MySQL Sniffer抓包入门
2018-12-30 本文已影响7人
testerzhang
简介
MySQL Sniffer 是一个基于 MySQL 协议的抓包工具,实时抓取 MySQLServer 端或 Client 端请求,并格式化输出。输出内容包括访问时间、访问用户、来源 IP、访问 Database、命令耗时、返回数据行数、执行语句等。有批量抓取多个端口,后台运行,日志分割等多种使用方式,操作便捷,输出友好。
安装依赖包:
官方文档建议使用glib2-devel(2.28.8)、libpcap-devel(1.4.0)、libnet-devel(1.1.6)
本次以CentOS release 6.5 (Final)为例
$ yum install cmake
$ yum install libpcap-devel
$ yum install glib2-devel
$ yum install libnet-devel
下载
github 地址:https://github.com/Qihoo360/mysql-sniffer
$ git clone https://github.com/Qihoo360/mysql-sniffer
编译
$ cd mysql-sniffer
$ mkdir proj
$ cd proj
$ cmake ../
$ make
$ cd bin/
使用
# # ./mysql-sniffer -h
Usage ./mysql-sniffer [-d] -i eth0 -p 3306,3307,3308 -l /var/log/mysql-sniffer/ -e stderr
[-d] -i eth0 -r 3000-4000
-d daemon mode.
-s how often to split the log file(minute, eg. 1440). if less than 0, split log everyday
-i interface. Default to eth0
-p port, default to 3306. Multiple ports should be splited by ','. eg. 3306,3307
this option has no effect when -f is set.
-r port range, Don't use -r and -p at the same time
-l query log DIRECTORY. Make sure that the directory is accessible. Default to stdout.
-e error log FILENAME or 'stderr'. if set to /dev/null, runtime error will not be recorded
-f filename. use pcap file instead capturing the network interface
-w white list. dont capture the port. Multiple ports should be splited by ','.
-t truncation length. truncate long query if it's longer than specified length. Less than 0 means no truncation
-n keeping tcp stream count, if not set, default is 65536. if active tcp count is larger than the specified count, mysql-sniffer will remove the oldest one
示例
- 实时抓取某端口信息并打印到屏幕
输出格式为:时间,访问用户,来源 IP,访问 Database,命令耗时,返回数据行数,执行语句。
# mysql-sniffer -i eth0 -p 3306
- 实时抓取某端口信息并打印到文件
-l 指定日志输出路径,日志文件将以 port.log 命名。
# mysql-sniffer -i eth0 -p 3306 -l /tmp
- 实时抓取多个端口信息并打印到文件
-l 指定日志输出路径,-p 指定需要抓取的端口列表逗号分割。日志文件将以各自 port.log 命名。
# mysql-sniffer -i eth0 -p 3306,3307,3310 -l /tmp
补充说明:
抓包的时候是针对刚建立的链接抓取的报文,如果已经建立起来的链接无法获取执行sql
