Why is Mikrotik router using DRDA protocol?


Hello, I am seeing a lot of traffic on protocol DRDA between my router (10.10.10.1) and laptop (10.10.10.254).

Any idea what this is? I have searched and cannot find much; all I found is linked at the bottom.

I am using a Mikrotik hEX RB750Gr3 running RouterOS version 6.49.10 (stable).

The other day I also noticed TDS / TDS5 packets going between the router and laptop (but very few, like 1 or 2 at a time, very infrequently).

Link1: https://thenetworkguy.typepad.com/nau... Here you'll see the Info column usually has info; all of mine are Unknown.

Link2: https://gitlab.com/wireshark/wireshar... Here again there is something other than Unknown in the Info column.

See screenshot here: https://ibb.co/vxZmj6C

UPDATE: Thanks to Chuckc for the helpful posts. I disabled DRDA in the list of enabled protocols and now Wireshark decodes the packets as TCP, so it looks like it was a case of it incorrectly seeing these packets as DRDA.

span
asked 2024-01-16 15:46:26 +0000, updated 2024-01-17 08:30:34 +0000

Comments

Wireshark is a packet analyser. It can attempt to tell you what is in the packets but not why they are sent.

grahamb (2024-01-16 15:53:06 +0000)

Please update the question with the output of wireshark -v or Help -> About Wireshark: Wireshark.

Chuckc (2024-01-16 17:34:54 +0000)

The Wireshark Wiki Sample Captures has a DRDA capture:

drda_db2_sample.tgz (libpcap) DRDA trace from DB2.

Chuckc (2024-01-16 21:25:59 +0000)

1 Answer


It's most likely not DRDA, which is a heuristic decoder.

epan/dissectors/packet-drda.c:

heur_dissector_add("tcp", dissect_drda_heur, "DRDA over TCP", "drda_tcp", proto_drda, HEURISTIC_ENABLE);

It's tough to confirm without a capture file. You can work through the code to see why your packets are a match.
epan/dissectors/packet-drda.c:

static gboolean
dissect_drda_heur(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
{
    conversation_t * conversation;
    /* Need at least the 6-byte DSS header plus the 4-byte DDM object header */
    if (tvb_captured_length(tvb) >= 10)
    {
        /* The first header is 6 bytes long, so the length in the second header should be 6 bytes less */
        guint16 cOuterLength, cInnerLength;
        cOuterLength = tvb_get_ntohs(tvb, 0);   /* DSS length, big-endian */
        cInnerLength = tvb_get_ntohs(tvb, 6);   /* DDM object length, big-endian */
        /* Only two checks decide the match: the magic byte at offset 2 and the length delta */
        if ((tvb_get_guint8(tvb, 2) == DRDA_MAGIC) && ((cOuterLength - cInnerLength) == 6))
        {
            /* Register this dissector for this conversation */
            conversation = find_or_create_conversation(pinfo);
            conversation_set_dissector(conversation, drda_tcp_handle);

            /* Dissect the packet */
            dissect_drda_tcp(tvb, pinfo, tree, data);
            return TRUE;
        }
    }
    return FALSE;
}

Disable DRDA (Analyze -> Enabled Protocols...) to see which dissector grabs it next.

Chuckc
answered 2024-01-16 17:28:47 +0000
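To see concretely how loosely the heuristic above matches, here is an added stand-alone re-implementation of the same three checks (not Wireshark's code, and not from the answer), run over constructed payloads: one that is a minimal well-formed DRDA DSS and one that is arbitrary bytes which nonetheless pass. It assumes DRDA_MAGIC is 0xD0 as in packet-drda.c, and the DSS/DDM header layout and the EXCSAT codepoint 0x1041 used in build_dss are taken from the DRDA specification, not from the page.

```python
import struct

DRDA_MAGIC = 0xD0  # value of DRDA_MAGIC in packet-drda.c (assumed, not on the page)


def drda_heur_match(payload: bytes) -> bool:
    """Re-implementation of the dissect_drda_heur test quoted in the answer.

    True when the first 10 bytes look like a DRDA DSS header: byte 2 is the
    magic and the outer (DSS) length exceeds the inner (DDM) length by exactly
    6, the size of the DSS header. Nothing else in the payload is inspected.
    """
    if len(payload) < 10:
        return False
    outer_len = struct.unpack_from(">H", payload, 0)[0]
    inner_len = struct.unpack_from(">H", payload, 6)[0]
    return payload[2] == DRDA_MAGIC and (outer_len - inner_len) == 6


def build_dss(codepoint: int, body: bytes) -> bytes:
    """Construct a minimal DSS carrying one DDM object.

    Layout assumed: DSS = length(2) magic(1) format(1) correlator(2), then
    DDM object = length(2) codepoint(2) body.
    """
    inner_len = 4 + len(body)
    outer_len = 6 + inner_len
    dss = struct.pack(">HBBH", outer_len, DRDA_MAGIC, 0x01, 0x0001)
    ddm = struct.pack(">HH", inner_len, codepoint)
    return dss + ddm + body


# Constructed samples, not captured traffic.
SAMPLES = {
    "drda_excsat": build_dss(0x1041, b""),                      # real-looking EXCSAT
    "coincidental_match": bytes.fromhex("0010 d000 0000 000a 0000"),  # passes anyway
    "wrong_magic": bytes.fromhex("0010 d100 0000 000a 0000"),   # byte 2 differs
    "bad_length_delta": bytes.fromhex("0010 d000 0000 0008 0000"),  # delta is 8
    "short": bytes.fromhex("0010 d0"),                          # under 10 bytes
}


def run_samples(samples=SAMPLES) -> dict:
    """Apply the heuristic to each sample; returns name -> matched."""
    return {name: drda_heur_match(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, matched in run_samples().items():
        print(f"{name:20s} {'DRDA' if matched else 'not DRDA'}")
```

Any TCP payload whose byte 2 is 0xD0 and whose two big-endian shorts at offsets 0 and 6 differ by 6 is claimed by this dissector for the rest of the conversation, which is why disabling DRDA under Analyze -> Enabled Protocols is the quickest way to see what the traffic really is.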

Comments

Also, the Magic: value displayed in the screenshot is invalid for DRDA.
This was updated in Cleanup DRDA dissector.

Chuckc (2024-01-16 17:37:02 +0000)

Thanks for the feedback. When I disable DRDA in the list of enabled protocols, most of the packets go to TCP, so it seems it was maybe just incorrectly trying to decode them as DRDA.

span (2024-01-16 20:19:11 +0000)
