15:10:43.350714 goose.guardium.com.1522 > 192.168.1.168.4326: P 9:41(32) ack 487 win 7504 (DF)
15:10:43.432778 goose.guardium.com.1522 > 192.168.1.168.4326: P 4055:4070(15) ack 4642 win 11319 (DF)
15:10:43.622017 192.168.1.168.4326 > goose.guardium.com.1522: . ack 4070 win 63407 (DF)
What I can see from the first line is the client machine with an IP of
192.168.1.168 connecting to the server. The client port is 4326 and the
server port is 1522. Note that this is not the standard Oracle listener port,
and you should not assume that using a nonstandard port keeps you safe in
any way. Also note that I removed some of the packets in the middle—the
full dump includes 65 such lines and is not very useful at this point.
This first dump doesn't show me much, mostly because by default tcpdump
has only shown me the headers. However, I can now go one step further
and start looking at the TCP/IP payload, which is where all the juicy
data resides. At this point I can ask tcpdump to capture all of the stream to
a file using the following command (on Linux; other platforms may have
slightly different flags):
tcpdump -S -w /tmp/out.txt -i eth1 host goose
I can then analyze this file using a sniffer or use a sniffer instead of tcpdump
in the first place. The main question is where I prefer doing the
work—on-site or in a quiet place where I will not be bothered.
Let's look at the payload. The payload is verbose, and I won't show you
all of it because it is not relevant to our discussion. There are three packets
that are relevant here: the login process, the packet containing a SQL call,
and the packet containing the reply.
Let's start with the login process. When a client initiates a session with
a server, there is a handshake process during which the two agree on various
details of the communication. In this process the client authenticates
itself with the server (i.e., hands over the username and password with
which it is trying to log in to the database). An example payload of the
TCP/IP packet for this part of the Oracle handshake (using the infamous
scott/tiger user) follows:
00000000 : 01 78 00 00 06 04 00 00 00 00 03 73 03 c8 f7 05 .x.........s....
00000010 : 08 05 00 00 00 01 01 00 00 bc ea ff bf 07 00 00 ................
00000020 : 00 cc e8 ff bf 7e bc ff bf 05 53 43 4f 54 54 0d .....~....SCOTT.