Skip to content

Instantly share code, notes, and snippets.

@rebx
Created September 29, 2011 06:25
Show Gist options
  • Save rebx/1250106 to your computer and use it in GitHub Desktop.
Save rebx/1250106 to your computer and use it in GitHub Desktop.
tshark'ing mysql
live:
tshark -i eth0 -aduration:60 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'
capture:
tcpdump -i eth0 port 3306 -s 1500 -w tcpdump.out
tshark -r tcpdump.out -d tcp.port==3306,mysql -T fields -e mysql.query > query_log.out
@zhugw
Copy link

zhugw commented Jul 4, 2016

hi, I used your live way to capture mysql query sql, but nothing output

# terminal 1
tshark -i lo0 -d tcp.port==3306,mysql -T fields -e mysql.query 'port 3306'
Capturing on 'Loopback'

# then in another terminal 2
mysql -h127.0.0.1 -u root -p
select version();
 select now();

#then I found only output some blank line in terminal 1.

Then I tried another tshark command

# terminal 1
tshark -i lo0 -d tcp.port==3306,mysql
Capturing on 'Loopback'

#terminal 2
mysql -h127.0.0.1 -u root -p12345678

#this time in terminal 1 have many output
1   0.000000    127.0.0.1 -> 127.0.0.1    TCP 68 56504 → 3306 [SYN] Seq=0 Win=65535 Len=0 MSS=16344 WS=32 TSval=1064383195 TSecr=0 SACK_PERM=1
  2   0.000052    127.0.0.1 -> 127.0.0.1    TCP 68 3306 → 56504 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=16344 WS=32 TSval=1064383195 TSecr=1064383195 SACK_PERM=1
  3   0.000061    127.0.0.1 -> 127.0.0.1    TCP 56 56504 → 3306 [ACK] Seq=1 Ack=1 Win=408288 Len=0 TSval=1064383195 TSecr=1064383195
  4   0.000072    127.0.0.1 -> 127.0.0.1    TCP 56 [TCP Window Update] 3306 → 56504 [ACK] Seq=1 Ack=1 Win=408288 Len=0 TSval=1064383195 TSecr=1064383195
  5   0.000201    127.0.0.1 -> 127.0.0.1    MySQL 134 Server Greeting proto=10 version=5.7.12
  6   0.000222    127.0.0.1 -> 127.0.0.1    TCP 56 56504 → 3306 [ACK] Seq=1 Ack=79 Win=408192 Len=0 TSval=1064383195 TSecr=1064383195
  7   0.000243    127.0.0.1 -> 127.0.0.1    MySQL 92 Response: SSL Handshake user=
  8   0.000266    127.0.0.1 -> 127.0.0.1    TCP 56 3306 → 56504 [ACK] Seq=79 Ack=37 Win=408256 Len=0 TSval=1064383195 TSecr=1064383195
  9   0.010150    127.0.0.1 -> 127.0.0.1    SSL 301 Client Hello
 10   0.010178    127.0.0.1 -> 127.0.0.1    TCP 56 3306 → 56504 [ACK] Seq=79 Ack=282 Win=408000 Len=0 TSval=1064383205 TSecr=1064383205
 11   0.015998    127.0.0.1 -> 127.0.0.1    TLSv1.2 2486 Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done
 12   0.016029    127.0.0.1 -> 127.0.0.1    TCP 56 56504 → 3306 [ACK] Seq=282 Ack=2509 Win=405792 Len=0 TSval=1064383210 TSecr=1064383210
 13   0.023262    127.0.0.1 -> 127.0.0.1    TLSv1.2 386 Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
 14   0.023279    127.0.0.1 -> 127.0.0.1    TCP 56 3306 → 56504 [ACK] Seq=2509 Ack=612 Win=407680 Len=0 TSval=1064383217 TSecr=1064383217
 15   0.026684    127.0.0.1 -> 127.0.0.1    TLSv1.2 282 New Session Ticket, Change Cipher Spec, Encrypted Handshake Message
 16   0.026731    127.0.0.1 -> 127.0.0.1    TCP 56 56504 → 3306 [ACK] Seq=612 Ack=2735 Win=405536 Len=0 TSval=1064383220 TSecr=1064383220
 17   0.026810    127.0.0.1 -> 127.0.0.1    TLSv1.2 275 Application Data
...

So do you know why the first command cannot have any valid output?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment