Wireshark-users: [Wireshark-users] how to capture entire SQL commands from capture, and export as
From: Shawn T Carroll <shawnthomascarroll@xxxxxxxxx>
Date: Mon, 12 Dec 2011 10:36:11 -0800 (PST)
We have an application transaction that produces about 360 SQL queries and responses (PostgreSQL in particular).

I wanted to dump a list of the SQL queries issued, along with a timestamp of when the query was issued.

"follow stream" and then a copy/paste shows the human-readable bits from the tcp segment, but does not capture the timestamps, nor does it distinguish commands issued from the client from responses sent by the server.

Right-clicking on the PostgreSQL > Query in the decode pane, and "apply as column", followed by exporting as a CSV was partially successful, but it seems to chop off the query at a couple hundred bytes, see this output:

"No.","Time","Source","Destination","Protocol","Length","Frame length on the wire","Query","Info"
"1","0.000000","10.10.0.206","10.10.0.73","PGSQL","556","556","select pg_attribute.attname, pg_attribute.atttypid::int, pg_attribute.attnotnull, pg_attribute.attlen, pg_attribute.atttypmod, pg_attrdef.adsrc from pg_class, pg_attribute left join pg_attrdef on (pg_attrdef.adrelid = pg_attribute.attrelid and pg_attrdef.",">Q"
"2","0.102997","10.10.0.206","10.10.0.73","PGSQL","462","462","SELECT pg_attribute.attname, pg_attribute.atttypid::int, pg_class.relname FROM pg_attribute, pg_class WHERE pg_table_is_visible(pg_class.oid) AND pg_class.oid IN (SELECT indexrelid FROM pg_index WHERE indisprimary = true AND indrelid IN  (SELECT oid FROM ",">Q"
"3","0.205383","10.10.0.206","10.10.0.73","PGSQL","568","568","select pg_attribute.attname, pg_attribute.atttypid::int, pg_attribute.attnotnull, pg_attribute.attlen, pg_attribute.atttypmod, pg_attrdef.adsrc from pg_class, pg_attribute left join pg_attrdef on (pg_attrdef.adrelid = pg_attribute.attrelid and pg_attrdef.",">Q"
"4","0.307351","10.10.0.206","10.10.0.73","PGSQL","474","474","SELECT pg_attribute.attname, pg_attribute.atttypid::int, pg_class.relname FROM pg_attribute, pg_class WHERE pg_table_is_visible(pg_class.oid) AND pg_class.oid IN (SELECT indexrelid FROM pg_index WHERE indisprimary = true AND indrelid IN  (SELECT oid FROM ",">Q"
"5","0.409829","10.10.0.206","10.10.0.73","PGSQL","558","558","select pg_attribute.attname, pg_attribute.atttypid::int, pg_attribute.attnotnull, pg_attribute.attlen, pg_attribute.atttypmod, pg_attrdef.adsrc from pg_class, pg_attribute left join pg_attrdef on (pg_attrdef.adrelid = pg_attribute.attrelid and pg_attrdef.",">Q"
"6","0.512595","10.10.0.206","10.10.0.73","PGSQL","464","464","SELECT pg_attribute.attname, pg_attribute.atttypid::int, pg_class.relname FROM pg_attribute, pg_class WHERE pg_table_is_visible(pg_class.oid) AND pg_class.oid IN (SELECT indexrelid FROM pg_index WHERE indisprimary = true AND indrelid IN  (SELECT oid FROM ",">Q"
"7","0.614801","10.10.0.206","10.10.0.73","PGSQL","463","463","SELECT pg_attribute.attname, pg_attribute.atttypid::int, pg_class.relname FROM pg_attribute, pg_class WHERE pg_table_is_visible(pg_class.oid) AND pg_class.oid IN (SELECT indexrelid FROM pg_index WHERE indisprimary = true AND indrelid IN  (SELECT oid FROM ",">Q"
.
.  ~360 more of these
.
<end>

Is there a way to have my cake and eat it too?  Perhaps adjust the upper bound of the number of characters allowed in the newly created "Query" column?

Thanks,
Shawn
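
An added example, not part of the original post: one way to recover each complete query with its timestamp is to parse the PostgreSQL simple Query ('Q') messages directly from the client-to-server byte stream instead of relying on a display column. It assumes the client payloads are already available in order as (timestamp, bytes) pairs and that the stream starts on a typed-message boundary (no startup packet); the function names and the sample data are constructed for illustration.

```python
import csv, io, struct

def pg_msg(mtype: bytes, body: bytes = b"") -> bytes:
    """Build a typed PostgreSQL message: type byte + Int32 length (counts itself) + body."""
    return mtype + struct.pack("!I", 4 + len(body)) + body

def extract_queries(segments):
    """segments: ordered (timestamp, payload) pairs, client->server direction only.
    Returns [(timestamp of the segment holding the message's first byte, full SQL)]."""
    stream, bounds = bytearray(), []
    for ts, payload in segments:
        bounds.append((len(stream), ts))      # where each segment starts in the stream
        stream += payload
    queries, pos, seg = [], 0, 0
    while pos + 5 <= len(stream):             # need type byte + 4-byte length
        (length,) = struct.unpack_from("!I", stream, pos + 1)
        if length < 4:
            raise ValueError(f"bad message length at stream offset {pos}")
        end = pos + 1 + length
        if end > len(stream):                 # capture ends mid-message: stop cleanly
            break
        while seg + 1 < len(bounds) and bounds[seg + 1][0] <= pos:
            seg += 1                          # advance to the segment containing pos
        if stream[pos:pos + 1] == b"Q":       # simple Query: NUL-terminated SQL text
            sql = bytes(stream[pos + 5:end]).rstrip(b"\x00").decode("utf-8", "replace")
            queries.append((bounds[seg][1], sql))
        pos = end                             # other message types are skipped
    return queries

def to_csv(queries) -> str:
    """Render (timestamp, sql) pairs as fully quoted CSV with no length limit."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL)
    writer.writerow(["Time", "Query"])
    for ts, sql in queries:
        writer.writerow([f"{ts:.6f}", sql])
    return out.getvalue()

# Constructed sample: a 571-character query split across two TCP segments,
# a short query sharing the second segment, then a Terminate ('X') message.
LONG_SQL = "SELECT " + ", ".join(f"col{i}" for i in range(80)) + " FROM wide_table"
SHORT_SQL = "SELECT 1"
M1 = pg_msg(b"Q", LONG_SQL.encode() + b"\x00")
M2 = pg_msg(b"Q", SHORT_SQL.encode() + b"\x00")
SAMPLE = [(0.0, M1[:100]), (0.102997, M1[100:] + M2), (0.205383, pg_msg(b"X"))]

if __name__ == "__main__":
    print(to_csv(extract_queries(SAMPLE)))
```

Because only the client-to-server direction is fed in, server responses never mix with the issued commands.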