Memcache Protocol Dissector for Wireshark

Many of you have used Wireshark, which is probably the most popular network protocol analyzer out there. It is a very versatile tool - but as far as I can tell, it does not have a textual protocol dissector for memcache.

Since there are many benefits to getting a deeper understanding of memcache traffic, we developed a memcache textual protocol dissector for Wireshark. The dissector can be used to view memcache traffic on port 11211 using Wireshark. The dissector will also be contributed back to the Wireshark community.

You can get the latest Wireshark source from here. However, we've tested our patch only on version wireshark-1.1.4-SVN-27997.

Things you need to do to get Wireshark running:

  1. Download and untar the Wireshark source version wireshark-1.1.4-SVN-27997.tar.gz. wireshark-1.1.4-SVN-27997 is a developer's version of the Wireshark source that we used to implement the dissector.
  2. Apply the patch memcache-protocol-dissector to the source.
  3. Configure and build the source.
  4. If steps 1, 2 and 3 succeed, you should be able to run Wireshark from your source directory.

Quick install steps:
After downloading the source tarball:
> tar -xzvf wireshark-1.1.4-SVN-27997.tar.gz
> cd wireshark-1.1.4-SVN-27997
> patch -p1 < memcache-protocol-dissector
> ./configure
> make
> ./wireshark

Alternative to the patch file:

  1. Download and untar the latest Wireshark source from here.
  2. Copy the packet-memcache.c file into epan/dissectors/packet-memcache.c in your source directory.
  3. Run the configure and make steps as mentioned above.

Supported platforms:
We tested the wireshark dissector on the following Linux platforms:

  1. Linux 2.6.18-92.1.10.el5 #1 SMP x86_64 GNU/Linux
  2. Linux 2.6.24-21-generic #1 SMP x86_64 GNU/Linux

Future Implementation:

  1. 'incr', 'decr' and 'stats sizes' responses are not implemented. So, these responses get displayed as TCP/UDP packets rather than MEMCACHE.
  2. Improve the PDU reassembly code.
  3. Handle dissection of truncated packets more gracefully.
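
The first and third items above, shown as an added example that is not part of packet-memcache.c or the Wireshark source: a stand-alone C classifier for the first line of a memcache text-protocol reply. It recognises the bare decimal line that a successful incr/decr returns and reports an unterminated line as needing more data instead of guessing. The names mc_classify and mc_kind and the sample bytes are made up for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not taken from packet-memcache.c. */
enum mc_kind { MC_NEED_MORE, MC_KEYWORD, MC_NUMERIC, MC_UNKNOWN };

/* Offset of the "\r\n" ending the first line, or -1 if it is not there yet. */
static long mc_line_end(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i + 1 < len; i++)
        if (buf[i] == '\r' && buf[i + 1] == '\n')
            return (long)i;
    return -1;
}

/* Classify the first response line found in buf[0..len). */
enum mc_kind mc_classify(const unsigned char *buf, size_t len)
{
    /* Subset of the text-protocol reply keywords. */
    static const char *const words[] = {
        "STORED", "NOT_STORED", "EXISTS", "NOT_FOUND", "DELETED", "END", "OK",
        "ERROR", "CLIENT_ERROR", "SERVER_ERROR", "VALUE", "STAT", "VERSION"
    };
    long end = mc_line_end(buf, len);
    size_t tok = 0;

    if (end < 0)
        return MC_NEED_MORE;   /* truncated capture or reply split over segments */
    if (end == 0)
        return MC_UNKNOWN;     /* empty line */
    while (tok < (size_t)end && buf[tok] != ' ')
        tok++;                 /* first token ends at a space or at CRLF */
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++)
        if (strlen(words[i]) == tok && memcmp(buf, words[i], tok) == 0)
            return MC_KEYWORD;
    for (size_t i = 0; i < (size_t)end; i++)
        if (!isdigit(buf[i]))
            return MC_UNKNOWN;
    return MC_NUMERIC;         /* all digits: the new value from incr/decr */
}

int main(void)
{
    /* Constructed sample replies, not taken from a real capture. */
    const char *samples[] = { "STORED\r\n", "6\r\n", "12", "12x\r\n" };
    for (size_t i = 0; i < 4; i++)
        printf("%d\n", mc_classify((const unsigned char *)samples[i], strlen(samples[i])));
    return 0;
}
```

A digits-only line can also be the data block of a VALUE reply, so a dissector has to consume the byte count announced in the VALUE header before classifying the next line.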

Feel free to use it; any feedback on this is much appreciated.

Rama Chitta