MONGO dissector not applied

asked 2018-09-20

updated 2018-09-20 17:00:27 +0000

Jaap

I'm on Windows 7, Wireshark build Version 2.6.3 (v2.6.3-0-ga62e6c27), with Npcap, and I'm using the loopback interface to capture some MongoDB traffic. I can see the traffic, but the MONGO dissector is not being applied. I've checked under Analyze -> Enabled Protocols and MONGO is clearly enabled. I'm also pretty sure the data is good as I can see records being written to the database. I've seen this work in Linux without any probs too.

Under Help -> about in the plugins tab, these are the plugins:

  • ethercat.dll
  • gryphon.dll
  • irda.dll
  • l16mono.dll
  • mate.dll
  • opcua.dll
  • profinet.dll
  • stats_tree.dll
  • transum.dll
  • unistim.dll
  • usbdump.dll
  • wimax.dll
  • wimaxasncp.dll
  • wimaxmacphy.dll

Am I missing some library? Or some setting?

Ok, managed to get this working by right clicking and selecting 'decode as ...'. However, not sure why this wasn't detected automagically.

lJoublanc ( 2018-09-20 )

answered 2018-09-20

grahamb

The Mongo dissector registers to dissect traffic on TCP port 27017, but has a preference setting to modify that if required. As you have found out, you can also use "Decode As ..." to force a temporary override of the port. There is no heuristic port detection for the mongo dissector.

Presumably the mongo traffic you are capturing is NOT running on the default mongo port of 27017, or you have changed the mongo dissector port preference.
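Because the dissector is bound by port only, an analyst has to know which port carries the MongoDB traffic before setting the preference or using "Decode As ...". The following Python is an added example, not Wireshark's code and not part of the original thread; it goes one step beyond the answer by checking TCP payloads for a plausible MongoDB wire-protocol header to find that port. The names `mongo_opcode` and `candidate_ports` are hypothetical and the sample payloads are constructed.

```python
import struct

# Opcodes defined by the MongoDB wire protocol.
MONGO_OPCODES = {
    1: "OP_REPLY", 2001: "OP_UPDATE", 2002: "OP_INSERT", 2004: "OP_QUERY",
    2005: "OP_GET_MORE", 2006: "OP_DELETE", 2007: "OP_KILL_CURSORS",
    2012: "OP_COMPRESSED", 2013: "OP_MSG",
}
# Standard header: messageLength, requestID, responseTo, opCode (little-endian int32).
HEADER = struct.Struct("<iiii")
MAX_MESSAGE = 48_000_000  # MongoDB's default maxMessageSizeBytes


def mongo_opcode(payload):
    """Return the opcode name if payload starts with a plausible header, else None."""
    if len(payload) < HEADER.size:
        return None
    length, _request_id, _response_to, opcode = HEADER.unpack_from(payload)
    if not HEADER.size <= length <= MAX_MESSAGE:
        return None
    return MONGO_OPCODES.get(opcode)


def candidate_ports(segments, min_hits=2):
    """segments: iterable of (server_port, tcp_payload) pairs.

    Only the first TCP segment of a message starts with a header, so a port
    is reported once at least min_hits payloads on it parse as MongoDB.
    """
    hits = {}
    for port, payload in segments:
        if mongo_opcode(payload):
            hits[port] = hits.get(port, 0) + 1
    return sorted(port for port, count in hits.items() if count >= min_hits)


def _msg(opcode, body, request_id=1, response_to=0):
    """Build a constructed message: header followed by body."""
    return HEADER.pack(HEADER.size + len(body), request_id, response_to, opcode) + body


# Constructed sample: OP_MSG body = flagBits, section kind 0, empty BSON document.
_BODY = b"\x00\x00\x00\x00" + b"\x00" + b"\x05\x00\x00\x00\x00"
SAMPLE = [
    (27018, _msg(2013, _BODY)),
    (27018, _msg(2013, _BODY, request_id=2, response_to=1)),
    (8080, b"GET / HTTP/1.1\r\nHost: localhost\r\n\r\n"),
]

if __name__ == "__main__":
    print(candidate_ports(SAMPLE))
```

A port reported here is the value to enter in the dissector's port preference or in "Decode As ...".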

