forked from dalibo/pgshark
-
Notifications
You must be signed in to change notification settings - Fork 1
/
README
136 lines (107 loc) · 4.87 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
pgshark
pgshark - Messing with PostgreSQL network traffic
SYNOPSIS
pgshark --help
pgshark [--debug] [-2|-3] [--read file] {--output plugin_name} [--
[plugin options...]]
Where plugin_name could be *sql* or *normalize* or *debug* or
*fouine*.
DESCRIPTION
This program studies PostgreSQL traffic captured from the network and is
able to make various things with it. The network dump could be live or
from a pcap file (using tcpdump for instance).
pgshark comes with various output plugins able to do various things with
these network dumps.
-d, --debug
Print debug informations to the standart error. The more you repeat
this option, the more verbose pgshark will be. There are 3 levels of
debug presently.
--help
Show this help message and exit.
-2
Dissect the pcap flow using PostgreSQL v2.0 protocol.
-3
Dissect the pcap flow using PostgreSQL v3.0 protocol. This is the
default.
-h, --host <ip address>
Gives the IP address of the PostgreSQL server. By default, set to
127.0.0.1.
-i, --interface <interface name>
Capture PostgreSQL traffic directly from the given network interface.
Conflict with --read. By default, pgshark will read from stdin if
neither --read or --interface are given.
-o, --output <plugin name>
Select the dump processing output plugin. This parameter value is
case-insensitive (eg. SQL, Sql and sql will all select the SQL plugin
output). See section "PLUGINS".
-p, --port <port>
Specifies the port the PostgreSQL backend is listening on. By default,
set to 5432
-r, --read <path to file>
Read PostgreSQL traffic from given pcap file. Conflict with
--interface. By default, pgshark will read from stdin if neither
--read or --interface are given.
PLUGINS
debug
The debug plugin will output the PostgreSQL messages in human readable
format. Useful to analyze what is in a network dump before using pgshark
on some other duties.
sql
The sql plugin writes captured queries on stdout. Because of the SQL
language doesn't support unnamed prepared statement, this plugin
actually try to names them. Presently, this plugin doesn't support
cursors nor COPY messages.
--line_prefix <prefix string>
This is a printf-style string that is output at the beginning of each
line. % characters begin "escape sequences" that are replaced with
status information as outlined below. Unrecognized escapes are
ignored. Other characters are copied straight to the log line. Some
escapes might not be available depending on the context.
%a Application name
%d Database name
%H Source host
%h Destination host
%k Hash key of the session (src ip and src port concatenated)
%R Source host and port
%r Destination host and port
%T Raw timestamp
%t Human readable timestamp
%u User name
normalize
The normalize plugin will try to normalize queries and prepared queries
and output them to stdout. Its purpose is to give you a list of unique
queries, whatever the number of time they have been sent by clients and
whatever their parameters were.
fouine
The fouine plugin will output a report with most popular queries,
slowest cumulated ones, slowest queries ever, classification of queries
by type, etc.
EXAMPLES
Output all queries found in files "some_capture.pcap*" as SQL to the
standart output:
"cat some_capture.pcap* | pgshark --output SQL"
Output all queries found in file "some_capture.pcap001" as SQL to the
standart output.
"pgshark --output SQL -r some_capture.pcap001"
Capture PostgreSQL traffic from interface eth0 and output normalized
queries to the standart output.
"pgshark --output normalize -i eth0"
The following example shows how to work with a server that is NOT
listening on localhost and the default 5432 port. (1) dump from "eth0"
every packets from/to the port 5490. "-s 0" is requiered on some older
version of tcpdump to dump the whole packets. (2) use the SQL plugin
with its "--line_prefix" option. Here "--host" and "--port" are
important to notify pgshark who is the PostgreSQL server in the network
dump and its working port.
"tcpdump -i eth0 -w /tmp/tcp_5490.pcap -s 0 'tcp and port 5490'" (1)
"pgshark --port 5490 --host 192.168.42.5 --output SQL -r \
/tmp/tcp_5490.pcap -- --line_prefix "%t user=%u,database=%d: "" (2)
AUTHORS
Jehan-Guillaume (ioguix) de Rorthais, jgdr at dalibo dot com.
Dalibo's team.
http://www.dalibo.org
SEE ALSO
The pgShark wiki on github : https://github.com/dalibo/pgshark/wiki
LICENSING
This program is open source, licensed under the simplified BSD license.
For license terms, see the LICENSE provided with the sources.