dbpulse - utility that records SQL query information by capturing
[-H hosts_file | -h hostname -p tcp_port -S server_name]
[-i input_file | -o output_file]
dbpulse captures network (TCP) packets going in to and out of the
database server. It de-multiplexes this traffic back into
state-oriented connections. Thus, it can record the round trip
activity of each query sent to the database. As it runs, it outputs
this round trip activity into two types of files: RATING and
THRESH files. The RATING file is used for benchmarking purposes
(see rating_file(5)) and the THRESH file is used for audit and
diagnostic purposes (see (thresh_file(5).
It functions like a passive firewall; one that doesn't impede traffic
but still interrogates the packets and builds session tables.
dbpulse can be run on any node of the network so long as that node
has access to the appropriate network traffic. The simplest
implementation is to run it on the database server itself.
Alternatively, it can be run on the Web/App servers, or even on
desktop PCs (Windows 2000 or higher).
dbpulse comes in two flavors along with a multiple worker thread
option. The first flavor is the basic edition which allows auditing
and diagnostic output but no benchmark output (no RATING file
support). The second flavor is the basic edition plus Rating which
adds benchmarking output. The the multiple worker threads option
allows more than one worker thread to process packet data (without it,
only a single worker thread is allowed). Multiple worker threads
introduce non-determinism to the output files and is only necessary
for high-volume servers with multiple processors.
Currently, dbpulse can decode TDS (Tabular Data Stream) packets.
Eventually, it will decode TNS (Transparent Network Substrate),
mySQL, and DB2.
For Sybase ASE, the minimal set of options are -h , -p , and -S .
For Microsoft SQL Server, the minimal option is -h because -p is
defaulted to 1433 and -S is defaulted to the value of -h .
Alternatively, the -H option can be used to specify a hosts file where
many instances can be configured. That is, rather than starting multiple
copies of dbpulse, one copy can capture queries for many instances.
- -H hosts_file
Specify the name of a file in the /foresight/etc directory that contains
a list of hosts (instances) to capture queries from. A common name is
- -h hostname
Specify the hostname of the database server. It can also be an IP
- -p sniff_port
Specify the TCP port of the database server. For SQL Server,
the default value is 1433.
- -S servername
Specify the server name to use to identify this instance of
dbpulse. This value is used to distinguish between multiple
instances of captured data.
- -a network_protocol
Valid network protocols include: mssql (for SQL 7 and higher),
mssql6, and ase.
Run in the background. For Windows, it's service mode. For Unix,
it's daemon mode.
- -c packet_count_limit
Specify the maximum number of packets to capture. After dbpulse
sniffs this many packets, it terminates. Commonly used with the -i
and -s options for debugging certain portions of the packet stream.
- -d device_name
Specify the network device to use to capture packets. The default
value is the first ethernet device found. For Unix, values include:
lo (loopback; only supported under linux, other OSs optimize
loopback performance and don't provide a standard API), eth0
(linux), hme0 (Solaris), and
For a list of valid device names, run find_all_devices(1).
- -i input_filename
Specify the input file to read network packets in from rather than
sniffing a network device.
- -l listen_port
Tells dbpulse to listen on the specified TCP port for interprocess
communications requests (mainly for statistics gathering). Need to
use this option if more than one instance of DBpulse is running on the
same server. Without a port specified (just -l), the default value is
Note: this listen port is not meant for direct human interaction (i.e.
telnet), but rather for program interaction. The output is designed
to be easy to parse, but not necessarily easy to understand. The
primary command is ``get''. This is followed by the `type' of
information you want to retrieve. Available types are: date,
hires_epoch, info, perf, and stats. The `stats' type has multiple
sub-types. Available sub-types (for `stats') are: connect_q, pcap,
pcap_session, rm, string, tds_session, work_q, and all (this option
displays each of the `stats' one after another).
Output from the TCP connection will generally be of the form: XXX
LABEL=VALUE. XXX is the result code. There will be a space or a dash
after the result code. A space indicates end-of-data and a dash
indicates more data to follow. The LABEL is any valid identifier
([A-Z,a-z,_][A-Z,a-z,_,0-9]*). The VALUE is URI encoded. String
values are NOT quoted. The record separator has an empty LABEL
and empty VALUE. For example:
- -o output_filename
Specify the output file to write network packets out to. When using
this option, no processing is performed. Network packets are read
from a network device and written immediately to the output file.
Primarily used for debugging or capturing demo data. The -i option
and -o option are mutually exclusive.
Run with no thresholding. That is, don't write data to the THRESH file.
- -r run_interval
Specify the run interval in minutes. That is, how often to write a
new rating and thresh file. The default run interval is 15
This parameter activates a feature called Rating and requires a
special license. Without this license, the -rating option will be ignored.
- -s packet_skip_count
Specify the number of packets to skip before starting to pro- cess.
Commonly used with the -i and -c options for debugging certain
portions of the packet stream.
- -t threshold_level
Specify the elapsed time threshold in seconds (floating point). The
default behavior sets the threshold value to 0.0 (audit mode), thus
recording ALL queries to the THRESH file. If a value is given, it
limits the queries recorded in the THRESH file. That is, only queries
that runs longer than the specified threshold will be recorded in the
- -w worker_threads
Specify the number of worker threads to start up. The default value
is 1. This option allows multiple CPUs to assist in the decoding of
packet data. NOTE: thread scheduling is non-deterministic, thus,
setting this value greater than one (1) makes all output
non-deterministic (i.e. the order of data in the RATING and THRESH
files will differ given the same input data).
This parameter activates a feature called Multiple Worker Threads
and requires a special license. Without this license,
the -w option will be ignored.
- -x debug_value
Specify the value of debugging output. It is a bitmap; not a sequential
number (i.e. 4 doesn't output more debugging than 3). Valid values range
from 1 to 255. Never use this option in a production setting unless it's
for a very short period of time (less than 30 minutes). It will slow down
the data capture and use up a lot of CPU.
dbpulse has two methods of licensing: evaluation and registered.
Each has its limitations.
There is no fee to use the evaluation version.
The evaluation version of dbpulse limits the recording of database
information to 2,000,000 packets.
That is, it sets the -c option to 2,000,000 and cannot be overridden.
Other than that, it is fully functional.
The registered version requires a registration fee.
The limitation of the registered version is that it is locked to a
hostname and IP address.
Thus, if either changes, you will need to obtain a new license.
In addition, if you acquire the basic edition, it doesn't allow
benchmarking output (no Rating). Lastly, it regulates the number of
worker threads. If you don't acquire the multiple worker thread
option, it limits the -w option to 1 and cannot be overridden.
Both the evaluation and registered version have an expiration date.
That is, the software will only run for a period of time (evaluation
version is at least 90 days and registered version is one year).
You can renew the registration fee or download a new version of software
In addition, registered users can request technical support and will be
notified of major releases of software. They can also sign up (fee
involved) for more advanced services such as: Reporting (e.g. rating
and load, top 10 worst queries, etc.) and Performance Tuning.
The Unix version of dbpulse should run properly right out of the box.
Please make sure you have root access. dbpulse will set the ethernet
port to promiscuous mode in order to operate properly.
The Windows version of dbpulse requires a kernel-level packet
filter and some packet capture DLLs to be installed before it will
work properly. If you see a message about pcap.dll not found, then
you may need to install the libpcap software. It is included with the
distribution in C:/foresight/bin . In addition, you must have
Administrator privileges to run dbpulse properly.
Tells where the head of the software distribution is. Typically this
is /foresight for Unix and C:/foresight for Windows. Without
this value set, dbpulse does not know where to access its
configuration, license, and log files.
License file. dbpulse requires a license file (regardless of
version) in order to run.
Log file that records dbpulse start up. All start-up errors can
be found here.
Stop file. To terminate dbpulse , create this file. There are
easier ways to stop dbpulse .
Debug log file for Server
Error log file for Server
Directory for the current working rating and thresh file.
The current files should not be accessed until they are moved to fg.
Old wip files indicate that DBpulse was shutdown and not restarted
within a given 15-minute interval.
Directory for completed rating and thresh files. They start in
wip and wind up in fg .
Directory for processed rating and thresh files. Used in the
find_all_devices(1), sniff_ip(1), service_ctrl(1),
The locking mechanism needs to be revisited to prevent instances of
dbpulse from overwriting each others log, rating, and thresh files.
IP fragmentation has not been addressed and may potentially cause
problems for packets that traverse multiple networks.