mongosniff (1) - Linux Manuals

mongosniff: MongoDB Protocol Introspection Utility


mongosniff - MongoDB Protocol Introspection Utility


mongosniff provides a low-level operation tracing/sniffing view into database activity in real time. Think of mongosniff as a MongoDB-specific analogue of tcpdump for TCP/IP network traffic. Typically, mongosniff is most frequently used in driver development.

NOTE: mongosniff requires libpcap and is only available for Unix-like systems. Furthermore, the version distributed with the MongoDB binaries is dynamically linked against aversion 0.9 of libpcap. If your system has a different version of libpcap, you will need to compile mongosniff yourself or create a symbolic link pointing to to your local version of libpcap. Use an operation that resembles the following:

ln -s /usr/lib/ /usr/lib/

Change the path's and name of the shared library as needed.

As an alternative to mongosniff, Wireshark, a popular network sniffing tool is capable of inspecting and parsing the MongoDB wire protocol.


--help, -h
Returns information on mongosniff options and usage.
--forward <host><:port>
Declares a host to forward all parsed requests that the mongosniff intercepts to another mongod instance and issue those operations on that database instance.

Specify the target host name and port in the <host><:port> format.

To connect to a replica set, specify the replica set seed name and the seed list of set members. Use the following format:

--source <NET [interface]>
Specifies source material to inspect. Use --source NET [interface] to inspect traffic from a network interface (e.g. eth0 or lo.) Use --source FILE [filename] to read captured packets in pcap format.

You may use the --source DIAGLOG [filename] option to read the output files produced by the --diaglog option.

Displays invalid BSON objects only and nothing else. Use this option for troubleshooting driver development. This option has some performance impact on the performance of mongosniff.
Specifies alternate ports to sniff for traffic. By default, mongosniff watches for MongoDB traffic on port 27017. Append multiple port numbers to the end of mongosniff to monitor traffic on multiple ports.


Use the following command to connect to a mongod or mongos running on port 27017 and 27018 on the localhost interface:

mongosniff --source NET lo 27017 27018

Use the following command to only log invalid BSON objects for the mongod or mongos running on the localhost interface and port 27018, for driver development and troubleshooting:

mongosniff --objcheck --source NET lo 27018


To build mongosniff yourself, Linux users can use the following procedure:

Obtain prerequisites using your operating systems package management software. Dependencies include:
libpcap - to capture network packets.
git - to download the MongoDB source code.
scons and a C++ compiler - to build mongosniff.
Download a copy of the MongoDB source code using git:

git clone git://
Issue the following sequence of commands to change to the mongo/ directory and build mongosniff:

cd mongo
scons mongosniff

NOTE: If you run scons mongosniff before installing libpcap you must run scons clean before you can build mongosniff.


MongoDB Documentation Project


2011-2014, MongoDB, Inc.