0ms SELECT DATABASE()
-- :: root 192.168.244.20 test 24ms use test
-- :: root 192.168.244.20 test 172ms show databases
-- :: root 192.168.244.20 test 0ms show tables
-- :: root 192.168.244.20 test 0ms show tables
-- :: root 192.168.244.20 test 58ms select * from test1
-- :: root 192.168.244.20 test 0ms SELECT DATABASE()
-- :: root 192.168.244.20 test 0ms use test
注意
1. 只能抓取新建的链接,如果是之前创建的链接将获取不到用户名和库名,并有一定几率丢包。
2. 如果客户端是在本地,如果走的是tcp连接的话,如mysql -h 192.168.244.10 -uroot -p123456,其中192.168.244.10是本地主机ip,
则只能通过回环地址来捕捉,./mysql-sniffer -i lo -p 3306
参考
https://github.com/Qihoo360/mysql-sniffer/blob/master/README_CN.md