MySQL网络抓包审计
Tcpdump 抓包
#!/bin/bash
#this script used montor mysql network traffic.echo sql
tcpdump -i bond0 -s 0 -l -w - dst port 3366 | strings | perl -e '
while(<>) { chomp; next if /^[^ ]+[ ]*$/;
if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER|CALL)/i)
{
if (defined $q) { print "$q\n"; }
$q=$_;
} else {
$_ =~ s/^[ \t]+//; $q.=" $_";
}
}'
1
2
3
4
5
6
7
8
9
10
11
12
2
3
4
5
6
7
8
9
10
11
12
vc-mysql-sniffer抓包
yum install cmake
yum install libpcap-devel
yum install glib2-devel
yum install libnet-devel
1
2
3
4
2
3
4
git clone https://github.com/Qihoo360/mysql-sniffer.git
cd mysql-sniffer
mkdir proj
cd proj
cmake ../
make
在bin目录下面生成了:
mysql-sniffer
1
2
3
4
5
6
7
8
2
3
4
5
6
7
8
$ sudo ./vc-mysql-sniffer --help
vc-mysql-sniffer is a utility from VividCortex to monitor query activity and write results to a file.
See --license for the terms governing your usage of this program.
-binding="[::]:3306" This is a list of comma separated bind strings as seen in /proc/net/tcp
-help="false" Show this usage message
-help-json="false" Show this usage message as JSON
-license="false" Print the usage terms of this program
-output="" Filepath to output queries to. Defaults to stdout if none specified.
-show-database="false" Include a 'USE `database`' for every statement. Supersedes show-database-changes.
-show-database-changes="true"
Include a 'USE `database`' every time the database is changed.
-verbose="false" Enable logging on program startup to stderr
-version="false" Show version and exit
Flag Current value
--------------------------------------------
-binding "[::]:3306"
-help "true"
-help-json "false"
-license "false"
-output ""
-show-database "false"
-show-database-changes "true"
-verbose "false"
-version "false"
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
上次更新: 4/24/2025