I was using wireshark to analyze a pcap file received from someone else. The dump I had been given came with it's own issues, plus did not use the standard 27017 port. After getting through the other issues I did not recall the information about the port preference on /ecosystem/tools/wireshark/ (which I had read). I then wasted over an hour trying to understand why none of the "mongo.*" filter expressions worked. Eventually and noticed that there was an adjustable preference for the port of "mongo" protocol.
By defintion a 'protocol' shouldn't be tied to a single port, so experienced network debuggers like me are going to be fooled by that often enough. As such this gotcha should be highlighted better.
There should be a 'warning! trap!' sense in the message. I propose:
Even though in truth many users do not have to set it first because they will be examining mongo traffic on the default 27017 port, reading that will put into everyone's minds that they have to go and look at that preference value once.