Intercepting arbitrary network traffic with socat

Socat can be used to intercept, view, and then forward arbitrary network traffic.

Viewing MySQL protocol

Run this in one terminal:

$ socat -v TCP-LISTEN:3307 TCP:localhost:3306

This will cause socat to listen on port 3307 and forward traffic to localhost port 3306, where you presumably have a MySQL server running.

Now you can connect to MySQL via the socat listener:

$ mysql -u root -h 127.0.0.1 -P 3307 -p

This will cause the MySQL client to connect to the socat listener, which in turn will forward traffic to your MySQL instance and print the data. In this case some of the data are unprintable binary bytes, so they are represented as periods, but the parts of the MySQL protocol that are text can be gleaned:

...
\f....show tables< 2018/06/04 23:02:24.011748  length=117 from=463 to=579
.....W....def.information_schema\vTABLE_NAMES\vTABLE_NAMES.Tables_in_database
TABLE_NAME\f!................users\a......"...> 2018/06/04 23:02:24.012169  length=11 from=291 to=301
\a....users.< 2018/06/04 23:02:24.061067  length=61 from=580 to=640
.....def.database.users.users.name.name\f!............\a..........> 2018/06/04 23:02:31.717434  length=24 from=302 to=325
.....select * from users< 2018/06/04 23:02:31.767557  length=102 from=641 to=742
.....-....def.database.users.users.name.name\f!................Tom.....Jeff.....Scott\a..\a..."...
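The bytes in front of each query in the dump above are the MySQL packet header (a 3-byte little-endian payload length and a 1-byte sequence number) followed by a command byte; the leading \f before "show tables" is 0x0c, the payload length 12. The Python below is an added example, not part of the original post: it decodes that framing from raw client-to-server bytes. The function names are this example's own, and the sample bytes are constructed to match the three client packets visible in the capture.

```python
# Command bytes from the MySQL client/server protocol (subset).
COMMANDS = {0x01: "COM_QUIT", 0x02: "COM_INIT_DB", 0x03: "COM_QUERY",
            0x04: "COM_FIELD_LIST", 0x0e: "COM_PING"}


def split_packets(stream: bytes):
    """Yield (sequence_id, payload) for each complete packet in stream."""
    offset = 0
    while offset + 4 <= len(stream):
        # Header: 3-byte little-endian payload length, then 1-byte sequence id.
        length = int.from_bytes(stream[offset:offset + 3], "little")
        seq = stream[offset + 3]
        payload = stream[offset + 4:offset + 4 + length]
        if len(payload) < length:
            break  # truncated capture: stop rather than misparse the tail
        yield seq, payload
        offset += 4 + length


def decode_client_commands(stream: bytes):
    """Return [(command_name, argument_text)] for client command packets."""
    out = []
    for seq, payload in split_packets(stream):
        if seq != 0 or not payload:
            continue  # a command packet opens a new exchange at sequence 0
        name = COMMANDS.get(payload[0], f"0x{payload[0]:02x}")
        # The argument is plain text; COM_FIELD_LIST null-terminates the table.
        arg = payload[1:].rstrip(b"\x00").decode("utf-8", "replace")
        out.append((name, arg))
    return out


# Constructed sample: the three client packets seen in the socat output.
SAMPLE = (b"\x0c\x00\x00\x00\x03show tables"
          b"\x07\x00\x00\x00\x04users\x00"
          b"\x14\x00\x00\x00\x03select * from users")

if __name__ == "__main__":
    for name, arg in decode_client_commands(SAMPLE):
        print(f"{name:15} {arg}")
```

The second and third sample packets are 11 and 24 bytes long, matching the length=11 and length=24 values socat reports for them. If the client and server negotiate TLS, everything after the initial handshake is ciphertext and no query text is recoverable this way.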
