Hello, I'm trying to decode some DB2 traffic, but I'm not finding a decode. It looks like there used to be a DRDA entry, but I don't see it on 1.6.1 (Windows). Thanks for any info. asked 11 Aug '11, 10:11 RickE
One Answer:
I'm not sure what you mean by "used to be a DRDA entry". Where?

The DRDA dissector is a heuristic dissector riding on top of TCP. This means that it is in the list of heuristic dissectors called in turn by the TCP dissector. Each dissector does a heuristic test of the TCP payload data to see if the dissector considers the payload to be valid for that dissector. The TCP dissector can call the heuristic dissectors before or after checking for TCP port protocol mappings. So:

One possibility: The TCP payload is being dissected as something other than DRDA because of a TCP port mapping to a protocol. If the TCP preference "try heuristic dissectors first" is not set, you might try setting that preference and see what happens.

Another possibility: another dissector in the TCP heuristic dissector list before the DRDA dissector "accepts" the data for dissection. If this is the case, try disabling the other protocol (Analyze → Enabled Protocols).

Another possibility: The TCP payload data doesn't match the heuristic used by the DRDA dissector. If you're convinced that the data should be dissected as DRDA, you can file a bug report at bugs.wireshark.org attaching a (small) capture file showing the problem.

answered 11 Aug '11, 20:36 Bill Meier ♦♦ edited 11 Aug '11, 20:40
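The three situations in the answer above (port mapping wins, an earlier heuristic accepts the payload first, payload fails the DRDA heuristic) can be reproduced with a small model of how a TCP dissector hands payload to port-mapped and heuristic sub-dissectors. This is an added example, not code from the answer or from Wireshark: the DRDA DSS header layout it checks (2-byte big-endian length, 0xD0 magic, format byte, 2-byte correlation id, then a 2-byte-length/2-byte-codepoint DDM object) is my reading of the DDM framing and is an assumption here; the port number 50000, the protocol names "legacy-app" and "loose-proto", the heuristic ordering and the sample payload are all constructed for the demo.

```python
import struct

# Assumed DRDA DSS framing (not taken from the page): the heuristic below
# mirrors the kind of test a heuristic dissector performs on a TCP payload.
DRDA_MAGIC = 0xD0
DSS_TYPES = {1, 2, 3, 4, 5}      # low nibble of the format byte: RQSDSS, RPYDSS, OBJDSS, ...

# Hypothetical port-to-protocol mapping, standing in for a TCP port registration.
PORT_MAP = {50000: "legacy-app"}


def build_dss(codepoint: int, dss_type: int = 1, correlation: int = 1, body: bytes = b"") -> bytes:
    """Construct one DSS carrying a single DDM object (sample data for the demo)."""
    ddm = struct.pack(">HH", 4 + len(body), codepoint) + body
    return struct.pack(">HBBH", 6 + len(ddm), DRDA_MAGIC, dss_type, correlation) + ddm


def drda_heuristic(payload: bytes) -> bool:
    """Accept the payload only if it looks like a well-formed DRDA DSS."""
    if len(payload) < 10:
        return False
    dss_len, magic, fmt = struct.unpack(">HBB", payload[:4])
    if magic != DRDA_MAGIC or (fmt & 0x0F) not in DSS_TYPES:
        return False
    if dss_len < 10 or dss_len > len(payload):
        return False
    ddm_len, _codepoint = struct.unpack(">HH", payload[6:10])
    return ddm_len == dss_len - 6


def loose_heuristic(payload: bytes) -> bool:
    """Hypothetical over-broad heuristic: any length-prefixed blob is 'mine'.

    It sits before DRDA in the list, so it shadows DRDA exactly as the
    second possibility in the answer describes."""
    return len(payload) >= 2 and struct.unpack(">H", payload[:2])[0] == len(payload)


# Order matters: heuristics are tried in turn and the first acceptance wins.
HEURISTICS = [("loose-proto", loose_heuristic), ("drda", drda_heuristic)]


def classify(port: int, payload: bytes, try_heuristic_first: bool = False,
             disabled: frozenset = frozenset()) -> str:
    """Model the TCP dissector's choice of sub-dissector for one payload."""
    def by_port():
        return PORT_MAP.get(port)

    def by_heuristic():
        for name, test in HEURISTICS:
            if name in disabled:          # Analyze → Enabled Protocols unticked
                continue
            if test(payload):
                return name
        return None

    order = (by_heuristic, by_port) if try_heuristic_first else (by_port, by_heuristic)
    for step in order:
        result = step()
        if result:
            return result
    return "tcp"                          # nothing claimed it: shown as plain TCP data


if __name__ == "__main__":
    sample = build_dss(0x1041)            # constructed codepoint value for the demo
    print(classify(50000, sample))                                   # port map wins
    print(classify(50000, sample, try_heuristic_first=True))         # shadowed by loose-proto
    print(classify(50000, sample, True, frozenset({"loose-proto"}))) # drda
    broken = bytearray(sample); broken[2] = 0x00
    print(classify(4711, bytes(broken), disabled=frozenset({"loose-proto"})))  # tcp
```

Running it walks through the answer's checklist in order: the mapped port shadows DRDA until "try heuristic dissectors first" is set, the earlier heuristic then shadows it until that protocol is disabled, and a payload whose magic byte is wrong is never claimed and stays plain TCP, which is the case where a capture file in a bug report is the right next step.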
Thanks for the reply. I enabled heuristic dissectors, but it didn't change - the Protocol classified as TCP. The traffic is from a MS SQL Server to DB2 on a mainframe. When I google those terms, they lead to pages that describe how to decode DRDA with Wireshark to analyze the traffic. In those, they show DRDA listed as the protocol. I can see DRDA listed under Preferences->Protocols, but I don't see it listed when I try to force a "Decode As".
(I converted your answer to a comment to conform to the way ask.wireshark.org is intended to be used. See the FAQ).
ask.wireshark.org is not really suited for a discussion. (FAQ) This is a discussion forum, right? "No. This is a Q&A site. Answers move up and down depending on votes. If you treat it like a traditional time-descending web forum things can get very confusing."
Maybe the best way to resolve this issue is for you to submit a bug at bugs.wireshark.org attaching a (small) capture file which shows the issue. If needed, you can mark the file as "private" so that only the Wireshark core developers have access.
Otherwise please use the mail list [email protected] for further discussion.