我正在尝试监控 mysql 数据库的所有传入连接。我使用过
tcpdump port 3306 and '(tcp-syn|tcp-ack)!=0'
目前显示的是连接,但是有没有办法也看到它正在发送/接收什么?
目前我看到的是:
11:45:43.275498 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [.], ack 1780, win 248, options [nop,nop,TS val 2559781727 ecr 625071366], length 0
11:45:43.277761 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [P.], seq 519:538, ack 1780, win 248, options [nop,nop,TS val 2559781729 ecr 625071366], length 19
11:45:43.277799 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-41-109.ec2.internal.60718: Flags [P.], seq 32662:32900, ack 1, win 219, options [nop,nop,TS val 2559781729 ecr 2559505629], length 238
11:45:43.278331 IP ip-10-0-41-109.ec2.internal.60718 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 32900, win 24565, options [nop,nop,TS val 2559505675 ecr 2559781729], length 0
11:45:43.278345 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [P.], seq 1780:1989, ack 538, win 211, options [nop,nop,TS val 625071368 ecr 2559781729], length 209
11:45:43.280364 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [P.], seq 538:596, ack 1989, win 258, options [nop,nop,TS val 2559781732 ecr 625071368], length 58
11:45:43.280375 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-41-109.ec2.internal.60718: Flags [P.], seq 32900:33171, ack 1, win 219, options [nop,nop,TS val 2559781732 ecr 2559505675], length 271
11:45:43.280971 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [P.], seq 1989:1994, ack 596, win 211, options [nop,nop,TS val 625071371 ecr 2559781732], length 5
11:45:43.280983 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [F.], seq 1994, ack 596, win 211, options [nop,nop,TS val 625071371 ecr 2559781732], length 0
11:45:43.281003 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [F.], seq 596, ack 1995, win 258, options [nop,nop,TS val 2559781733 ecr 625071371], length 0
11:45:43.281011 IP ip-10-0-41-109.ec2.internal.60718 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 33171, win 24565, options [nop,nop,TS val 2559505677 ecr 2559781732], length 0
11:45:43.281553 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 597, win 211, options [nop,nop,TS val 625071372 ecr 2559781733], length 0
我希望的是这样的:
11:45:43.281011 IP ip-10-0-41-109.ec2.internal.60718 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 33171, win 24565, options [nop,nop,TS val 2559505677 ecr 2559781732], length 0 'select userid from users where email = '[email protected]''
11:45:43.277799 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-41-109.ec2.internal.60718: Flags [P.], seq 32662:32900, ack 1, win 219, options [nop,nop,TS val 2559781729 ecr 2559505629], length 238 '1234'
最后的值是数据库正在处理/返回的值
答案1
如果我理解正确的话,您想要的是查看通信中发送的有效载荷。
我不知道客户端和 mySQL 服务器之间的通信是否加密,但如果没有,您可以向 tcdump 命令添加更多参数。
尝试这样的方法
tcpdump -vv port 3306 and '(tcp-syn|tcp-ack)!=0' -nnttttA
这应该以 ASCII 格式显示有效载荷