Most observability stories for Informix are either invasive (server tracing with attendant operational risk and overhead) or opaque (packet capture with no protocol awareness). Oninit® Snooper is a third option: a transparent, read-only TCP forwarder that decodes the SQLI wire protocol in real time and emits a stable structured event stream.
Snooper is a small process that accepts client connections on --listen, opens a paired upstream connection per session to --upstream, and forwards bytes in a plain read() / write() loop, while a parallel reader walks each direction's stream into PFPDU events. Each connection uses three pthreads (one forwarder per direction plus a per-connection logger draining a 256 KiB ring buffer), coordinated through a small shared state struct for cross-direction timing. Decode work is kept off the forwarding path, so the latency added is sub-millisecond per PFPDU plus one extra TCP hop.
Output is a fixed 10-column TSV, one line per PFPDU. Tabs and newlines inside fields are escaped to \t / \n, so there's no quoting layer to defeat shell tools or log shippers. Downstream consumers — SIEM ingest, log-platform pipelines, ad-hoc analysis — don't need a custom parser. cut -f, awk -F'\t', Perl -F'\t', and standard shipper plugins all work as-is.

| Field | Use |
|---|---|
| wall_ts | ISO 8601 UTC microsecond timestamp. Cross-system correlation against any other log source. |
| mono_us | Monotonic μs since the snoop process started. Cheap to subtract for delta arithmetic; immune to NTP / DST jumps. |
| round_us | Round-trip latency, populated on the closing server-side ONI_EOT of every response burst. |
| stmt_us | Statement-level latency, computed from the most recent PREPARE / COMMAND on the connection. |
| gap_us | μs since the previous PFPDU on the same connection in the same direction. Surfaces mid-response stalls that round-trip totals smear. |
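
A consumer for this stream, as an added example (not Oninit's code): it rejects any line that does not split into exactly ten columns, then reports round-trip percentiles and mid-response stalls from gap_us. The column positions in COLS, the treatment of non-numeric timing fields as unpopulated, the 100 ms stall threshold and the sample rows are all assumptions made for illustration.

```python
import statistics

NCOLS = 10
# Assumed positions: the page names these five fields but not their order.
COLS = {"wall_ts": 0, "mono_us": 1, "round_us": 2, "stmt_us": 3, "gap_us": 4}

def parse_line(line):
    """Return the five documented fields as a dict, or None if malformed."""
    fields = line.rstrip("\n").split("\t")
    # Embedded tabs/newlines are escaped, so a valid record has exactly 9 tabs.
    if len(fields) != NCOLS:
        return None
    rec = {"wall_ts": fields[COLS["wall_ts"]]}
    for name in ("mono_us", "round_us", "stmt_us", "gap_us"):
        raw = fields[COLS[name]]
        # Assumption: a non-numeric value means the field is not populated.
        rec[name] = int(raw) if raw.isdigit() else None
    return rec

def summarize(lines, stall_us=100_000):
    """Count rejects, summarize round_us, list records whose gap_us >= stall_us."""
    good, rejected = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            rejected += 1   # count, never silently drop: truncation or injection
        else:
            good.append(rec)
    rounds = sorted(r["round_us"] for r in good if r["round_us"] is not None)
    stalls = [(r["wall_ts"], r["gap_us"]) for r in good
              if r["gap_us"] is not None and r["gap_us"] >= stall_us]
    p95 = rounds[min(len(rounds) - 1, int(0.95 * len(rounds)))] if rounds else None
    return {"records": len(good), "rejected": rejected,
            "round_median_us": statistics.median(rounds) if rounds else None,
            "round_p95_us": p95, "stalls": stalls}

def _row(wall, mono, rnd, stmt, gap):
    # Constructed row: columns 6-10 are placeholders; the last one carries an
    # escaped tab (backslash + t) to show it does not add a column.
    return "\t".join([wall, str(mono), rnd, stmt, str(gap), "-", "-", "-", "-", "a\\tb"])

SAMPLE = [  # constructed data, not real Snooper output
    _row("2024-01-01T00:00:00.000100Z", 100, "", "", 0),
    _row("2024-01-01T00:00:00.000900Z", 900, "800", "800", 0),
    _row("2024-01-01T00:00:00.005000Z", 5000, "", "", 4100),
    _row("2024-01-01T00:00:00.255000Z", 255000, "250000", "250000", 254100),
    _row("2024-01-01T00:00:00.300000Z", 300000, "1200", "1200", 45000),
    "2024-01-01T00:00:00.400000Z\ttruncated",  # malformed: 2 columns
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A non-zero rejected count is worth alerting on in a SIEM pipeline, since the escaping rule means every well-formed record has the same column count.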

| Pattern | Fit |
|---|---|
| Production observability | Standing observability for Informix workloads where server-side tracing is too expensive or restricted. |
| Pre-production performance verification | Capture before / after a release in front of the same client; diff the round-trip distributions. |
| Incident triage | Drop in front of the misbehaving instance during the incident. No IDS restart, no client redeploy. Pull it out when the bridge is clear. |
| Long-term audit | Wire-level activity export into the rest of the estate's log platform via the standard TSV. |

The output is a documented TSV schema. The binary is built on commodity Linux and runs without IBM dependencies on the deployment host. There is no agent fleet, no central server, no licensing of decoded fields, and no proprietary dashboard the operator is forced to use. If the team later moves the same data into a different observability backend, the existing TSV is the export.
Next step: a one-hour scoping call to map the snoop into the target architecture for one workload. Email support@oninit.com.
If you really understand what Snooper does, you realize it fundamentally changes how Informix applications can be deployed.
It allows existing Informix applications to run against any database without modification. By decoupling legacy systems from their original data layer, it removes the need for costly rewrites and enables safe, phased modernization. Organizations can preserve proven application logic while moving data and infrastructure forward—reducing risk, cost, and disruption.
To discuss how Oninit® can assist, please call +1-913-732-8892 or send an email specifying your requirements.
You get all this for free. Think about what you get if you pay us.