Decode Security Mechanism in DRDA protocol
Summary
I am connecting to Db2 server with different Db2 clients and I am interested which Security Mechanism is supported by Db2 server and which is supported by Db2 client.
In Wireshark DRDA protocol Security Mechanism is not decoded. I am providing some info, how to improve this and decode Security Mechanism.
Steps to reproduce
- In Wireshark set the capture filter to "port 60127", where the Db2 server is listening in my case.
- With a Db2 client, connect to the Db2 server.
- Stop capturing network traffic and set the display filter to "drda".
- Now concentrate on the Security Mechanism (SECMEC) with code point "0x11a2".
Security Mechanism is the way the Db2 client and Db2 server negotiate how userids/passwords are sent. For example, the Db2 client says: "I support the encrypted userid and encrypted password Security Mechanism" and the Db2 server answers: "I support only non-encrypted userid and password."
The DRDA specification https://pubs.opengroup.org/onlinepubs/9699939199/toc.pdf gives a more precise definition on page 777:
"When SECMEC flows from the source server to the target server, the SECMEC parameter specifies the security mechanism combination that the source server wants to use."
"When SECMEC flows from the target server to the source server, the SECMEC parameter must either reflect the value requested by the source server or if the target server does not support the requested security mechanism, then the target server returns the SECMEC values that it does support."
Security Mechanism information is useful when debugging why no encrypted userid and password are sent over the DRDA protocol. It shows which of the two, the Db2 client or the Db2 server, does not support encryption.
Packet 14:
The Db2 client is listening on port 62233 and sends data to the Db2 server listening on 60127. The Db2 client sends the information: "I as Db2 client support Security Mechanism 9 = Encrypted Userid and Encrypted Password." Note: Security Mechanism numbers are explained on page 778.
Packet 16:
Db2 server listening on port 60127 sends info: "I as Db2 server support only 3 = UserID and Password (so without encryption) and also I support 5 = Userid and Password and New Password (To simplify: 5 = the same as 3 plus also changing password)."
Packet 18:
The Db2 client from port 62233 sends data to the Db2 server on port 60127 with: "I am using Security Mechanism 3 = UserID and Password (that is, without encryption)"
Conclusion: From this data I see the Db2 client supports userID/password encryption, but the Db2 server does not support encryption. The cause of not supporting encryption should be investigated on the Db2 server side.
It would be nice if Security Mechanism information were easily readable from Wireshark itself, without digging into the DRDA documentation.
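To show what a decoder of this field has to do, here is an added example (not Wireshark code and not part of the report) that parses the DDM object carried after the DSS header, collects every SECMEC (0x11a2) parameter from an ACCSEC command and its ACCSECRD reply, and applies the same reasoning as the conclusion above to name the side that does not offer encryption. The ACCSEC/ACCSECRD code points and the SECMEC names other than 3, 5 and 9 are taken from the DRDA SECMEC table; the packet bytes are constructed to mirror packets 14 and 16.

```python
import struct

# DDM code points from the DRDA spec (only SECMEC 0x11a2 is named in the report)
CP_ACCSEC = 0x106D    # ACCSEC command, client -> server
CP_ACCSECRD = 0x14AC  # ACCSECRD reply data, server -> client
CP_SECMEC = 0x11A2    # SECMEC parameter, 2-byte value

# SECMEC values: 3, 5 and 9 are seen in the report; the rest are from the
# DRDA SECMEC table (spec page 778). Unknown values are reported numerically.
SECMEC_NAMES = {
    3: "USRIDPWD (userid and password, cleartext)",
    4: "USRIDONL (userid only)",
    5: "USRIDNWPWD (userid, password and new password, cleartext)",
    7: "USRENCPWD (userid and encrypted password)",
    9: "EUSRIDPWD (encrypted userid and encrypted password)",
    11: "KERSEC (Kerberos)",
}
ENCRYPTED = {7, 9}  # mechanisms that do not send the password in cleartext

def parse_ddm_object(buf):
    """One DDM object: 2-byte big-endian length (incl. header), 2-byte code point, data."""
    if len(buf) < 4:
        raise ValueError("truncated DDM header")
    length, cp = struct.unpack(">HH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("bad DDM length %d" % length)
    return cp, buf[4:length], buf[length:]

def secmec_values(command):
    """Return all SECMEC values inside an ACCSEC or ACCSECRD object (DSS header removed)."""
    cp, payload, rest = parse_ddm_object(command)
    if rest or cp not in (CP_ACCSEC, CP_ACCSECRD):
        raise ValueError("expected a single ACCSEC/ACCSECRD object, got 0x%04x" % cp)
    values = []
    while payload:  # parameters are themselves DDM objects; ACCSECRD may repeat SECMEC
        pcp, pdata, payload = parse_ddm_object(payload)
        if pcp == CP_SECMEC:
            if len(pdata) != 2:
                raise ValueError("SECMEC value must be 2 bytes")
            values.append(struct.unpack(">H", pdata)[0])
    return values

def diagnose(client_req, server_reply):
    """Which side fails to offer an encrypted mechanism: 'client', 'server' or 'none'."""
    asked = secmec_values(client_req)
    offered = secmec_values(server_reply)
    if not any(v in ENCRYPTED for v in asked):
        return "client"
    return "server" if not any(v in ENCRYPTED for v in offered) else "none"

def ddm(cp, payload):  # helper to build a DDM object for the constructed sample
    return struct.pack(">HH", len(payload) + 4, cp) + payload

# Constructed bytes mirroring packet 14 (client offers 9) and packet 16 (server offers 3 and 5)
PKT14 = ddm(CP_ACCSEC, ddm(CP_SECMEC, struct.pack(">H", 9)))
PKT16 = ddm(CP_ACCSECRD, ddm(CP_SECMEC, struct.pack(">H", 3)) + ddm(CP_SECMEC, struct.pack(">H", 5)))
```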
What is the current bug behavior?
Security Mechanism is not decoded.
What is the expected correct behavior?
Decode Security Mechanism.
Sample capture file
Build information
Version 4.0.4 (v4.0.4-0-gea14d468).
Compiled (64-bit) using Microsoft Visual Studio 2022 (VC++ 14.32, build 31332), with GLib 2.72.3, with PCRE2, with zlib 1.2.12, with Qt 5.15.2, with libpcap, with Lua 5.2.4, with GnuTLS 3.6.3 and PKCS #11 (closed) support, with Gcrypt 1.10.1, with Kerberos (MIT), with MaxMind, with nghttp2 1.46.0, with brotli, with LZ4, with Zstandard, with Snappy, with libxml2 2.9.14, with libsmi 0.4.8, with QtMultimedia, with automatic updates using WinSparkle 0.5.7, with AirPcap, with SpeexDSP (using bundled resampler), with Minizip, with binary plugins.
Running on 64-bit Windows 10 (21H2), build 19044, with Intel(R) Core(TM) i7-3770 CPU @ 3.40GHz (with SSE4.2), with 16173 MB of physical memory, with GLib 2.72.3, with PCRE2 10.40 2022-04-14, with Qt 5.15.2, with Npcap version 1.71, based on libpcap version 1.10.2-PRE-GIT, with c-ares 1.18.1, with GnuTLS 3.6.3, with Gcrypt 1.10.1, with nghttp2 1.46.0, with brotli 1.0.9, with LZ4 1.9.3, with Zstandard 1.5.2, without AirPcap, with light display mode, without HiDPI, with LC_TYPE=English_Slovenia.utf8, binary plugins supported.