Also: Wireshark works well to see what commands are going over the network to the DB.
I'm not sure why you would ever... oh. Yeah, that.
Did a security audit once (and only once, it's not my thing, but I was the only guy the consulting company knew to call) where the client didn't think I was doing anything because they didn't see massive traffic during my testing.
I gave some general suggestions on security, places where the web-app could be given invalid data that busted some things. And then I told them the Oracle password to their DB. Not sure why anybody would put that in a cookie, but they did.