PostgreSQL communications
Concept
A PostgreSQL communication is a set of requests / responses between a PostgreSQL client and a PostgreSQL database.
It is a sequence of related TCP packets in a TCP session between a client and a server.
Each Psql communication is associated with:
- Source and destination IP address
- Source and destination TCP port
- The connection information (user, database, protocol version...)
- The Tables used in the SQL requests if any
- The kind of request (simple or extended query)
- The SQL queries used
- The cursors, portals and prepared statements used
- The table fields used in where clauses, join clauses, or in output columns
- The table fields inserted or updated
- The response with its status, error and data rows
The Psql communications are extracted while parsing the TCP sessions in streaming, on Spider backend.
Global Tab
Timing
The timing diagram shows much information at a glance:
General
The General section shows identification information:
| Field | Description |
|---|---|
| From | Host and port of the captured client |
| User | The user used to connect to PostgreSQL |
| Super user | Tells if the user has superuser permissions |
| To | Host and port of the captured server / service |
| Database | PostgreSQL database the user connected to |
| Server version | PostgreSQL database version |
| Protocol versions | PostgreSQL wire protocol version |
From,OriginandIdentificationare showing, by order of preference:- The short name of the Host, as extracted during integration in the backend, or as renamed by a user
- The FQDN of the Host
- The IP address, if no Host found
- All other fields are extracted from the Startup exchanges at PostgreSQL connection time.
Request
The Request section shows summary information of the request part:
| Field | Description |
|---|---|
| Template | Computed query name to identify the request |
| Date | Date of the request, user's local time |
| Request | The main SQL command issues, concatenated with the Tables queried |
| Size | Total bytes sent to the server |
- Spider request
Templateis a very important [feature] allowing to have a uniquenamefor all the same SQL calls, removing variables etc.
Response
The Response section shows summary information of the response part:
| Field | Description |
|---|---|
| Status | A computed status, made to match HTTP semantics |
| Duration | The different between request start and response end |
| Row count | Count of rows returned when fetching data |
| Size | Total bytes received by the server |
Tags
Tags are a very powerful feature of Spider parsing process.
They are [configured at Whisperer level], and allow custom extraction of the data exchanged.
They allow searching and aggregating by the extracted values.
Spider parses SQL queries and the responses during processing, then links queries and responses together.
Tags may be set to extract any field value found in the SQL queries and responses.
Tags may be enriched / decoded by a plugin.
For instance:
- To translate internal identifiers from requests in their business names
- With a link to open them in the application under observation
Spider info
This section shows Spider own information:
| Field | Description |
|---|---|
| Whisperer | Name and link to the Whisperer |
| Instance | Instance of the Whisperer that captured the communication |
| Tcp session | Tcp session id and link |
| Request parsing | Parsing status of the request |
| Response parsing | Parsing status of the response |
Actions
When packets are saved and available, you may download a .pcap file with this communication only.
Request tab
The Request tab shows the series of messages sent by the client to the database.
- In
simplequeries, there is only onequerymessage. - In
extendedqueries, there are more messages, most often:parsemessagebindmessageexecutemessagesyncmessage
Queries are shown pretty printed. And the extraction done by Spider is shown below the query:
- tables used
- fields used in where clauses,
- fields used in join clauses,
- fields in output
- fields inserted or updated
Fields in output or in where clauses may be declared as tags to extract their values from both requests or responses messages.
Response tab
The Response tab shows the series of messages sent by the server in response to the client.
RowDescriptionmessages are shown with theOrigin fieldwhen extracted from the associated query.DataRowmessages are aggregated for readability in a singleDataRowsmessage and shown as a grid.
Packets tab
The Packets tab shows the network packets composing the PostgreSQL communication.
You may open them by clicking on the rows.
| Field | Description |
|---|---|
| Dir | Diraction of the packet |
| Time | Time the packet was captured |
| Payload | Sized of the TCP payload |
| Info | Flags and beginning of TCP payload, in ASCII |
::: note
When the communication is over TLS, the packets are encrypted.
The only ways to see them decrypted is to access the TCP session, and:
- to read the packets from the beginning, in the
contenttab, - or to export the session in
.pcapngformat (for Wireshark or alike) :::
Source
The Source tab shows the PostgreSQL communication in JSON format.
Below is a sample PostgreSQL communication as it is available through the API:
{
"@id": "bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313.PG.92.41",
"@type": "PgCommunication",
"dateModified": "2026-01-03T15:45:12.160+00:00",
"version": "0.1",
"tcpSession": "bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313",
"instanceId": "f7oPi5XITy6d3Vrk4gWSpg",
"name": "490517.172.18.45.38-59132-172.18.45.38-5432.PG.92.41",
"whisperer": "bQaw4laRQk2ooP5pGtW18w",
"kind": "simple",
"req": {
"command": "SELECT",
"template": "-",
"tables": [
"PG_DATABASE"
],
"size": 122,
"packets": [
"bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313-264",
"bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313-265"
],
"start": 1765862694.960045,
"startDate": "2025-12-16T05:24:54.960Z",
"end": 1765862694.960047,
"status": "COMPLETE",
"subCommands": [
{
"messageType": "Query",
"content": {
"query": "SELECT datname FROM pg_database WHERE datallowconn = true AND datistemplate = false AND datname != current_database()",
"_analyzedQuery": {
"tablesUsed": [
"pg_database"
],
"outputFields": [
{
"index": 0,
"path": "pg_database.datname",
"kind": "direct",
"sources": [
{
"table": "pg_database",
"column": "datname"
}
]
}
],
"checkedFields": [
{
"path": "pg_database.datallowconn",
"value": true
},
{
"path": "pg_database.datistemplate",
"value": null
}
]
}
},
"command": "SELECT",
"truncated": true
}
],
"commandsCount": 1,
"statementsUsed": [],
"portalsUsed": [],
"cursorsUsed": [],
"endDate": "2025-12-16T05:24:54.960Z"
},
"res": {
"rowCount": 3,
"size": 121,
"packets": [
"bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313-266",
"bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313-267"
],
"start": 1765862694.960365,
"end": 1765862694.960369,
"endDate": "2025-12-16T05:24:54.960Z",
"status": "COMPLETE",
"resultsCount": 6,
"subResults": [
{
"messageType": "RowDescription",
"content": {
"fields": [
{
"name": "datname",
"tableOID": 1262,
"colAttr": 2,
"dataTypeOID": 19,
"dataTypeSize": 64,
"typeModifier": -1,
"format": 0
}
]
}
},
{
"messageType": "DataRow",
"content": {
"values": [
"snapshot"
]
}
},
{
"messageType": "DataRow",
"content": {
"values": [
"devicemanagementeditor"
]
}
},
{
"messageType": "DataRow",
"content": {
"values": [
"quickselect"
]
}
},
{
"messageType": "CommandComplete",
"rowCount": 3,
"statusCode": 200,
"content": {
"tag": "SELECT 3"
}
},
{
"messageType": "ReadyForQuery",
"content": {
"status": "Idle"
}
}
],
"startDate": "2025-12-16T05:24:54.960Z"
},
"stats": {
"statusCode": 200,
"statusText": "Ok",
"duration": 0.00032401084899902344,
"withTls": true,
"dst": {
"ip": "172.18.45.38",
"port": 5432,
"socket": "172.18.45.38:5432"
},
"src": {
"ip": "172.18.45.38",
"port": 59132,
"socket": "172.18.45.38:59132"
},
"timespan": {
"gte": "2025-12-16T05:24:54.960Z",
"lte": "2025-12-16T05:24:54.960Z"
},
"tags": {
"values": {},
"count": {},
"cardinality": {}
}
},
"connectionMetadata": {
"user": "postgres",
"database": "postgres",
"protocolVersion": "3.0",
"client_encoding": "UTF8",
"DateStyle": "ISO, MDY",
"default_transaction_read_only": "off",
"is_superuser": "on",
"server_version": "15.1 (Ubuntu 15.1-1.pgdg22.04+1)",
"session_authorization": "postgres",
"TimeZone": "Etc/UTC"
},
"pgParsing": "bQaw4laRQk2ooP5pGtW18w.f7oPi5XITy6d3Vrk4gWSpg.490517.172.18.45.38-59132-172.18.45.38-5432.2630178313.PgParsingLog",
"_update": 1017,
"_eTag": "\"8b-XwVu0Um2r3QrGQcKmHn7s6nw1Mg\""
}
Most fields are self-explanatory. Most fields are indexed and searchable.
Some extra explanation:
| Field | Description |
|---|---|
| connectionMetadata | Data extracted at connection time, and copied to all communications inside the session |
| stats | Stats object regroup most important information |
| stats.timespan | Indexed as range, to allow range searching and aggregations |
| stats.src|dst.name | Hostname resolved on the Whisperer |
| stats.tags.* | Extracted tags values, count and cardinality |
| req\res.status | Parsing status |
| _update | Internal field linked to parsing concurrency control |