Ask Your Question
0

pgsql: decoding pgsql.parameter_name and pgsql.parameter_value

asked 2020-01-10 11:58:27 +0000

updated 2020-01-10 12:00:12 +0000

grahamb gravatar image

Hi guys, I am using tshark to decode some PostgreSQL traffic and got some issues when decoding parameter_value-s. Below is the command I am using

tshark -r /d/tshark/sample.pcap  -d tcp.port==5432,pgsql  -2R ' (tcp.port==5432) && pgsql ' -T fields -e frame.number -e tcp.stream -e ip.id -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e pgsql.length -e pgsql.table_name -e pgsql.schema_name -e pgsql.parameter_name -e pgsql.parameter_value -e pgsql.message -e pgsql.type -e pgsql.query -e pgsql.authtype -e pgsql.status -E separator="|"

And here is the output sample:

436|10|0x00006164|Jan  3, 2020 17:34:46.264036000 Russia TZ 2 Standard Time|172.19.0.2|5432|172.19.0.6|53287|8,22,25,23,25,27,20,25,49,35,35,17,12,5|||application_name,client_encoding,DateStyle,integer_datetimes,IntervalStyle,is_superuser,server_encoding,server_version,session_authorization,standard_conforming_strings,TimeZone|,UTF8,**ISO, MDY**,on,postgres,on,UTF8,10.8 (Debian 10.8-1.pgdg90+1),postgres,on,UCT||Authentication request,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Backend key data,Ready for query||0|73

The idea is the following, for parameters we have two comma-separated lists, for example

application_name=

client_encoding=UTF8

DateStyle=ISO, MDY

So, I don't see any option to specify separator for parameter_values fields, so we stick to comma. And it creates a problem when we have command in the parameter value itself, we can't just split a message using comma as separator. In this particular case we could make sure that there is no space symbol after comma when splitting, but it may not be an option for all possible parameter values.

Is there any way to handle this correct to decode 100% of possible parameter values correct?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-01-10 15:56:06 +0000

Chuckc gravatar image

updated 2020-01-10 16:26:56 +0000

grahamb gravatar image

tshark man page:

-E <field print option>

Set an option controlling the printing of fields when -T fields is selected.

aggregator=,|/s|<character> Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.

edit flag offensive delete link more

Comments

C:>tshark -r .\pgsql.pcap -T fields -e pgsql.parameter_name -e pgsql.parameter_value -E aggregator="!" > pgsql.txt

user!database   oryx!mailstore
user!database   oryx!mailstore
client_encoding!DateStyle!is_superuser!server_version!session_authorization UNICODE!ISO, MDY!off!7.4.6!oryx
client_encoding!DateStyle!is_superuser!server_version!session_authorization UNICODE!ISO, MDY!off!7.4.6!oryx
Chuckc gravatar imageChuckc ( 2020-01-10 15:58:51 +0000 )edit

oh bubbasnmp thank you very much, sorry, i had to figure it out from from the docs, i was under impression i checked all -E xxx options

vladimir_soldatov gravatar imagevladimir_soldatov ( 2020-01-10 16:08:32 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2020-01-10 11:58:27 +0000

Seen: 142 times

Last updated: Jan 10