How can I sniff MySQL data using WireShark? I also used «mysqlsniffer» and got no results. There are no packets from MySQL. I've filtered by «MySQL.isPresent» in WireShark but nothing happened.

MySQL installed on Ubuntu 10.10 from repository. Here is my.conf: http://pastebin.com/jkJU773E

Also I can telnet to MySQL:

```
halo@desktop:~$ telnet localhost 3306
Trying ::1...
Connected to localhost.
Escape character is '^]'.
^CConnection closed by foreign host.
```


2 Answers


By default, on localhost, mysql actually connects over a UNIX socket. Add -h to your mysql line to force communication over TCP.

  • But how to start mysql daemon with -h? – Clark Apr 15 '11 at 02:52
  • mysqld should be listening on localhost anyway, so you should only need the -h switch on the client as @BMDan said. You can check if mysqld is listening on all interfaces using `netstat -ntlp | grep 3306`. – Eduardo Ivanec Apr 15 '11 at 03:38
  • Tried to comment bind-address, nothing changed. – Clark Apr 15 '11 at 03:51
  • Does your sniffer--either WireShark (set to `port 3306` instead of `MySQL.isPresent`) or the MySQL-specific one--capture anything when you use telnet to port 3306? If yes, then your issue is that your mysql client program is using a socket to communicate. If no, then something else is going on; most likely, that you aren't specifying the correct interface(s) on which to sniff. Please let us know the outcome of this test. – BMDan Apr 15 '11 at 13:40

Are you sure you're sniffing the right interface? If you're connecting locally as in your example you should attach to the loopback interface (lo) instead of eth0 or any other eth*.

I don't know MySQL.isPresent, have you tried filtering tcp port 3306? It should be enough, really.

As an alternative, you can capture the traffic using tcpdump on the command line and then open the dump file with wireshark:

```
tcpdump -nli lo port 3306 -s 0 -w mysql.dump
wireshark mysql.dump
```

Replace lo with eth0, etc. if needed.

Eduardo Ivanec
  • Yes, I am using the virtual «Any Interfaces option» and tried to use all interfaces. – Clark Apr 15 '11 at 02:50
  • halo@desktop:~$ sudo tcpdump -nli lo port 3306 -s 0 -w mysql.dump [sudo] password for halo: tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535 bytes and that's all :( – Clark Apr 15 '11 at 02:51
  • Yes, tcpdump should keep running while you do the connection testing; then you quit it using CTRL-C and launch wireshark, should have told you that. But @BMDan may be on the right track anyway, you should make sure you're not connecting via a socket on your tests first. – Eduardo Ivanec Apr 15 '11 at 03:39
  • I tried to query mysql, all is ok but nothing is logged by tcpdump anyway :( – Clark Apr 15 '11 at 03:50
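
An added example, not part of the original thread, for the socket-versus-TCP point raised in the answers: it reads the Linux `/proc/net` tables to tell whether clients reach mysqld over TCP port 3306, which a sniffer can see, or over the UNIX socket, which produces no packets. The socket path `/var/run/mysqld/mysqld.sock`, the function names and the sample rows are assumptions constructed for illustration.

```python
from pathlib import Path

MYSQL_PORT = 3306                           # port from the question
MYSQL_SOCK = "/var/run/mysqld/mysqld.sock"  # assumed path; see `socket=` in my.cnf

# Constructed samples in the layout of /proc/net/tcp and /proc/net/unix.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   116        0 11001
"""
SAMPLE_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12001 /var/run/mysqld/mysqld.sock
0000000000000000: 00000003 00000000 00000000 0001 03 12044 /var/run/mysqld/mysqld.sock
0000000000000000: 00000003 00000000 00000000 0001 03 12043
"""

def _rows(text):
    """Yield whitespace-split data rows; header lines lack the 'N:' index field."""
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0].endswith(":"):
            yield fields

def tcp_sessions(text, port=MYSQL_PORT):
    """Count ESTABLISHED (st 01) sockets whose local port is the server port."""
    return sum(1 for f in _rows(text)
               if len(f) > 3 and int(f[1].rsplit(":", 1)[1], 16) == port and f[3] == "01")

def unix_sessions(text, path=MYSQL_SOCK):
    """Count connected (St 03) sockets bound to the server's socket path."""
    return sum(1 for f in _rows(text)
               if len(f) > 7 and f[7] == path and f[5] == "03")

def diagnose(tcp_text, unix_text):
    if tcp_sessions(tcp_text):
        return "tcp"    # packets exist: capture on lo for local clients
    if unix_sessions(unix_text):
        return "unix"   # no packets at all: tcpdump/Wireshark see nothing
    return "idle"       # no client connected right now

def read_proc(*names):
    """Concatenate /proc/net files; missing ones (no IPv6, not Linux) are skipped."""
    files = [Path("/proc/net") / n for n in names]
    return "".join(p.read_text() for p in files if p.exists())

if __name__ == "__main__":
    print("sample:", diagnose(SAMPLE_TCP, SAMPLE_UNIX))
    print("live:  ", diagnose(read_proc("tcp", "tcp6"), read_proc("unix")))
```

Run it while a client session is open. If it reports `unix`, reconnect the mysql client with `--protocol=TCP` or `-h 127.0.0.1` before capturing.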