The command is as follows:
ngrep -x -q -t -d lo '' 'port 13307'
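-x  display packet contents in hexadecimal
-q  quiet mode; without this switch, every non-matching packet is shown as "#"
-t  show the packet timestamp
-d  device (interface) name
Here lo is the network interface and 13307 is the port; adjust both as needed.
Below is the network exchange captured with ngrep while a client connects to mysqld: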
ashe@ubuntu:~$ sudo ngrep -t -x -q -d lo '' 'port 13307'
interface: lo (127.0.0.0/255.0.0.0)
filter: (ip or ip6) and ( port 13307 )
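# After the TCP three-way handshake establishes the connection, the server (mysqld) responds with its handshake packet, sending the current database version and a random string to the client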
T 2019/02/13 15:10:38.624835 127.0.0.1:13307 -> 127.0.0.1:42470 [AP]
54 00 00 00 0a 35 2e 37 2e 31 38 2d 64 65 62 75 T....5.7.18-debu
67 2d 6c 6f 67 00 07 00 00 00 2b 3e 37 79 4e 71 g-log.....+>7yNq
14 14 00 ff f7 2d 02 00 ff 81 15 00 00 00 00 00 .....-..........
00 00 00 00 00 25 53 1f 0b 6c 2b 6b 18 06 67 3e .....%S..l+k..g>
13 00 6d 79 73 71 6c 5f 6e 61 74 69 76 65 5f 70 ..mysql_native_p
61 73 73 77 6f 72 64 00 assword.
# The client replies with the username and the encrypted password
T 2019/02/13 15:10:38.624944 127.0.0.1:42470 -> 127.0.0.1:13307 [AP]
b7 00 00 01 05 a6 ff 01 00 00 00 01 21 00 00 00 ............!...
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 61 73 68 65 00 14 98 fd b6 fb 61 e7 ....ashe......a.
67 00 90 9e fa 88 ba b0 25 7c 35 d7 29 94 6d 79 g.......%|5.).my
73 71 6c 5f 6e 61 74 69 76 65 5f 70 61 73 73 77 sql_native_passw
6f 72 64 00 66 03 5f 6f 73 05 4c 69 6e 75 78 0c ord.f._os.Linux.
5f 63 6c 69 65 6e 74 5f 6e 61 6d 65 08 6c 69 62 _client_name.lib
6d 79 73 71 6c 04 5f 70 69 64 05 31 30 39 38 37 mysql._pid.10987
0f 5f 63 6c 69 65 6e 74 5f 76 65 72 73 69 6f 6e ._client_version
06 35 2e 37 2e 31 38 09 5f 70 6c 61 74 66 6f 72 .5.7.18._platfor
6d 06 78 38 36 5f 36 34 0c 70 72 6f 67 72 61 6d m.x86_64.program
5f 6e 61 6d 65 05 6d 79 73 71 6c _name.mysql
# If mysqld accepts the password, it replies with an OK_Packet.
T 2019/02/13 15:10:38.625095 127.0.0.1:13307 -> 127.0.0.1:42470 [AP]
07 00 00 02 00 00 00 02 00 00 00 ...........
# The mysql client normally sends a select @@version query automatically (select @@version_comment limit 1 in this capture).
T 2019/02/13 15:10:38.625224 127.0.0.1:42470 -> 127.0.0.1:13307 [AP]
21 00 00 00 03 73 65 6c 65 63 74 20 40 40 76 65 !....select @@ve
72 73 69 6f 6e 5f 63 6f 6d 6d 65 6e 74 20 6c 69 rsion_comment li
6d 69 74 20 31 mit 1
# mysqld responds to the query.
T 2019/02/13 15:10:38.625516 127.0.0.1:13307 -> 127.0.0.1:42470 [AP]
01 00 00 01 01 27 00 00 02 03 64 65 66 00 00 00 .....'....def...
11 40 40 76 65 72 73 69 6f 6e 5f 63 6f 6d 6d 65 .@@version_comme
6e 74 00 0c 21 00 39 00 00 00 fd 00 00 1f 00 00 nt..!.9.........
14 00 00 03 13 53 6f 75 72 63 65 20 64 69 73 74 .....Source dist
72 69 62 75 74 69 6f 6e 07 00 00 04 fe 00 00 02 ribution........
00 00 00 ...
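
The first two packets of the capture above can be decoded field by field to see what anyone able to sniff this port learns from a login, and whether TLS was negotiated. This is an added example, not part of the original post; the byte strings are copied from the capture, while the function names and the CLIENT_SSL constant name are assumptions of this sketch (the 0x0800 bit is the MySQL protocol's SSL capability flag).

```python
import struct

# Bytes copied from the capture above; LOGIN is cut after the auth response.
GREETING = bytes.fromhex(
    "54 00 00 00 0a 35 2e 37 2e 31 38 2d 64 65 62 75"
    "67 2d 6c 6f 67 00 07 00 00 00 2b 3e 37 79 4e 71"
    "14 14 00 ff f7 2d 02 00 ff 81 15 00 00 00 00 00"
    "00 00 00 00 00 25 53 1f 0b 6c 2b 6b 18 06 67 3e"
    "13 00 6d 79 73 71 6c 5f 6e 61 74 69 76 65 5f 70"
    "61 73 73 77 6f 72 64 00")
LOGIN = bytes.fromhex(
    "b7 00 00 01 05 a6 ff 01 00 00 00 01 21 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 61 73 68 65 00 14 98 fd b6 fb 61 e7"
    "67 00 90 9e fa 88 ba b0 25 7c 35 d7 29 94")
CLIENT_SSL = 0x0800  # capability bit: TLS offered (server) / requested (client)

def cstr(buf, pos):  # NUL-terminated string -> (text, offset after the NUL)
    end = buf.index(b"\0", pos)
    return buf[pos:end].decode(), end + 1

def parse_greeting(pkt):  # HandshakeV10: 3-byte LE length, sequence byte, payload
    length = int.from_bytes(pkt[:3], "little")
    body = pkt[4:4 + length]
    if len(body) != length or body[:1] != b"\x0a":
        raise ValueError("not a complete HandshakeV10 packet")
    version, p = cstr(body, 1)
    fmt = "<I8sxHBHHB"  # conn id, salt1, filler, caps low, charset, status, caps high, salt len
    _id, salt1, cap_lo, _cs, _st, cap_hi, salt_len = struct.unpack_from(fmt, body, p)
    p += struct.calcsize(fmt) + 10  # skip 10 reserved bytes -> salt part 2
    plugin, _ = cstr(body, p + max(13, salt_len - 8))
    return {"version": version, "plugin": plugin, "caps": cap_hi << 16 | cap_lo,
            "salt": (salt1 + body[p:])[:salt_len - 1]}  # drop the trailing NUL

def parse_login(pkt):
    # Client HandshakeResponse41: caps(4) max packet(4) charset(1) filler(23) user\0 len auth
    caps, = struct.unpack_from("<I", pkt, 4)
    user, p = cstr(pkt, 4 + 9 + 23)
    return {"caps": caps, "user": user, "auth_response": pkt[p + 1:p + 1 + pkt[p]]}

def audit(greeting, login):  # what a passive observer of this login learns
    g, c = parse_greeting(greeting), parse_login(login)
    return {"server_version": g["version"], "plugin": g["plugin"], "user": c["user"],
            "salt": g["salt"].hex(), "auth_response": c["auth_response"].hex(),
            "server_offers_tls": bool(g["caps"] & CLIENT_SSL),
            "client_requested_tls": bool(c["caps"] & CLIENT_SSL)}

if __name__ == "__main__":
    print(audit(GREETING, LOGIN))
```

Both TLS flags come back False for this capture, which is why ngrep can read the server version, the username, the random string and the password response directly off the wire.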