pgsql: decoding pgsql.parameter_name and pgsql.parameter_value
Hi guys, I am using tshark to decode some PostgreSQL traffic and ran into some issues when decoding parameter_value-s. Below is the command I am using:
tshark -r /d/tshark/sample.pcap -d tcp.port==5432,pgsql -2R ' (tcp.port==5432) && pgsql ' -T fields -e frame.number -e tcp.stream -e ip.id -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e pgsql.length -e pgsql.table_name -e pgsql.schema_name -e pgsql.parameter_name -e pgsql.parameter_value -e pgsql.message -e pgsql.type -e pgsql.query -e pgsql.authtype -e pgsql.status -E separator="|"
And here is the output sample:
436|10|0x00006164|Jan 3, 2020 17:34:46.264036000 Russia TZ 2 Standard Time|172.19.0.2|5432|172.19.0.6|53287|8,22,25,23,25,27,20,25,49,35,35,17,12,5|||application_name,client_encoding,DateStyle,integer_datetimes,IntervalStyle,is_superuser,server_encoding,server_version,session_authorization,standard_conforming_strings,TimeZone|,UTF8,**ISO, MDY**,on,postgres,on,UTF8,10.8 (Debian 10.8-1.pgdg90+1),postgres,on,UCT||Authentication request,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Backend key data,Ready for query||0|73
The idea is the following: for parameters we have two comma-separated lists, for example:
application_name=
client_encoding=UTF8
DateStyle=ISO, MDY
So, I don't see any option to specify a separator for the parameter_value fields, so we stick to the comma. And it creates a problem when we have a comma in the parameter value itself: we can't just split a message using the comma as separator. In this particular case we could make sure that there is no space symbol after the comma when splitting, but it may not be an option for all possible parameter values.
Is there any way to handle this correctly, to decode 100% of possible parameter values correctly?
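
Added example, not part of the original post: tshark's `-E aggregator=` option sets the character that joins multiple occurrences of one field, so this sketch pairs names with values by position and rejects any line whose two lists have different lengths, which is what happens with the default comma. The `~` aggregator, the function names and the shortened sample lines are assumptions constructed here; the column positions follow the `-e` order of the command in the post.

```python
# Pair pgsql.parameter_name with pgsql.parameter_value from `tshark -T fields` output.
# Assumed invocation: the post's command plus  -E aggregator=~  (any character
# that cannot occur in a parameter value; "~" is only an illustration).

FIELD_SEP = "|"      # matches -E separator="|" in the post
NAME_COL = 11        # pgsql.parameter_name  (zero-based, per the -e order)
VALUE_COL = 12       # pgsql.parameter_value


def pair_parameters(line, aggregator=","):
    """Return [(name, value), ...] for one output line.

    Raises ValueError when the name and value lists differ in length,
    i.e. when the aggregator character also appears inside a value.
    """
    cols = line.rstrip("\r\n").split(FIELD_SEP)
    if len(cols) <= VALUE_COL or not cols[NAME_COL]:
        return []                                # no parameters in this frame
    names = cols[NAME_COL].split(aggregator)
    values = cols[VALUE_COL].split(aggregator)   # "" is a valid (empty) value
    if len(names) != len(values):
        raise ValueError(
            f"frame {cols[0]}: {len(names)} names but {len(values)} values; "
            f"aggregator {aggregator!r} occurs inside a value"
        )
    return list(zip(names, values))


def sample_line(aggregator):
    """Constructed sample: three parameters from the post, other columns blank."""
    cols = [""] * 18
    cols[0] = "436"
    cols[NAME_COL] = aggregator.join(["application_name", "client_encoding", "DateStyle"])
    cols[VALUE_COL] = aggregator.join(["", "UTF8", "ISO, MDY"])
    return FIELD_SEP.join(cols)


if __name__ == "__main__":
    try:
        pair_parameters(sample_line(","))        # default aggregator: ambiguous
    except ValueError as exc:
        print("rejected:", exc)
    for name, value in pair_parameters(sample_line("~"), aggregator="~"):
        print(f"{name}={value}")
```

A value containing the field separator `|` would shift the columns in the same way, so the same length check is worth applying to the column count before trusting a line.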