Issue
I have a few pcap files, I can see the memcache protocol in wireshark and its corresponding data, but when I use tshark to batch export data, it only shows one character(0x0b), why?
the command I use: tshark -Y "memcache contains set" -r input.pcap -T fields -e memcache.value Thank you! BTW, memcache key works fine. And I can't share the files here as they are confidential.
Solution
Works for me:
$tshark -r 3006-example.cap -Y "memcache.command==set" -T fields -e memcache.value
hello, world!
noreplyset
Test file: that attached to Wireshark bug 3467
I do note that 0x0b is not a printable ascii character. The memcache dissector assumes that the 'value' is an ascii string.
If you look at the 'value' field in the appropriate packet in your capture file, is it an ascii string ?
edit: looking at the memcache protocol spec, it appears that the 'value' field should be treated as "unstructured data" and not as an ascii string. Please feel free to file a bug report at bugs.wireshark.org
Answered By - willyo Answer Checked By - Marie Seifert (PHPFixing Admin)
Posts
0 Comments:
Post a Comment
Note: Only a member of this blog may post a comment.