0

pgsql: decoding pgsql.parameter_name and pgsql.parameter_value

Hi guys, I am using tshark to decode some PostgreSQL traffic and got some issues when decoding parameter values. Below is the command I am using:

tshark -r /d/tshark/sample.pcap  -d tcp.port==5432,pgsql  -2R ' (tcp.port==5432) && pgsql ' -T fields -e frame.number -e tcp.stream -e ip.id -e frame.time -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e pgsql.length -e pgsql.table_name -e pgsql.schema_name -e pgsql.parameter_name -e pgsql.parameter_value -e pgsql.message -e pgsql.type -e pgsql.query -e pgsql.authtype -e pgsql.status -E separator="|"

And here is the output sample:

436|10|0x00006164|Jan  3, 2020 17:34:46.264036000 Russia TZ 2 Standard Time|172.19.0.2|5432|172.19.0.6|53287|8,22,25,23,25,27,20,25,49,35,35,17,12,5|||application_name,client_encoding,DateStyle,integer_datetimes,IntervalStyle,is_superuser,server_encoding,server_version,session_authorization,standard_conforming_strings,TimeZone|,UTF8,**ISO, MDY**,on,postgres,on,UTF8,10.8 (Debian 10.8-1.pgdg90+1),postgres,on,UCT||Authentication request,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Parameter status,Backend key data,Ready for query||0|73

The idea is the following, for parameters we have two comma-separated lists, for example

application_name=

client_encoding=UTF8

DateStyle=ISO, MDY

So, I don't see any option to specify a separator for parameter_value fields, so we stick to the comma. And it creates a problem when we have a comma in the parameter value itself: we can't just split a message using the comma as separator. In this particular case we could make sure that there is no space symbol after the comma when splitting, but it may not be an option for all possible parameter values.

Is there any way to handle this correctly and decode 100% of possible parameter values correctly?

vladimir_soldatov (1), asked 2020-01-10 11:58:27 +0000
grahamb (23.8k), updated 2020-01-10 12:00:12 +0000


1 Answer

0

tshark man page:

-E <field print option>

Set an option controlling the printing of fields when -T fields is selected.

aggregator=,|/s|<character> Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.

Chuckc (3k), answered 2020-01-10 15:56:06 +0000
grahamb (23.8k), updated 2020-01-10 16:26:56 +0000

Comments

C:>tshark -r .\pgsql.pcap -T fields -e pgsql.parameter_name -e pgsql.parameter_value -E aggregator="!" > pgsql.txt

user!database   oryx!mailstore
user!database   oryx!mailstore
client_encoding!DateStyle!is_superuser!server_version!session_authorization UNICODE!ISO, MDY!off!7.4.6!oryx
client_encoding!DateStyle!is_superuser!server_version!session_authorization UNICODE!ISO, MDY!off!7.4.6!oryx
Chuckc (2020-01-10 15:58:51 +0000)

Oh, bubbasnmp, thank you very much. Sorry, I had to figure it out from the docs; I was under the impression I had checked all the -E xxx options.

vladimir_soldatov (2020-01-10 16:08:32 +0000)
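As an added example (not code from the question or the answer), a small Python wrapper that runs tshark with a non-default aggregator, pairs pgsql.parameter_name with pgsql.parameter_value per frame, and treats a name/value count mismatch as the sign that the aggregator collided with a value such as "ISO, MDY". It assumes tshark is on PATH and PostgreSQL on port 5432 as in the question; the sample ParameterStatus burst is constructed from the question's output so the parser can be exercised without a pcap.

```python
import subprocess

FIELDS = ["frame.number", "tcp.stream", "pgsql.parameter_name", "pgsql.parameter_value"]
SEP = "|"

# Constructed sample: the ParameterStatus burst from the question as (name, value)
# pairs. Note the comma inside the DateStyle value and the empty application_name.
PARAMS = [("application_name", ""), ("client_encoding", "UTF8"), ("DateStyle", "ISO, MDY"),
          ("integer_datetimes", "on"), ("IntervalStyle", "postgres"), ("is_superuser", "on"),
          ("server_encoding", "UTF8"), ("server_version", "10.8 (Debian 10.8-1.pgdg90+1)"),
          ("session_authorization", "postgres"), ("standard_conforming_strings", "on"),
          ("TimeZone", "UCT")]


def fake_tshark_line(agg):
    """Render PARAMS the way `tshark -T fields -E separator=| -E aggregator=<agg>` does."""
    names = agg.join(name for name, _ in PARAMS)
    values = agg.join(value for _, value in PARAMS)
    return f"436|10|{names}|{values}\n"


def tshark_cmd(pcap, agg):
    """Real tshark command line (assumption: tshark on PATH, PostgreSQL on tcp/5432)."""
    cmd = ["tshark", "-r", pcap, "-d", "tcp.port==5432,pgsql", "-2R", "pgsql", "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    return cmd + ["-E", f"separator={SEP}", "-E", f"aggregator={agg}"]


def parse_parameters(line, agg):
    """Pair parameter names with values from one output line.
    A value containing the aggregator splits into extra pieces, so a count
    mismatch means the aggregator collided with the data: raise rather than
    silently mis-pair parameters."""
    record = dict(zip(FIELDS, line.rstrip("\n").split(SEP)))
    names = record["pgsql.parameter_name"].split(agg)
    if names == [""]:  # frame carries no ParameterStatus message
        return {}
    values = record["pgsql.parameter_value"].split(agg)
    if len(names) != len(values):
        raise ValueError(f"{len(names)} names vs {len(values)} values: "
                         f"aggregator {agg!r} occurs inside a parameter value")
    return dict(zip(names, values))


def aggregator_collides(line, agg):
    """True when this line cannot be split reliably with the given aggregator."""
    try:
        parse_parameters(line, agg)
        return False
    except ValueError:
        return True


def parameters_from_pcap(pcap, agg="!"):
    """Run tshark on a capture and return one {name: value} dict per matching frame."""
    out = subprocess.run(tshark_cmd(pcap, agg), capture_output=True, text=True, check=True)
    return [parse_parameters(l, agg) for l in out.stdout.splitlines(keepends=True) if l.strip()]
```

Pick an aggregator character that cannot appear in the values you expect, and keep the count check: it turns the comma ambiguity from the question into a loud error instead of shifted values.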
