Unable to get mysql stats using packet beats

Elastic Stack Beats
1

I can't seem to get packet beat shipper to send mysql stats to ES.

I went through this thread - Unable to get mysql performance in packetbeat

and tried the following steps Unable to get mysql performance in packetbeat

but the file generated trace.pcap is empty when i open with wireshark. I am using mac os x (yosemite) and packetbeat-1.0.0-beta3-darwin.

Also, I logged into mysql using 127.0.0.1 in order to use the port and avoid the socket issue.

Traffic is flowing on the port 3306 as well.
> tcpdump -s0 -w trace.pcap "port 3306"
> tcpdump: data link type PKTAP
> tcpdump: listening on pktap, link-type PKTAP (Packet Tap), capture size 65535 bytes

2

Just to make sure I understand it correctly, when you run:

tcpdump -s0 -w trace.pcap "port 3306"

do you get an empty trace.pcap?

3

Hi @monica,

I get on my terminal screen -

tcpdump: data link type PKTAP
tcpdump: listening on pktap, link-type PKTAP (Packet Tap), capture size 65535 bytes
^C0 packets captured
223 packets received by filter

and yes the file is empty

4

Hi @tarunsapra.

It looks like there is no MySQL traffic coming on port 3306. I suspect your application connects to MySQL via the unix sockets. MySQL needs to listen on 127.0.0.1 instead of localhost in order to force the application not use the socket. How do you start the MySQL client?

5

Hi @monica , in the first comment of this thread I have shared that i connect via IP address to avoid the unix socket thing. "Also, I logged into mysql using 127.0.0.1 in order to use the port and avoid the socket issue."

mysql -h 127.0.0.1 - u root

6

On OSX you need to specify the device when running the tcpdump command.

sudo tcpdump -i lo0 -n -s0 -w trace.pcap "port 3306"

where lo0 is the localhost interface where MySQL is listening on. The -n option disables the name resolution and it makes the packets show faster.

7

Hi @monica,

thanks for all the help, it's working on my end now. Here's what was happening -

Your command works fine-

sudo tcpdump -i lo0 -n -s0 -w trace.pcap "port 3306"

I was doing (which wasn't working, should have checked ifconfig output more prudently)

sudo tcpdump -i lo -n -s0 -w trace.pcap "port 3306"  (notice the lo without the 0)

Now in Mac the default ethernet interface is en0 thus in the packetbeat.yml file in the interface devices it's given en0, when I changes it to lo0 then packetbeats started shipping mysql queries to ES cluster (super cool! :slight_smile: ) but I want the http queries to be sent to ES cluster as well thus I changed the configuration to
device: [en0, lo0] which doesn't seem to work, what's your opinion how to give multiple device interfaces in the configuration. The link given in the docs turns out to be broken - https://www.elastic.co/guide/en/beats/packetbeat/current/_configuration.html#configuration-interfaces

Danke.

8

Unfortunately on OSX there is no any device like it is on Linux in order to monitor multiple devices. On OSX, a packetbeat instance can monitor a single device. In order to monitor lo0 and en0, you need to start two packetbeat instances, one sniffing on lo0 and one on en0. In the future, we will find a better solution :smile:

Here is the link to the documentation: https://www.elastic.co/guide/en/beats/packetbeat/current/configuration.html#configuration-interfaces

9

Hi @monica, thanks for all the help, with multiple packetbeat instances, would be nice if comma separated device values could be supported in the future. Have a nice day.

1 Like