Dissecting SAP DIAG Protocol – First Client Package

In the previous article about support bits, I explained that the first information sent to the server is the support bits.

Let's examine the package at the moment just before the client sends it:

You can see from the red box here that the support bits do indeed exist near the end of the package data. You can also see that the support bits record is just a small part of the package.

Most of the other records are used internally in the communication session. Luckily, some of the important fields can be deciphered by activating the level 3 trace of the sapgui client.

The size of the package can be determined from the trace information, and in this particular case it is 262 decimal (0x106 in hex):

realloc TmIWrite-netout from 0 to 262 bytes.

According to the trace information, it consists of three parts: the dp (200 bytes), the th (8 bytes) and the data record (54 bytes):

fill buf with heads (dp 200 th 8) and data (54)

When trace level 3 is activated, the sapcomni.dll module calls DpRqTrace, which deciphers some of the important information in the package fields.

DWORD at offset 0x00 to 0x03 denotes the request id, which is documented in SAP as the dispatch request type. Its values are described in SapComNi!DpRqTxt as:

0x00000000 = NOWP
0x00000001 = DIA
0x00000002 = UPD
0x00000003 = ENQ
0x00000004 = BTC
0x00000005 = SPO
0x00000006 = UP2

Byte at offset 0x04 has two possible values, i.e. 0x0A and 0x0B. It seems that the value from the SAP GUI terminal always ends up as 0x0A; changing this value to 0x0B immediately causes this error:

this retcode should be handled by caller of DPTM-layer

Offset 0x05 is the sender id. It is usually blank for the sapgui client; the descriptions of the other values can be obtained from DpRqSenderIdToString:

0x01 = DISPATCHER
0x02 = WORK_PROCESS
0x04 = REMOTE_TERMINAL
0x20 = APPC_TERMINAL
0x40 = APPC_GATEWAY
0xC8 = ICMAN
0xC9 = IC_MONITOR
0xCB = LCOM

Byte at offset 0x06 is described in DpRqTrace as the action type:

0x01 = SEND_TO_DP
0x02 = SEND_TO_WP
0x03 = SEND_TO_TM
0x04 = SEND_TO_APPC
0x05 = SEND_TO_APPCTM
0x06 = SEND_MSG_TYPE
0x07 = SEND_MSG_REQUES
0x08 = SEND_MSG_REPLY
0x09 = SEND_MSG_ONEWAY
0x0A = SEND_MSG_ADMIN
0x0B = WAKE_UP_WPS
0x0C = SET_TIMEOUT
0x0D = DEL_SCHEDULE
0x0E = ADD_SOFT_SERV
0x0F = SUB_SOFT_SERV
0x10 = SHUTDOWN
0x11 = SEND_TO_MSGSERV
0x12 = SEND_TO_PLUGIN

Byte at offset 0x07 should be unused

Byte at offset 0x08 is the req_info data:

0x00 = Undefined
0x01 = LOGIN
0x02 = LOGOFF
0x04 = SHUTDOWN
0x08 = GRAPHIC_TM
0x10 = ALPHA_TM
0x20 = ERROR_FROM_APPC
0x40 = CANCELMODE
0x80 = MSG_WITH_REQ_BUF

Possible values for byte at offset 0x09:

0x01 = MSG_WITH_OH
0x02 = BUFFER_REFRESH
0x04 = BTC_SCHEDULER
0x08 = APPC_SERVER_DOWN
0x10 = MS_ERROR
0x20 = SET_SYSTEM_USER
0x40 = DP_CANT_HANDLE_REQ
0x80 = DP_AUTO_ABAP

Possible values for byte at offset 0x0A:

0x01 = DP_APPL_SERV_INFO
0x02 = DP_ADMIN
0x04 = DP_SPOOL_ALRM
0x08 = DP_HAND_SHAKE
0x10 = DP_CANCEL_PRIV
0x20 = DP_RAISE_TIMEOUT
0x40 = DP_NEW_MODE
0x80 = DP_SOFT_CANCEL

Possible values for byte at offset 0x0B:

0x01 = DP_TM_INPUT
0x02 = DP_TM_OUTPUT
0x04 = DP_ASYNC_RFC
0x08 = DP_ICM_EVENT
0x20 = DP_AUTO_TH
0x40 = DP_RFC_CANCEL
0x80 = DP_MS_ADM

DWORD at offset 0x0C to 0x0F is tid

WORD at offset 0x10 to 0x11 is uid

BYTE at offset 0x12 is mode

DWORD at offset 0x14 to 0x17 is wp_id

DWORD at offset 0x18 to 0x1B is wp_ca_blk

DWORD at offset 0x1C to 0x1F is appc_ca_blk

DWORD at offset 0x20 to 0x23 is len

BYTE at offset 0x24 is the new_stat, or wp status, field:

0x00 = NO_CHANGE
0x01 = WP_SLOT_FREE
0x02 = WP_WAIT
0x04 = WP_RUN
0x08 = WP_HOLD
0x10 = WP_KILLED
0x20 = WP_SHUTDOWN

WORD at offset 0x2C to 0x2D is rq_id

So, apart from the support bits, most of the connection parameters are uninitialized the first time the client initiates a communication session. This is indicated by most of the fields having the value 0xFFFFFFFF.
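
The field layout above can be turned into a small decoder. The following is an added example, not code from SAP or from the original article: it splits a package into dp, th and data, decodes the listed dp fields, and reports which ones still hold the all-ones "uninitialized" value. The byte order, the treatment of req_info as a bit mask, the function names and the sample package are assumptions made for the example.

```python
import struct

# Value tables copied from the article (subset: request id, sender id, req_info).
REQ_ID = {0: "NOWP", 1: "DIA", 2: "UPD", 3: "ENQ", 4: "BTC", 5: "SPO", 6: "UP2"}
SENDER = {0x01: "DISPATCHER", 0x02: "WORK_PROCESS", 0x04: "REMOTE_TERMINAL",
          0x20: "APPC_TERMINAL", 0x40: "APPC_GATEWAY", 0xC8: "ICMAN",
          0xC9: "IC_MONITOR", 0xCB: "LCOM"}
REQ_INFO = {0x01: "LOGIN", 0x02: "LOGOFF", 0x04: "SHUTDOWN", 0x08: "GRAPHIC_TM",
            0x10: "ALPHA_TM", 0x20: "ERROR_FROM_APPC", 0x40: "CANCELMODE",
            0x80: "MSG_WITH_REQ_BUF"}
DP_LEN, TH_LEN = 200, 8          # header sizes reported by the level 3 trace
# (offset, struct code, name) for the multi-byte fields listed in the article
FIELDS = [(0x0C, "I", "tid"), (0x10, "H", "uid"), (0x14, "I", "wp_id"),
          (0x18, "I", "wp_ca_blk"), (0x1C, "I", "appc_ca_blk"),
          (0x20, "I", "len"), (0x2C, "H", "rq_id")]

def parse_first_package(pkt, order="<"):
    """Split a client package into dp/th/data and decode the dp fields.
    `order` is an ASSUMPTION: the article does not state the byte order."""
    if len(pkt) < DP_LEN + TH_LEN:
        raise ValueError("package shorter than dp + th headers")
    dp = pkt[:DP_LEN]
    req_id, = struct.unpack_from(order + "I", dp, 0x00)
    out = {"request_id": REQ_ID.get(req_id, hex(req_id)),
           "sender_id": SENDER.get(dp[0x05], hex(dp[0x05])),
           "action_type": dp[0x06],
           # ASSUMPTION: values are powers of two, so decode as a bit mask
           "req_info": [n for b, n in sorted(REQ_INFO.items()) if dp[0x08] & b],
           "mode": dp[0x12], "new_stat": dp[0x24],
           "th": pkt[DP_LEN:DP_LEN + TH_LEN], "data": pkt[DP_LEN + TH_LEN:]}
    uninit = []
    for off, code, name in FIELDS:
        out[name], = struct.unpack_from(order + code, dp, off)
        all_ones = (1 << 8 * struct.calcsize(code)) - 1
        if out[name] == all_ones:     # 0xFFFF.. marks a field not yet assigned
            uninit.append(name)
    out["uninitialized"] = uninit
    return out

def build_sample(order="<"):
    """CONSTRUCTED sample (not a capture): 262 bytes, most ids left at 0xFF.."""
    dp = bytearray(DP_LEN)
    struct.pack_into(order + "I", dp, 0x00, 1)        # request id DIA (constructed)
    dp[0x04], dp[0x08] = 0x0A, 0x01                   # 0x0A as sent by SAP GUI; LOGIN
    for off, code, _ in FIELDS:
        struct.pack_into(order + code, dp, off, (1 << 8 * struct.calcsize(code)) - 1)
    struct.pack_into(order + "I", dp, 0x20, 54)       # len: value chosen for the sample
    return bytes(dp) + bytes(TH_LEN) + bytes(54)
```

Calling parse_first_package(build_sample()) returns a dictionary whose "uninitialized" entry lists every field still set to all ones; pass order=">" if a real capture turns out to be big-endian.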
