Highlight the default assumption of port 27017 for Wireshark protocol definition
I was using Wireshark to analyze a pcap file received from someone else. The dump I had been given came with its own issues, plus did not use the standard 27017 port. After getting through the other issues I did not recall the information about the port preference on /ecosystem/tools/wireshark/ (which I had read). I then wasted over an hour trying to understand why none of the "mongo.*" filter expressions worked. Eventually I read the source code of Wireshark and noticed that there was an adjustable preference for the port of the "mongo" protocol.

By definition a 'protocol' shouldn't be tied to a single port, so experienced network debuggers like me are going to be fooled by that often enough. As such this gotcha should be highlighted better.

Instead of

Wireshark looks for port 27017 and infers MongoDB protocol from this. If you are running on a different port number, go to Preferences...Protocols...Mongo and set your port number, and it should then interpret the data.

There should be a 'warning! trap!' sense in the message. I propose:

N.b. In "Preferences" -> "Protocols" -> "Mongo" you must first set the TCP port of the mongo db server (or client) you are examining. The Mongo protocol definition included in Wireshark relies on the assumption that the traffic occurs on only one TCP port. All filter expressions will return empty if you are using the wrong port value preference.

Even though in truth many users do not have to set it first because they will be examining mongo traffic on the default 27017 port, reading that will put into everyone's minds that they have to go and look at that preference value once.
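The point of the report is that port-based dissection silently misses MongoDB traffic on any other port. The following added example (not part of the original report, the MongoDB docs, or Wireshark) shows the content-based alternative a defender would use to check a capture before trusting the port: it parses the 16-byte MongoDB wire-protocol MsgHeader (four little-endian int32s: messageLength, requestID, responseTo, opCode) and accepts a TCP payload as MongoDB only if the opcode is one defined by the wire protocol. The sample segments, ports 27018 and the payload bytes are constructed for the example; the opcode table is from the wire-protocol specification.

```python
import struct

# MongoDB wire-protocol MsgHeader: four little-endian int32s.
HEADER_LEN = 16
# Opcodes defined by the MongoDB wire protocol (legacy ones included
# because old drivers and replay captures still contain them).
OPCODES = {
    1: "OP_REPLY", 2001: "OP_UPDATE", 2002: "OP_INSERT", 2004: "OP_QUERY",
    2005: "OP_GET_MORE", 2006: "OP_DELETE", 2007: "OP_KILL_CURSORS",
    2012: "OP_COMPRESSED", 2013: "OP_MSG",
}
MAX_MESSAGE_LEN = 48 * 1024 * 1024  # server-side maxMessageSizeBytes


def parse_header(payload):
    """Return the decoded MsgHeader, or None if the bytes cannot be a MongoDB message."""
    if len(payload) < HEADER_LEN:
        return None
    msg_len, req_id, resp_to, opcode = struct.unpack_from("<iiii", payload, 0)
    if opcode not in OPCODES or not (HEADER_LEN <= msg_len <= MAX_MESSAGE_LEN):
        return None
    return {"length": msg_len, "request_id": req_id,
            "response_to": resp_to, "opcode": OPCODES[opcode]}


def build_op_msg(request_id, bson_doc):
    """Build a minimal OP_MSG (flagBits=0, one kind-0 body section) around a BSON document."""
    body = struct.pack("<i", 0) + b"\x00" + bson_doc
    header = struct.pack("<iiii", HEADER_LEN + len(body), request_id, 0, 2013)
    return header + body


def find_mongo_messages(segments, port=27017):
    """Classify (src_port, dst_port, payload) tuples two ways.

    Returns (indices matched by port only, indices matched by header inspection),
    mirroring the difference between a fixed port preference and looking at the bytes.
    """
    by_port, by_header = [], []
    for i, (src, dst, payload) in enumerate(segments):
        if port in (src, dst):
            by_port.append(i)
        if parse_header(payload) is not None:
            by_header.append(i)
    return by_port, by_header


# Constructed sample data: BSON for {"ping": 1} is
#   int32 length(15) | 0x10 (int32 type) | "ping\0" | int32 1 | 0x00 terminator
PING_DOC = b"\x0f\x00\x00\x00\x10ping\x00\x01\x00\x00\x00\x00"
PING_MSG = build_op_msg(1, PING_DOC)

# Constructed "capture": one client on the default port, one on a non-default
# port, an HTTP request that happens to hit 27018, and junk sent to 27017.
SAMPLE_SEGMENTS = [
    (54321, 27017, PING_MSG),
    (54322, 27018, build_op_msg(2, PING_DOC)),
    (54323, 27018, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    (54324, 27017, b"junk"),
]

if __name__ == "__main__":
    by_port, by_header = find_mongo_messages(SAMPLE_SEGMENTS)
    print("matched by port 27017:", by_port)      # includes the junk, misses 27018
    print("matched by header   :", by_header)     # both real OP_MSG payloads
```

Running it shows the two failure modes of a port-only preference at once: the real OP_MSG on port 27018 is missed, and non-MongoDB bytes on 27017 are "matched". Inside Wireshark the equivalent fix is the preference the report describes; on the command line the same effect comes from Decode As, e.g. `tshark -d tcp.port==27018,mongo -r capture.pcap`.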
