Using go‑sniffer to Capture and Analyze MySQL, Redis, and MongoDB Traffic
The article introduces go‑sniffer, a Go‑based packet sniffer that captures MySQL, Redis, and MongoDB traffic, explains how to install required dependencies and the tool itself on CentOS or Ubuntu, and provides command‑line examples for auditing and analyzing database operations.
go‑sniffer is a Go‑based packet sniffer that can capture requests from MySQL, Redis, and MongoDB, parse them into corresponding statements, and output them in a formatted way, similar to the earlier mysql‑sniffer tool but supporting more databases.
Download the source code from GitHub: https://github.com/40t/go-sniffer
1) Install dependency packages:
CentOS: yum -y install libpcap-devel
Ubuntu: apt-get install libpcap-dev
Also install Go (version >= 1.10.3): wget https://golang.org/dl/go1.10.3.linux-amd64.tar.gz
Set up the Go environment variables, or install go‑sniffer on another machine and copy the binary to the target server.
2) Install go‑sniffer:
After Go is installed, run: go get -v -u github.com/40t/go-sniffer
go get places the go-sniffer executable in the configured Go bin directory. Copy it to /usr/local/bin: cp -rf $(go env GOPATH)/bin/go-sniffer /usr/local/bin
Usage syntax:
$ go-sniffer lo0 mysql
$ go-sniffer en0 redis
$ go-sniffer eth0 http -p 8080
$ go-sniffer eth1 mongodb
Usage scenarios:
Redis – Auditing and hot‑key discovery: Capture traffic on a network interface and port 6379, e.g., go-sniffer eth0 redis -p 6379 >> out.log. The log contains lines like tcp and port 6379 and get abc. Analyze the log with awk or import it into a database for statistics, e.g., grep -avEi "^#|^$|^tcp|^ INFO|^ AUTH|^ REPLCONF ACK|^ CONFIG GET" out.log | awk '{print $1,$2}' | sort | uniq -c | sort -nr | head -n 10, which yields the most frequently accessed keys.
MySQL – Auditing: Capture MySQL traffic with go-sniffer eth0 mysql -p 3306 >> out.log.
MongoDB – Auditing: Capture MongoDB traffic with go-sniffer eth0 mongodb -p 27017 >> out.log.
Note: go‑sniffer consumes system resources; ensure the server has sufficient capacity before running the tool.
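The hot‑key analysis from the Redis scenario, written out as a script. This is an added example, not part of the original article or of the go‑sniffer project. It goes one step beyond the one‑liner by counting per key regardless of command or letter case. The log lines are constructed, and the one‑command‑per‑line layout is an assumption based on the description above.

```shell
#!/bin/sh
# Added example: hot-key report from a go-sniffer Redis capture log.
# Assumed log layout (from the article): one command per line, "<cmd> <key> [args]".

# write_sample_log PATH: write a constructed sample log for the demo.
write_sample_log() {
    cat > "$1" <<'EOF'
# constructed sample, not real traffic
tcp and port 6379
get abc
GET user:42
 AUTH constructed-password
set user:42 1
 INFO
get user:42
hget abc field
 CONFIG GET maxmemory
ping
del session:9
EOF
}

# hot_keys LOGFILE [N]: print the N most accessed keys as "count key".
hot_keys() {
    LC_ALL=C awk '
        # Drop comments, blank lines and the capture-filter banner.
        /^#/ || /^[ \t]*$/ || /^tcp/ { next }
        {
            cmd = toupper($1)   # GET and get are the same command
            # Same command families as the grep in the article. AUTH lines
            # carry the password, so they must never reach a report.
            if (cmd == "INFO" || cmd == "AUTH" || cmd == "REPLCONF" || cmd == "CONFIG") next
            if (NF < 2) next    # commands without a key, e.g. ping
            count[$2]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | LC_ALL=C sort -k1,1nr -k2,2 | head -n "${2:-10}"
}

# Demo on the constructed log.
sample=$(mktemp)
write_sample_log "$sample"
hot_keys "$sample" 3
rm -f "$sample"
```

Because out.log holds every captured command, including AUTH lines with their passwords, keep the file readable only by the account doing the audit.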