mysqlsniff.pl: MySQL query sniffer
Version 0.10
Usage: mysqlsniff.pl [interface]
The interface argument is optional and defaults to the interface returned by Net::Pcap::lookupdev().
mysqlsniff.pl is a query sniffer for MySQL. It sniffs the network with pcap, extracts queries from MySQL packets, and prints them on standard output.
See: http://www.redferni.uklinux.net/mysql/MySQL-Protocol.html
COM_QUERY packets look like this:
0f 00 00 00
03
"show databases"
The first three bytes are the length; the fourth is the packet number for this transaction. I'm ignoring the packet number and only looking at the length, to make sure it's nonzero before continuing.
The fifth byte is the command type. QUERY is 03. (A complete list can be found in the MySQL header files.)
The rest (in the case of QUERY packets) is the query string.
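The packet layout described above, as an added Python example (not mysqlsniff.pl's own Perl code). It goes slightly beyond the single packet shown by walking every packet in one TCP payload and stopping at an empty or truncated one; the names extract_queries and SAMPLE are hypothetical, and the payload is assumed to be client-to-server data starting on a packet boundary.

```python
COM_QUERY = 0x03  # command type for QUERY, per the description above
COM_QUIT = 0x01   # another client command, used only in the sample data


def extract_queries(payload):
    """Return the query strings of all COM_QUERY packets in one TCP payload.

    Assumes the payload is client-to-server data starting on a packet boundary.
    """
    queries = []
    offset = 0
    while offset + 4 <= len(payload):
        # Header: 3-byte little-endian length, then 1-byte packet number.
        length = int.from_bytes(payload[offset:offset + 3], "little")
        body = payload[offset + 4:offset + 4 + length]
        if length == 0 or len(body) < length:
            break  # empty or truncated packet: nothing more to trust
        if body[0] == COM_QUERY:
            # Everything after the command byte is the query string.
            queries.append(body[1:].decode("utf-8", errors="replace"))
        offset += 4 + length
    return queries


# Constructed sample: the COM_QUERY packet shown above, then a COM_QUIT packet.
SAMPLE = (bytes.fromhex("0f00000003") + b"show databases"
          + bytes.fromhex("01000000") + bytes([COM_QUIT]))

if __name__ == "__main__":
    for query in extract_queries(SAMPLE):
        print(query)
```

Queries are recoverable this way only when the client-server connection is not encrypted, which makes the same parser useful for checking whether a given link exposes SQL in cleartext.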
Ian Kilgore <ian AT icontact.com>
Copyright 2007 iContact, all rights reserved.
This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.