MySQL Sniffer 是360開源的一個基於 MySQL 協議的抓包工具, 能實時抓取客戶端端請求,並格式化輸出操作語句,操作十分簡單。
對於問題的定位,操作的審核是個不錯的利器。
Github地址:https://github.com/Qihoo360/mysql-sniffer
安裝
# yum install glib2-devel libpcap-devel libnet-devel
# unzip mysql-sniffer-master.zip
# cd mysql-sniffer-master
# cmake .
-- Configuring done -- Generating done -- Build files have been written to: /root/mysql-sniffer-master
# make
Scanning dependencies of target mysql-sniffer [ 16%] Building C object bin/CMakeFiles/mysql-sniffer.dir/main.c.o [ 33%] Building C object bin/CMakeFiles/mysql-sniffer.dir/mysql-dissector.c.o /root/mysql-sniffer-master/src/mysql-dissector.c: In function ‘decode_mysql_lenenc_int’: /root/mysql-sniffer-master/src/mysql-dissector.c:112: warning: dereferencing type-punned pointer will break strict-aliasing rules [ 50%] Building C object bin/CMakeFiles/mysql-sniffer.dir/util.c.o [ 66%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/session.cpp.o [ 83%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/sniff-config.cpp.o [100%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/sniff-log.cpp.o Linking CXX executable mysql-sniffer [100%] Built target mysql-sniffer
# cd bin/
# ls
CMakeFiles cmake_install.cmake Makefile mysql-sniffer
參數說明
參數說明也是簡明易懂。
# ./mysql-sniffer -help Usage ./mysql-sniffer [-d] -i eth0 -p 3306,3307,3308 -l /var/log/mysql-sniffer/ -e stderr [-d] -i eth0 -r 3000-4000 -d daemon mode. -s how often to split the log file(minute, eg. 1440). if less than 0, split log everyday -i interface. Default to eth0 -p port, default to 3306. Multiple ports should be splited by ','. eg. 3306,3307 this option has no effect when -f is set. -r port range, Don't use -r and -p at the same time -l query log DIRECTORY. Make sure that the directory is accessible. Default to stdout. -e error log FILENAME or 'stderr'. if set to /dev/null, runtime error will not be recorded -f filename. use pcap file instead capturing the network interface -w white list. dont capture the port. Multiple ports should be splited by ','. -t truncation length. truncate long query if it's longer than specified length. Less than 0 means no truncation -n keeping tcp stream count, if not set, default is 65536. if active tcp count is larger than the specified count, mysql-sniffer will remove the oldest one
示例
# ./mysql-sniffer -i eth0 -p 3306
其中,倒數第二列是返回數據的行數。
2017-03-08 11:00:08 root 192.168.244.20 NULL 0ms 1 select @@version_comment limit 1 2017-03-08 11:00:08 root 192.168.244.20 NULL 0ms 1 select USER() 2017-03-08 11:00:10 root 192.168.244.20 NULL 0ms 1 select 1 2017-03-08 11:01:46 root 192.168.244.20 NULL 0ms 1 SELECT DATABASE() 2017-03-08 11:01:46 root 192.168.244.20 test 24ms 0 use test 2017-03-08 11:01:46 root 192.168.244.20 test 172ms 14 show databases 2017-03-08 11:01:46 root 192.168.244.20 test 0ms 20 show tables 2017-03-08 11:01:52 root 192.168.244.20 test 0ms 20 show tables 2017-03-08 11:01:57 root 192.168.244.20 test 58ms 9 select * from test1 2017-03-08 11:02:17 root 192.168.244.20 test 0ms 1 SELECT DATABASE() 2017-03-08 11:02:17 root 192.168.244.20 test 0ms 0 use test
注意
1. 只能抓取新建的鏈接,如果是之前創建的鏈接將獲取不到用戶名和庫名,並有一定幾率丟包。
2. 如果客戶端是在本地,如果走的是tcp連接的話,如mysql -h 192.168.244.10 -uroot -p123456,其中192.168.244.10是本地主機ip,
則只能通過回環地址來捕捉,./mysql-sniffer -i lo -p 3306
參考
https://github.com/Qihoo360/mysql-sniffer/blob/master/README_CN.md