What is tcpdump
Tcpdump prints out the headers of packets on a network interface that match the boolean expression.
Common options
-w writes the captured packets to a file, and -r reads packets back from the specified file
-c exit automatically after receiving the specified number of packets
-i the network interface to listen on
-n do not resolve IP addresses to host names
Capture by type
host (default) / net / port
Capture by direction
src / dst / dst or src (default) / dst and src
Capture by protocol
fddi / ip / arp / rarp / tcp / udp
Logical operators
Negation: not or !
Conjunction: and or &&
Disjunction: or or ||
Concrete syntax
Capture the traffic between host A and either host B or host C
tcpdump host A and \(B or C\)
Capture all IP packets to or from host A except those exchanged with host B
tcpdump ip host A and ! B
Capture the telnet packets received by host A
tcpdump tcp port 23 and dst host A
Cases
1. Automatically catch a long-running transaction from a shell script and trace it with tcpdump
#!/bin/bash
# Begin by deleting things more than 7 days old
find /root/tcpdumps/ -type f -mtime +7 -exec rm -f '{}' \;
# Bail out if the disk is more than this %full.
PCT_THRESHOLD=95
# Bail out if the disk has less than this many MB free.
MB_THRESHOLD=100
# Make sure the disk isn't getting too full.
avail=$(df -m -P /root/tcpdumps/ | awk '/^\//{print $4}')
full=$(df -m -P /root/tcpdumps/ | awk '/^\//{print $5}' | sed -e 's/%//g')
if [ "${avail}" -le "${MB_THRESHOLD}" -o "${full}" -ge "${PCT_THRESHOLD}" ]; then
  echo "Exiting, not enough free space (${full}%, ${avail}MB free)" >&2
  exit 1
fi
# Find the client (address:port) whose transaction is currently blocking others.
host=$(mysql -ss -e 'SELECT p.HOST FROM information_schema.innodb_lock_waits w INNER JOIN information_schema.innodb_trx b ON b.trx_id = w.blocking_trx_id INNER JOIN information_schema.processlist p ON b.trx_mysql_thread_id = p.ID LIMIT 1')
if [ "${host}" ]; then
  echo "Host ${host} is blocking"
  # The client's source port identifies that one connection on the wire.
  port=$(echo "${host}" | cut -d: -f2)
  # Capture only that connection's MySQL traffic, in the background, for 30 seconds.
  tcpdump -i eth0 -s 65535 -x -nn -q -tttt port 3306 and port "${port}" > /root/tcpdumps/$(date +%s)-tcpdump &
  pid=$!
  # Snapshot the InnoDB and thread state alongside the capture
  # (SHOW ENGINE INNODB STATUS is the form accepted by current servers).
  mysql -e 'show engine innodb status\Gshow full processlist' > /root/tcpdumps/$(date +%s)-innodbstatus
  sleep 30
  kill "${pid}"
fi
http://www.mysqlperformanceblog.com/2011/03/08/how-to-debug-long-running-transactions-in-mysql/
2. Using tcpdump to capture the SQL statements MySQL is executing
#!/bin/bash
# This script monitors MySQL network traffic and echoes the SQL statements
# it carries. The capture pipeline feeding perl was lost from the page and is
# restored here; interface eth0 and port 3306 are the same as in case 1.
tcpdump -i eth0 -s 0 -l -w - dst port 3306 | strings | perl -e '
while(<>) { chomp; next if /^[^ ]+[ ]*$/;
  if(/^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/i) {
    if (defined $q) { print "$q\n"; }
    $q=$_;
  } else {
    $_ =~ s/^[ \t]+//; $q.=" $_";
  }
}
# The loop only prints a statement once the next one begins; flush the last one.
print "$q\n" if defined $q;'
The script produces output like the following:
SELECT b.id FROM module as a,rights as b where a.id=b.module_id and b.sid='179' and a.pname like 'vip/member_order_manage.php%'
SELECT count(id) as cc,sum(cash) as total from morder_stat_all where (ymd BETWEEN '1312214400' and '1312336486') and depart_id=5 and order_class=2
select id,name from media where symd='0000-00-00'
select id,name from depart where s_flag=' ' and noff=1 order by sno
select id,name from plank where depart_id=5 and noff=1 order by no
select id,name from grp where plank_id=0 and noff=1 order by no
select id,CONCAT(pname,'-',name) as name from pvc order by pname
select id,CONCAT(no,'-',name) as name from local where pvc_id=0 order by no
select id,name from product_breed
select color_name from product_color where id=5
select id,name from product where id = '0'
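The reassembly step of case 2, written here as an added shell/awk function (not code from the original post) so it can be run offline on the `strings` output of a saved capture replayed with `tcpdump -r`; unlike the one-liner above it also emits the final statement when the input ends. The sample input is constructed.

```shell
#!/bin/sh
# Reassemble SQL statements from the line stream case 2 feeds to perl, e.g.
#   tcpdump -r capture.pcap -l -w - dst port 3306 | strings | sql_from_strings
# Lines starting with a SQL keyword begin a statement; any other line is a
# continuation and is appended after stripping its leading whitespace.
sql_from_strings() {
    awk '
    function flush() { if (q != "") { print q; q = "" } }
    {
        sub(/\r$/, "")
        # single-token lines are protocol noise from strings, not SQL
        if ($0 ~ /^[^ ]+[ ]*$/) next
        if (toupper($0) ~ /^(SELECT|UPDATE|DELETE|INSERT|SET|COMMIT|ROLLBACK|CREATE|DROP|ALTER)/) {
            flush()          # emit the previous statement, if any
            q = $0
        } else {
            sub(/^[ \t]+/, "")
            q = q " " $0
        }
    }
    END { flush() }'        # also emit the last statement at end of input
}

# Constructed sample (not a real capture): the kind of lines strings yields
# for a client session, including statements the client sent on two lines.
sample_input() {
    cat <<'EOF'
mysql_native_password
SELECT count(id) as cc,sum(cash) as total from morder_stat_all
  where depart_id=5 and order_class=2
select id,name from media where symd='0000-00-00'
    and noff=1
select color_name from product_color where id=5
EOF
}

sample_input | sql_from_strings
```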
The capture can also be opened in Wireshark for graphical analysis.
From "ITPUB blog", link: http://blog.itpub.net/15480802/viewspace-757723/. If reposting, please cite the source; otherwise legal liability will be pursued.