mysql sniffer 安装_MySQL Sniffer

MySQL Sniffer 是360开源的一个基于 MySQL 协议的抓包工具, 能实时抓取客户端端请求，并格式化输出操作语句，操作十分简单。

对于问题的定位，操作的审核是个不错的利器。

安装

# yum install glib2-devel libpcap-devel libnet-devel

# unzip mysql-sniffer-master.zip

# cd mysql-sniffer-master

# cmake .

--Configuring done--Generating done-- Build files have been written to: /root/mysql-sniffer-master

# make

Scanning dependencies of target mysql-sniffer

[16%] Building C object bin/CMakeFiles/mysql-sniffer.dir/main.c.o

[33%] Building C object bin/CMakeFiles/mysql-sniffer.dir/mysql-dissector.c.o/root/mysql-sniffer-master/src/mysql-dissector.c: In function ‘decode_mysql_lenenc_int’:/root/mysql-sniffer-master/src/mysql-dissector.c:112: warning: dereferencing type-punned pointer will break strict-aliasing rules

[50%] Building C object bin/CMakeFiles/mysql-sniffer.dir/util.c.o

[66%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/session.cpp.o

[83%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/sniff-config.cpp.o

[100%] Building CXX object bin/CMakeFiles/mysql-sniffer.dir/sniff-log.cpp.o

Linking CXX executable mysql-sniffer

[100%] Built target mysql-sniffer

# cd bin/

# ls

CMakeFiles cmake_install.cmake Makefile mysql-sniffer

参数说明

参数说明也是简明易懂。

# ./mysql-sniffer -help

Usage ./mysql-sniffer [-d] -i eth0 -p 3306,3307,3308 -l /var/log/mysql-sniffer/ -e stderr

[-d] -i eth0 -r 3000-4000

-d daemon mode.-s how often to split the log file(minute, eg. 1440). if less than 0, split log everyday-i interface. Default to eth0-p port, default to 3306. Multiple ports should be splited by ','. eg. 3306,3307

this option has no effect when -f is set.-r port range, Don't use -r and -p at the same time

-l query log DIRECTORY. Make sure that the directory isaccessible. Default to stdout.-e error log FILENAME or 'stderr'. if set to /dev/null, runtime error will not be recorded-f filename. use pcap file instead capturing the network interface

-w white list. dont capture the port. Multiple ports should be splited by ','.-t truncation length. truncate long query if it's longer than specified length. Less than 0 means no truncation

-n keeping tcp stream count, if not set, default is 65536. if active tcp count is larger than the specified count, mysql-sniffer will remove the oldest one

示例

# ./mysql-sniffer -i eth0 -p 3306

其中，倒数第二列是返回数据的行数。

2017-03-08 11:00:08 root 192.168.244.20 NULL 0ms 1 select @@version_comment limit 1

2017-03-08 11:00:08 root 192.168.244.20 NULL 0ms 1 selectUSER()2017-03-08 11:00:10 root 192.168.244.20 NULL 0ms 1 select 1

2017-03-08 11:01:46 root 192.168.244.20 NULL 0ms 1SELECT DATABASE()2017-03-08 11:01:46 root 192.168.244.20 test 24ms 0use test2017-03-08 11:01:46 root 192.168.244.20 test 172ms 14show databases2017-03-08 11:01:46 root 192.168.244.20 test 0ms 20show tables2017-03-08 11:01:52 root 192.168.244.20 test 0ms 20show tables2017-03-08 11:01:57 root 192.168.244.20 test 58ms 9 select * fromtest12017-03-08 11:02:17 root 192.168.244.20 test 0ms 1SELECT DATABASE()2017-03-08 11:02:17 root 192.168.244.20 test 0ms 0 use test

注意

1. 只能抓取新建的链接，如果是之前创建的链接将获取不到用户名和库名，并有一定几率丢包。

2. 如果客户端是在本地，如果走的是tcp连接的话，如mysql -h 192.168.244.10 -uroot -p123456，其中192.168.244.10是本地主机ip，

则只能通过回环地址来捕捉，./mysql-sniffer -i lo -p 3306

参考