我正在嘗試監視 mysql 資料庫的所有傳入連線。我用過
tcpdump port 3306 and '(tcp-syn|tcp-ack)!=0'
目前正在顯示連接,但有沒有辦法也可以查看它正在發送/接收的內容?
目前我看到:
11:45:43.275498 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [.], ack 1780, win 248, options [nop,nop,TS val 2559781727 ecr 625071366], length 0
11:45:43.277761 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [P.], seq 519:538, ack 1780, win 248, options [nop,nop,TS val 2559781729 ecr 625071366], length 19
11:45:43.277799 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-41-109.ec2.internal.60718: Flags [P.], seq 32662:32900, ack 1, win 219, options [nop,nop,TS val 2559781729 ecr 2559505629], length 238
11:45:43.278331 IP ip-10-0-41-109.ec2.internal.60718 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 32900, win 24565, options [nop,nop,TS val 2559505675 ecr 2559781729], length 0
11:45:43.278345 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [P.], seq 1780:1989, ack 538, win 211, options [nop,nop,TS val 625071368 ecr 2559781729], length 209
11:45:43.280364 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [P.], seq 538:596, ack 1989, win 258, options [nop,nop,TS val 2559781732 ecr 625071368], length 58
11:45:43.280375 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-41-109.ec2.internal.60718: Flags [P.], seq 32900:33171, ack 1, win 219, options [nop,nop,TS val 2559781732 ecr 2559505675], length 271
11:45:43.280971 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [P.], seq 1989:1994, ack 596, win 211, options [nop,nop,TS val 625071371 ecr 2559781732], length 5
11:45:43.280983 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [F.], seq 1994, ack 596, win 211, options [nop,nop,TS val 625071371 ecr 2559781732], length 0
11:45:43.281003 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-21-17.ec2.internal.35522: Flags [F.], seq 596, ack 1995, win 258, options [nop,nop,TS val 2559781733 ecr 625071371], length 0
11:45:43.281011 IP ip-10-0-41-109.ec2.internal.60718 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 33171, win 24565, options [nop,nop,TS val 2559505677 ecr 2559781732], length 0
11:45:43.281553 IP ip-10-0-21-17.ec2.internal.35522 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 597, win 211, options [nop,nop,TS val 625071372 ecr 2559781733], length 0
我希望有這樣的事情:
11:45:43.281011 IP ip-10-0-41-109.ec2.internal.60718 > ip-10-0-40-123.ec2.internal.mysql: Flags [.], ack 33171, win 24565, options [nop,nop,TS val 2559505677 ecr 2559781732], length 0 'select userid from users where email = '[email protected]''
11:45:43.277799 IP ip-10-0-40-123.ec2.internal.mysql > ip-10-0-41-109.ec2.internal.60718: Flags [P.], seq 32662:32900, ack 1, win 219, options [nop,nop,TS val 2559781729 ecr 2559505629], length 238 '1234'
其中最後一個值是資料庫正在處理/傳回的值
答案1
如果我理解正確的話,您想要的是查看通訊中發送的有效負載。
我不知道客戶端和 mySQL 伺服器之間的通訊是否已加密,但如果不是,您可以為 tcdump 命令添加更多參數。
嘗試這樣的事情
tcpdump -vv port 3306 and '(tcp-syn|tcp-ack)!=0' -nnttttA
這應該以 ASCII 形式顯示有效負載