Re: New tool: ddldump

  • From: Ravi Madabhushanam <ravi.madabhushanam@xxxxxxxxx>
  • To: cicciuxdba@xxxxxxxxx
  • Date: Tue, 29 Jun 2010 08:10:07 +0530

Thank you very much David.

This tool is really interesting. Can't wait to try it out. Will this work on
Linux?

On Tue, Jun 29, 2010 at 7:07 AM, Guillermo Alan Bort
<cicciuxdba@xxxxxxxxx> wrote:

> Hey David,
>
>    Nice tool, looks very interesting. Does it work on archived redolog
> files? I'll try it in my toy DBs this week... :-) I'd love to do it in
> productive ones, as it works on redo, I'm guessing it has no direct impact
> on the DB... is the source code available?
>
> Thanks.
> Alan.-
>
>
>
> On Mon, Jun 28, 2010 at 9:50 PM, David Litchfield <
> david@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Hey all,
>> As part of a larger project, I've written a small tool called ddldump that
>> parses Oracle redolog files and dumps any DDL statements in an XML format.
>> ddldump has been developed with forensic investigations in mind but can of
>> course be simply used by DBAs to peruse the DDL in their logs. You can
>> download it from http://www.v3rity.com/ddldump.php
>> Cheers,
>> David Litchfield
>> v3rity Ltd
>> http://www.v3rity.com/
>>
>>
>> C:\app\david\oradata\orcl11g>ddldump REDO01.log ddl
>>
>> <?xml version="1.0"?>
>> <LOG>
>> <FILENAME>REDO01.log</FILENAME>
>> <database_sid>ORCL11G</database_sid>
>> <version>11.1</version>
>> <ltimestamp>01/02/2010 15:26:02</ltimestamp>
>> <blocksize>512</blocksize>
>> <nab>234</nab>
>> <lowscn>3977649</lowscn>
>> <nextscn>3977776</nextscn>
>> <ENTRIES>
>> <ENTRY>
>> <TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
>> <RDRCOFST>0x0001CB2C</RDRCOFST>
>> <CHVCOFST>0x0001CB5C</CHVCOFST>
>> <SESSION_USER>SYS</SESSION_USER>
>> <CURRENT_USER>SYS</CURRENT_USER>
>> <SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
>> </SQL_STATETMENT>
>> <SCHEMA>hax0r</SCHEMA>
>> <OBJECT></OBJECT>
>> </ENTRY>
>> </ENTRIES>
>> </LOG>
>> C:\>
>>
>> RDRCOFST is the hexadecimal offset into the redolog file where the redo
>> entry containing the DDL statement can be found
>> CHVCOFST is the hexadecimal offset into the redolog file where the change
>> vector containing the DDL statement can be found
>> TIMESTAMP is the time and date when the redo entry was written to the log
>> file.
>> SESSION_USER is the user that is logged on and initiated the DDL statement
>> CURRENT_USER is the user under whose authority the DDL actually executes.
>> If session_user and current_user are different it could be indicative of a
>> SQL injection attack.
>> SQL_STATEMENT is the DDL that was executed.
>> SCHEMA, if present, is the schema upon which the DDL acts.
>> OBJECT, if present, is the object upon which the DDL acts.

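As an added example (not part of the original thread and not code from ddldump itself), the following Python sketch reads XML in the format shown in the quoted announcement and lists entries where SESSION_USER and CURRENT_USER differ, the condition the announcement describes as a possible indicator of SQL injection. The function names, the second sample entry, and the case-insensitive user comparison are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the first ENTRY is from the post, the second is hypothetical.
SAMPLE = """<?xml version="1.0"?>
<LOG><FILENAME>REDO01.log</FILENAME><ENTRIES>
<ENTRY>
<TIMESTAMP>04/03/2010 01:16:34</TIMESTAMP>
<RDRCOFST>0x0001CB2C</RDRCOFST>
<CHVCOFST>0x0001CB5C</CHVCOFST>
<SESSION_USER>SYS</SESSION_USER>
<CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATETMENT>create user hax0r identified by VALUES '9A3502887F7210C4'
</SQL_STATETMENT>
<SCHEMA>hax0r</SCHEMA>
<OBJECT></OBJECT>
</ENTRY>
<ENTRY>
<TIMESTAMP>04/03/2010 01:20:00</TIMESTAMP>
<RDRCOFST>0x0001D010</RDRCOFST>
<SESSION_USER>SCOTT</SESSION_USER>
<CURRENT_USER>SYS</CURRENT_USER>
<SQL_STATEMENT>grant dba to scott</SQL_STATEMENT>
</ENTRY>
</ENTRIES></LOG>"""

def parse_entries(xml_text):
    """Return one dict per <ENTRY> element of ddldump-style XML."""
    if "<!DOCTYPE" in xml_text.upper():  # the stdlib parser expands DTD entities
        raise ValueError("DTD not expected in ddldump output")
    rows = []
    for e in ET.fromstring(xml_text).iter("ENTRY"):
        # The sample output spells the tag SQL_STATETMENT; the field list says SQL_STATEMENT.
        sql = e.findtext("SQL_STATETMENT") or e.findtext("SQL_STATEMENT") or ""
        rows.append({
            "timestamp": e.findtext("TIMESTAMP", ""),
            "redo_offset": int(e.findtext("RDRCOFST", "0"), 16),
            "session_user": e.findtext("SESSION_USER", "").strip(),
            "current_user": e.findtext("CURRENT_USER", "").strip(),
            "sql": sql.strip(),
            "schema": (e.findtext("SCHEMA") or "").strip(),  # SCHEMA is optional
        })
    return rows

def user_mismatches(rows):
    """Entries whose SESSION_USER differs from CURRENT_USER (case-insensitive: assumption)."""
    return [r for r in rows if r["session_user"].upper() != r["current_user"].upper()]

if __name__ == "__main__":
    for r in user_mismatches(parse_entries(SAMPLE)):
        print(hex(r["redo_offset"]), r["session_user"], "->", r["current_user"], r["sql"])
```

The `redo_offset` value gives the position in the redolog file to examine when confirming a flagged entry against the raw log.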