[DOCS-5145] Highlight the default assumption of port 27017 for Wireshark protocol definition Created: 01/Apr/15  Updated: 11/Jan/17  Resolved: 07/Jul/15

Status: Closed
Project: Documentation
Component/s: ecosystem
Affects Version/s: None
Fix Version/s: 01112017-cleanup

Type: Task Priority: Major - P3
Reporter: Akira Kurogane Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Participants:
Days since reply: 8 years, 32 weeks, 2 days ago

 Description   

I was using wireshark to analyze a pcap file received from someone else. The dump I had been given came with its own issues, plus did not use the standard 27017 port. After getting through the other issues I did not recall the information about the port preference on /ecosystem/tools/wireshark/ (which I had read). I then wasted over an hour trying to understand why none of the "mongo.*" filter expressions worked. Eventually I read the source code of wireshark and noticed that there was an adjustable preference for the port of "mongo" protocol.

By definition a 'protocol' shouldn't be tied to a single port, so experienced network debuggers like me are going to be fooled by that often enough. As such this gotcha should be highlighted better.

Instead of

Wireshark looks for port 27017 and infers MongoDB protocol from this. If you are running on a different port number, go to Preferences...Protocols...Mongo and set your port number, and it should then interpret the data.

There should be a 'warning! trap!' sense in the message. I propose:

N.b. In "Preferences" -> "Protocols" -> "Mongo" you must first set the TCP port of the mongo db server (or client) you are examining. The Mongo protocol definition included in Wireshark relies on the assumption that the traffic occurs on only one TCP port. All filter expressions will return empty if you are using the wrong port value preference.

Even though in truth many users do not have to set it first because they will be examining mongo traffic on the default 27017 port, reading that will put into everyone's minds that they have to go and look at that preference value once.



 Comments   
Comment by Akira Kurogane [ 07/Jul/15 ]

Thanks Kay!

Comment by Githook User [ 07/Jul/15 ]

Author:

{u'username': u'kay-kim', u'name': u'kay', u'email': u'kay.kim@10gen.com'}

Message: DOCS-5145 tweak sentence in note for wireshark
Branch: master
https://github.com/mongodb/docs-ecosystem/commit/fd7d0747a0cce3d0eb78da96a3639fa9c94c1a3c

Comment by Githook User [ 07/Jul/15 ]

Author:

{u'username': u'kay-kim', u'name': u'kay', u'email': u'kay.kim@10gen.com'}

Message: DOCS-5145 tweak wireshark and mongodb port
Branch: master
https://github.com/mongodb/docs-ecosystem/commit/b881e6973e65f49d46b06ded1eebd98ee51b0e2c

Comment by Githook User [ 07/Jul/15 ]

Author:

{u'username': u'kay-kim', u'name': u'kay', u'email': u'kay.kim@10gen.com'}

Message: DOCS-5145 wireshark and mongodb port
Branch: master
https://github.com/mongodb/docs-ecosystem/commit/e8f3aec8dc9174046915db65d909ca03d31bc613

Comment by Akira Kurogane [ 01/Apr/15 ]

An extra thing to add:

If you are using tshark (the command line interface) rather than the wireshark GUI you can check which port is set using the following command:

:~$ tshark -G currentprefs | grep mongo
mongo.tcp.port: 27017
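
Added example, not part of the ticket or of the MongoDB documentation: when a capture arrives with an unknown server port, the port to enter in the Mongo preference can be found by checking TCP payloads for the 16-byte MongoDB message header instead of relying on the port number. The function names, the rule that the lower port of a pair is the server, and the sample capture are assumptions made for this sketch; the opcode values are those of the MongoDB wire protocol.

```python
import struct
from collections import Counter

# MongoDB wire-protocol opcodes: OP_REPLY, OP_UPDATE..OP_KILL_CURSORS, OP_COMPRESSED, OP_MSG.
MONGO_OPCODES = {1, 2001, 2002, 2004, 2005, 2006, 2007, 2012, 2013}

def looks_like_mongo(payload):
    """True if a TCP payload starts with a plausible MongoDB message header."""
    if len(payload) < 16:
        return False
    length, _req, _resp, opcode = struct.unpack_from("<iiii", payload)
    # messageLength includes the 16-byte header; 48 MB is a generous sanity bound.
    return opcode in MONGO_OPCODES and 16 <= length <= 48 * 1024 * 1024

def candidate_mongo_ports(pcap):
    """Count header matches per TCP port in a classic little-endian Ethernet pcap."""
    magic, linktype = struct.unpack_from("<I", pcap, 0)[0], struct.unpack_from("<I", pcap, 20)[0]
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a little-endian classic pcap of Ethernet frames")
    hits, off = Counter(), 24
    while off + 16 <= len(pcap):
        incl_len, = struct.unpack_from("<I", pcap, off + 8)
        frame = pcap[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # Only Ethernet II / IPv4 / TCP is handled; other frames are skipped.
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        tcp = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp + 20:
            continue
        sport, dport = struct.unpack_from("!HH", frame, tcp)
        payload = frame[tcp + (frame[tcp + 12] >> 4) * 4:]
        if looks_like_mongo(payload):
            hits[min(sport, dport)] += 1  # assumption: the server side is the lower port
    return hits

def sample_pcap():
    """Constructed capture: one OP_MSG-shaped segment to port 27018, one HTTP request."""
    def frame(sport, dport, data):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(data), 0, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
        return b"\x00" * 12 + b"\x08\x00" + ip + tcp + data
    frames = [frame(50000, 27018, struct.pack("<iiii", 21, 1, 0, 2013) + b"\x00" * 5),
              frame(50001, 80, b"GET / HTTP/1.1\r\n\r\n")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out
```

Only segments that begin with a message header are counted, so continuation segments of large messages and TLS-encrypted sessions produce no matches; a port with many hits is the value to check against the mongo.tcp.port preference shown above.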

Generated at Thu Feb 08 07:49:43 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.