DRDA stands for Distributed Relational Database Architecture. It originated at IBM and is published as an open standard by the Open Group. DRDA is an application layer protocol that encapsulates SQL commands and responses for distributed transactions.
If you’ve got DB2 in your enterprise, you’ve got DRDA. In theory the standard is SQL agnostic, but personally I have only seen it in DB2 environments. I've analyzed it running on a wide variety of hardware and operating system platforms, including Windows, UNIX, and z/OS.
Many of us that analyze packets, protocols, and flows for a living are familiar with the Tabular Data Stream (TDS) protocol used by SQL Server (Sybase and Microsoft) or the Transparent Network Substrate (TNS) protocol utilized by Oracle.
But understanding DRDA protocols and packets remains something of a mystery. Perhaps it’s because, as of this writing, commercial analyzers (designed for the Enterprise?) don’t decode it. This is a shame, because DB2 has a significant market share when it comes to moving serious data around in large enterprises.
Fortunately there is a way: Wireshark. Yes, the open source analyzer for which CACE Technologies has led the effort over the past couple of years in cleaning it up, seriously enhancing it (shoot, they hired the guy who was the big gun in fixing Ethereal bugs), and moving it into the mainstream.
I’m not here to sing the praises of Wireshark because, like all analysis products, it can’t do everything. But when I needed to do some serious DB2 analysis, it was a lifesaver.
Soapbox: Decodes, for the most part, are commoditized. I wish the analysis vendors would get off their high horse, use the Wireshark decodes, and give something back to the community by assisting in decode development. What a shocking idea! A vendor can save the value add for decodes that are proprietary or require a license fee, or it can add value to decodes by developing better expert systems. The DRDA specification has been out there for 10 years and it’s freely available!
Actually, there are some high-end commercial offerings for the enterprise that do decode DRDA indirectly. Opnet comes to mind, and they use the Wireshark decodes. Smart, huh? Niksun also utilizes Wireshark under the skin in some of their products. Compuware offers DRDA as part of an optional database analysis package for Agentless.
DRDA is divided into two “architectures”: 1) the Distributed Data Management (DDM) architecture, which provides the command and reply structure, and 2) the Formatted Data Object Content Architecture (FD:OCA), which gives us the data definition. The stuff you care about as a network analysis person looking at packet decodes is the former.
There are some 1000+ total pages of overview and detail about DDM, so I’ll refer the reader to the spec. It’s really not that intimidating once you see and study it. And what better way to learn than to look at packet captures?
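To make the DDM command and reply structure concrete before we get to captures, here is a small Python parser and builder for the data stream structures (DSSs) that carry DRDA commands on the wire. This is an added example, not code from this post, from IBM, or from the Open Group. The 6-byte DSS header layout (length, 0xD0 identifier, format byte, correlator), the length-plus-code-point object framing, and the code point values are the standard DRDA/DDM assignments as I know them from the spec; the function names and the sample EXCSAT (exchange server attributes) request are this example's own constructions.

```python
"""Minimal DRDA/DDM data stream structure (DSS) parser and builder.

Added example, not from the original post. Wire layout (from the DDM
architecture in the DRDA spec):

  DSS header (6 bytes): LENGTH(2) | DDMID 0xD0 | FORMAT(1) | CORRELATOR(2)
  then one DDM object:  LENGTH(2) | CODEPOINT(2) | value
  command/reply values are a run of parameters with the same framing.

Code points are the standard DRDA assignments; everything else
(function names, sample strings) is constructed for this example.
"""
import struct
from dataclasses import dataclass, field

DDMID = 0xD0
FMT_TYPE_MASK = 0x0F          # low nibble of FORMAT = DSS type
FMT_CHAINED = 0x40            # another DSS follows in this chain
DSS_TYPES = {1: "RQSDSS", 2: "RPYDSS", 3: "OBJDSS", 4: "CMNDSS", 5: "NORPYDSS"}

CODEPOINTS = {
    0x1041: "EXCSAT", 0x1443: "EXCSATRD", 0x106D: "ACCSEC", 0x106E: "SECCHK",
    0x2001: "ACCRDB", 0x2201: "ACCRDBRM", 0x200A: "EXCSQLIMM",
    0x200B: "EXCSQLSTT", 0x200C: "OPNQRY", 0x2414: "SQLSTT", 0x2408: "SQLCARD",
    0x115E: "EXTNAM", 0x1147: "SRVCLSNM", 0x116D: "SRVNAM", 0x115A: "SRVRLSLV",
    0x1404: "MGRLVLLS", 0x1403: "AGENT", 0x2407: "SQLAM", 0x240F: "RDB",
    0x1440: "SECMGR",
}


@dataclass
class DdmObject:
    codepoint: int
    value: bytes                               # raw bytes after the 4-byte header
    params: list = field(default_factory=list)  # decoded only for commands/replies

    @property
    def name(self):
        return CODEPOINTS.get(self.codepoint, f"0x{self.codepoint:04X}")


@dataclass
class Dss:
    dss_type: str
    chained: bool
    correlator: int
    obj: DdmObject


def _parse_objects(buf):
    """Walk a run of length-prefixed DDM objects, failing on bad lengths."""
    objs, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated DDM object header")
        length, cp = struct.unpack_from(">HH", buf, off)
        if length < 4 or off + length > len(buf):
            raise ValueError(f"bad object length {length} at offset {off}")
        objs.append(DdmObject(cp, bytes(buf[off + 4:off + length])))
        off += length
    return objs


def parse_dss_stream(data):
    """Split bytes into DSSs; decode parameters of request/reply DSSs.

    OBJDSS payloads (e.g. SQLSTT, SQLCARD) are FD:OCA-described data,
    not DDM parameter lists, so they are kept raw.
    """
    dsses, off = [], 0
    while off < len(data):
        if off + 6 > len(data):
            raise ValueError("truncated DSS header")
        length, magic, fmt, corr = struct.unpack_from(">HBBH", data, off)
        if magic != DDMID:
            raise ValueError(f"bad DDMID 0x{magic:02X} at offset {off}")
        if length < 6 or off + length > len(data):
            raise ValueError(f"bad DSS length {length} at offset {off}")
        top = _parse_objects(data[off + 6:off + length])
        if len(top) != 1:
            raise ValueError("expected exactly one top-level object per DSS")
        obj = top[0]
        if (fmt & FMT_TYPE_MASK) in (1, 2):       # RQSDSS / RPYDSS carry parameters
            obj.params = _parse_objects(obj.value)
        dsses.append(Dss(DSS_TYPES.get(fmt & FMT_TYPE_MASK, "UNKNOWN"),
                         bool(fmt & FMT_CHAINED), corr, obj))
        off += length
    return dsses


def manager_levels(param):
    """Decode a MGRLVLLS value: repeated (manager code point, level) pairs."""
    if param.codepoint != 0x1404 or len(param.value) % 4:
        raise ValueError("not a well-formed MGRLVLLS parameter")
    return {CODEPOINTS.get(cp, f"0x{cp:04X}"): lvl
            for cp, lvl in struct.iter_unpack(">HH", param.value)}


def is_wellformed(data):
    """True if the whole byte string parses as a chain of DSSs."""
    try:
        parse_dss_stream(data)
        return True
    except ValueError:
        return False


def summarize(data):
    """One line per DSS, roughly what a decoder's summary column shows."""
    out = []
    for d in parse_dss_stream(data):
        chain = " chained" if d.chained else ""
        names = ", ".join(p.name for p in d.obj.params)
        out.append(f"{d.dss_type} corr={d.correlator}{chain} {d.obj.name}[{names}]")
    return out


# --- builder side, used to construct the sample below ---------------------
def ddm_object(codepoint, value):
    return struct.pack(">HH", 4 + len(value), codepoint) + value


def dss(dss_type, correlator, obj_bytes, chained=False):
    fmt = dss_type | (FMT_CHAINED if chained else 0)
    return struct.pack(">HBBH", 6 + len(obj_bytes), DDMID, fmt, correlator) + obj_bytes


def sample_excsat():
    """Constructed EXCSAT request (first command a client sends); strings in EBCDIC cp500."""
    mgr = b"".join(struct.pack(">HH", cp, 7) for cp in (0x1403, 0x2407, 0x240F, 0x1440))
    params = (ddm_object(0x115E, "MYAPP".encode("cp500"))
              + ddm_object(0x1147, "QDB2/NT".encode("cp500"))
              + ddm_object(0x1404, mgr))
    return dss(1, 1, ddm_object(0x1041, params))


if __name__ == "__main__":
    print(summarize(sample_excsat()))
```

Two things worth noticing: the parser refuses any length field that runs past the buffer rather than reading what is there, which is the behaviour you want from a decoder fed captures off a hostile segment, and the same framing (length, code point, value) recurs at every level, which is why the DDM spec is less intimidating than its page count suggests.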
In my next blog we’ll do just that and take a closer look.