Learning Project: This is an eBPF-based project created for learning purposes that allows you to collect MongoDB queries without the need to apply any changes to your application.
Mongo-Pulse monitors MongoDB operations in real-time and provides:
- Query Time Measurement: Measures and displays response times for MongoDB operations
- Plaintext Query Display: Shows readable strings from MongoDB queries
- Encryption Support: Traces SSL/TLS encrypted MongoDB traffic when applications use the operating system's SSL libraries
- Real-time Monitoring: Captures operations as they happen without application modifications
The tool supports encrypted traffic monitoring by hooking into OpenSSL functions. It has been tested with:
- Python 3 applications using pymongo with SSL
- Node.js applications using the MongoDB driver with SSL
Note: Requires newer OpenSSL versions as we hook into the _ex functions (SSL_read_ex, SSL_write_ex) available in OpenSSL 1.1.1+.
Known limitations:
- Compression Not Supported: MongoDB compression (zlib, snappy, zstd) is not currently supported as it changes the packet headers. This feature will be implemented in future versions.

Requirements:
- Go 1.25.3+
- Docker (for containerized execution)
- Linux kernel with eBPF support
- Root privileges (for eBPF operations)
This project has been tested on:
- OS: Ubuntu 24.04 (6.8.0-86-generic kernel)
- Architecture: x86_64
Note: Docker containerization should make it portable across different Linux distributions with eBPF support.
Build and run with Docker:

```bash
make docker-run
```

Generate eBPF bytecode and run locally:

```bash
make run
```

```bash
# Generate eBPF bytecode
make generate
# Build locally
make build
# Clean artifacts
make clean
```

Mongo-Pulse uses eBPF tracepoints to intercept system calls and capture MongoDB queries in real-time without requiring any modifications to your application or MongoDB instance. For encrypted connections, it hooks into the SSL library functions, where the data is available in plaintext, and analyzes the traffic there.
Here's an example of what Mongo-Pulse captures when monitoring MongoDB operations:
🔥 MongoDB Operation Detected!
PID: 1356736
FD: 8
Request ID: 1131176229
⏱️ Response Time: 10130338 ns
🔒 This query was encrypted
📝 All Readable Strings: [aggregate testcol pipeline $match id $gte $group _id $id count $sum $sort _id $limit cursor lsid id z? HU $db testdb $readPreference mode primaryPreferred]
🌐 Connection: 127.0.0.1:27018
--------------------------------------------------
🔥 MongoDB Operation Detected!
PID: 1356736
FD: 8
Request ID: 1653377373
⏱️ Response Time: 868980 ns
🔒 This query was encrypted
📝 All Readable Strings: [insert testcol ordered lsid id z? HU $db testdb $readPreference mode primary documents _id *y. special encrypted_insert timestamp bP]
🌐 Connection: 127.0.0.1:27018
--------------------------------------------------
The output shows:
- Process ID and file descriptor
- Unique request ID for correlation
- Response time in nanoseconds
- Whether the connection was encrypted
- Extracted readable strings from the MongoDB operation
- Connection details (IP and port)
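
The request ID and readable strings in this output, and the compression limitation noted earlier, all follow from the MongoDB wire protocol's 16-byte message header. The Go sketch below is an added example, not Mongo-Pulse's own code: `Inspect`, `Header`, `SampleMsg` and `SampleCompressed` are names made up here, and both sample messages are constructed rather than captured.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

const opCompressed, opMsg = 2012, 2013 // OP_COMPRESSED and OP_MSG opcodes
var ErrCompressed = errors.New("OP_COMPRESSED: body must be decompressed first")

// Header is the 16-byte little-endian header that starts every wire message.
type Header struct{ Length, RequestID, ResponseTo, OpCode int32 }

// Inspect decodes the header of a captured plaintext buffer and returns the
// printable ASCII runs (3+ bytes) found in the message body.
func Inspect(buf []byte) (Header, []string, error) {
	if len(buf) < 16 {
		return Header{}, nil, errors.New("short buffer: need 16 header bytes")
	}
	f := func(off int) int32 { return int32(binary.LittleEndian.Uint32(buf[off:])) }
	h := Header{f(0), f(4), f(8), f(12)}
	if h.OpCode == opCompressed {
		return h, nil, ErrCompressed // original opcode and body are wrapped
	}
	end := len(buf)
	if h.Length >= 16 && int(h.Length) < end {
		end = int(h.Length) // ignore bytes past this message
	}
	var out []string
	notPrintable := func(r rune) bool { return r < 0x20 || r > 0x7e }
	for _, s := range bytes.FieldsFunc(buf[16:end], notPrintable) {
		if len(s) >= 3 {
			out = append(out, string(s))
		}
	}
	return h, out, nil
}

// Constructed samples: OP_MSG with BSON {find: "testcol", $db: "testdb"}, and an OP_COMPRESSED (zlib) wrapper.
const (
	SampleMsg        = "\x3c\x00\x00\x00\x2a\x00\x00\x00\x00\x00\x00\x00\xdd\x07\x00\x00" + "\x00\x00\x00\x00\x00\x27\x00\x00\x00\x02find\x00\x08\x00\x00\x00testcol\x00\x02$db\x00\x07\x00\x00\x00testdb\x00\x00"
	SampleCompressed = "\x1c\x00\x00\x00\x2b\x00\x00\x00\x00\x00\x00\x00\xdc\x07\x00\x00" + "\xdd\x07\x00\x00\x2c\x00\x00\x00\x02\x78\x9c\x03"
)

func main() {
	fmt.Println(Inspect([]byte(SampleMsg)))
	fmt.Println(Inspect([]byte(SampleCompressed)))
}
```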