This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Memcache and TCP

0

When I do a scan on Wireshark, the protocol Memcache comes up at least 100 times every second. Only responding and coming from my PC, none other on the network.

Also noticing (my computer only) a lot of TCP protocols, lots. There are over 270,000 Protocols within 10 minutes, mostly belonging to TCP and Memcache.

Any help as to what this could be would be appreciated. I think that this is the reason my network may be slower than it should be.

I should also add, some of the TCP repeatedly go to a Verizon website. I never went with Verizon before, nobody in the household has either. Possibly a virus?

asked 09 Sep '13, 21:46


Zefeldo
1112
accept rate: 0%

edited 09 Sep '13, 21:48

The protocol Memcache comes up at least 100 times every second

TCP or UDP, source port or destination port?

There are over 270,000 Protocols within 10 minutes,

by 'protocols' you mean different TCP/UDP connections or packets?

(10 Sep '13, 00:01) Kurt Knochner ♦

Oh, sorry, the protocols, I meant packets, but 90% of them are the protocol TCP or Memcache.

Random ports from different packets:

Memcache - Src port: memcache (11211), dst port: 33929 
TCP - Src port: (10378), Dst Port: bacula-sd (9103) 
TCP - Src port: rbd-dsb-disp (1571), Dst Port: https (443)

If you need more I can provide. I hope none of these may end up accidentally being myself going to a website, pretty sure none are. Pretty new to Wireshark (will learn in time). Thanks for the help.

(10 Sep '13, 10:22) Zefeldo

If you need more I can provide,

ports are good, IP addresses are better.

I hope none of these may end up accidentally being myself going to a website,

impossible to tell without the capture file or at least some parts of it.

(10 Sep '13, 15:09) Kurt Knochner ♦

I suppose I will upload a file if somebody would like to view it. I'll make sure my computer is the only computer on the network at least, other than my game consoles.

(17 Sep '13, 20:20) Zefeldo

Go ahead. I'll check it.

(18 Sep '13, 00:25) Kurt Knochner ♦

Sorry for the long wait for a response. I tried to add a download link, but (can't remember the name of it) marked it as spam (from this website). Anyway, here it is: http://www.mediafire.com/download/va1a541mluia55v/Network.pcapng

(16 Oct '13, 17:53) Zefeldo

One Answer:

0

Looks like BitTorrent traffic to me. Check your BitTorrent client to see if it is running while you're capturing data, and if it uses UDP port 11211 as its data port. I guess Wireshark gets confused because it thinks that UDP 11211 is MEMCACHE while it isn't. It's just a coincidence that the other protocol (I guess BitTorrent) is set to use that port. If you want to continue capturing while using that port for protocols other than MEMCACHE, you might want to change the port setting of the MEMCACHE protocol decoder in the preferences, or disable it completely (Analyze -> Enabled Protocols -> uncheck "MEMCACHE").

Regarding the 270,000 protocols in 10 minutes - this is just an interpretation error. Clients use ephemeral ports for communicating with servers, and Wireshark labels them according to the services file. So the client ports get funny protocol labels most of the time even though it is not using the protocol at all. You might want to disable the "resolve transport names" option in the name resolution settings of your preferences to avoid further confusion.

answered 16 Oct '13, 22:17


Jasper ♦♦
23.8k551284
accept rate: 18%

edited 16 Oct '13, 22:19
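
The answer's point that a port number alone does not identify the protocol can be checked against the payload bytes. The following is an added example, not part of the original thread: a heuristic Python classifier for UDP payloads seen on port 11211, assuming the memcache UDP frame header from memcached's protocol documentation and the BitTorrent DHT (BEP 5) and uTP (BEP 29) message layouts. The function names and sample payloads are constructed for illustration.

```python
import struct
from collections import Counter

# A subset of memcache text-protocol verbs and reply words.
MEMCACHE_WORDS = {b"get", b"gets", b"set", b"add", b"replace", b"delete",
                  b"incr", b"decr", b"stats", b"version", b"VALUE", b"END",
                  b"STORED", b"NOT_FOUND", b"STAT", b"ERROR"}

def is_memcache_udp(p: bytes) -> bool:
    """8-byte frame header (request id, sequence, datagram count, reserved=0)
    followed by a text command/reply or a binary-protocol magic byte."""
    if len(p) < 9:
        return False
    _req_id, seq, total, reserved = struct.unpack("!HHHH", p[:8])
    if reserved != 0 or total == 0 or seq >= total:
        return False
    body = p[8:]
    if body[0] in (0x80, 0x81):          # binary request / response magic
        return True
    words = body.split(None, 1)          # only the first datagram has a verb
    return seq == 0 and bool(words) and words[0] in MEMCACHE_WORDS

def is_bt_dht(p: bytes) -> bool:
    """BEP 5 KRPC: one bencoded dictionary carrying a 'y' message-type key."""
    return p[:1] == b"d" and p[-1:] == b"e" and b"1:y1:" in p

def is_utp(p: bytes) -> bool:
    """BEP 29: 20-byte header, type 0-4 in the high nibble, version 1 in the low."""
    return len(p) >= 20 and (p[0] & 0x0F) == 1 and (p[0] >> 4) <= 4

def classify(p: bytes) -> str:
    if is_memcache_udp(p):
        return "memcache"
    if is_bt_dht(p):
        return "bittorrent-dht"
    if is_utp(p):
        return "bittorrent-utp"
    return "unknown"

# Constructed sample payloads (not taken from the poster's capture).
SAMPLES = [
    struct.pack("!HHHH", 1, 0, 1, 0) + b"get foo\r\n",
    b"d1:ad2:id20:abcdefghij0123456789e1:q4:ping1:t2:aa1:y1:qe",
    struct.pack("!BBHIIIHH", 0x41, 0, 0x1234, 123456789, 0, 1048576, 1, 0),
    b"\x00\x01\x02",
]

def summarize(payloads) -> Counter:
    return Counter(classify(p) for p in payloads)

if __name__ == "__main__":
    print(dict(summarize(SAMPLES)))
```

A capture in which almost nothing on port 11211 classifies as memcache supports the reading that the label comes from the port-to-dissector mapping rather than from the traffic itself.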