This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Oracle SQL*Plus

0

How can I capture Oracle SQL*Plus traffic? I am running Wireshark with no capture filters and then starting SQL*Plus and attempting to connect to a remote Oracle database (the connection doesn't succeed). I cannot see any packets relating to the SQL*Plus traffic in the capture.

Can someone talk me through exactly what's needed to capture traffic from SQLPlus connecting to a remote Oracle database?

Many thanks in advance.

asked 19 Apr '17, 04:42

Corin

edited 19 Apr '17, 04:44

Some questions to sort things out:

  • Are you running Wireshark on the client where your SQLPlus client is also running?
  • Are you able to see any traffic (DNS, ARP...) in Wireshark?
  • Have you configured an IP address or a server name in your SQLPlus client resp. tnsnames.ora file?
  • When you've configured a server name: do you see name lookups (e.g. DNS requests or WINS) for this name in Wireshark?
  • SQLPlus normally connects to 1521/TCP: Is there any packet with this port? (display filter tcp.port==1521)
(20 Apr '17, 08:48) Uli
  • Yes, running Wireshark on client machine where SQLPlus running
  • Yes, I can see ARP, DNS traffic, if I telnet to the address of my Oracle server I can see TCP traffic to that address
  • The IP address is configured in the tnsnames.ora. The service name is configured in the tnsnames.ora file.
  • I don't know the name of the Oracle database server, I only know its IP address. I know the Oracle service name, is that what you mean?
  • No, there is no packet with this port, the display filter tcp.port==1521 displays nothing
(24 Apr '17, 07:05) Corin

I've identified the problem, thank you for your help. I will post an answer below.

(24 Apr '17, 07:18) Corin

One Answer:

0

The problem turned out to be a badly formatted tnsnames.ora file. The entries were originally formatted like this:

{sid} =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.x.xx)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = {servicename})
)
)

The Oracle client tools reported this as illegally formatted. I added spaces between the elements like so:

{SID} =
 (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = xxx.xxx.x.xx)(PORT = 1521))
  (CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = {service_name})
 )
)

Now I can see tcp.port==1521 traffic.

answered 24 Apr '17, 07:24

Corin

edited 24 Apr '17, 07:27
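An added example, not part of the original thread or of any Oracle tool: a small linter for the layout problem described in the answer, where an unparsable tnsnames.ora entry means the client never opens a connection and the capture stays empty. The heuristic is an assumption drawn from the two entries shown above (continuation lines that open with `(` must be indented, a bare closing `)` in column 0 is tolerated); the alias, host and service name are constructed placeholders.

```python
# Constructed samples modelled on the two entries in the answer (placeholder values).
BROKEN = """\
ORCL =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.10)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = orcl.example)
)
)
"""
FIXED = """\
ORCL =
 (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = 192.0.2.10)(PORT = 1521))
  (CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = orcl.example)
 )
)
"""

def lint_tnsnames(text):
    """Return (line_number, message) findings for layout problems (heuristic)."""
    findings = []
    depth = 0        # current parenthesis nesting
    pending = False  # saw 'alias =' and its value has not started yet
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].rstrip()  # '#' starts a comment
        if not line.strip():
            continue
        col0 = not line[0].isspace()
        if col0 and line.startswith("(") and (pending or depth > 0):
            findings.append((n, "continuation line starts in column 0; indent it"))
        elif col0 and depth > 0 and not line.startswith(")"):
            findings.append((n, "new entry starts before the previous one is closed"))
        for ch in line:
            depth += (ch == "(") - (ch == ")")
            if depth < 0:
                findings.append((n, "unmatched ')'"))
                depth = 0
        pending = depth == 0 and line.endswith("=")
    if depth > 0:
        findings.append((len(lines), "entry never closed"))
    return findings

if __name__ == "__main__":
    for n, msg in lint_tnsnames(BROKEN):
        print(f"line {n}: {msg}")
```
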