Skip to content

Instantly share code, notes, and snippets.

@warmans

warmans/gist:8c31948fdb2b23127e08

Last active August 29, 2015 14:20
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save warmans/8c31948fdb2b23127e08 to your computer and use it in GitHub Desktop.
Save warmans/8c31948fdb2b23127e08 to your computer and use it in GitHub Desktop.
Download ZIP
Decode cassandra thrift message with PHP and tcpdump
Raw
gistfile1.md

  1. Capture some data using tcpdump:

    tcpdump -enx -w cassandra-dump port 9160

  2. Open the file with wireshark and find a packet where the data looks related to casandra e.g. it has multiget_slice or similar commands near the start of the data.

  3. In wireshark select the data part of the packet and right click -> copy -> bytes -> hex stream

  4. Now you need a thrift library to decode the data. thobbs/phpcassa should work.

  5. Write a script to decode the data:

//the phpcassa autoloader
require_once(dirname(__DIR__).'/lib/autoload.php');

$serialized = hex2bin("800100010000000..."); //paste the hex stream in here

$transport = new \Thrift\Transport\TMemoryBuffer($serialized);
$protocol = new \Thrift\Protocol\TBinaryProtocol($transport);

$rseqid = 0; $fname = null; $mtype = 0;
$protocol->readMessageBegin($fname, $mtype, $rseqid);

//this will contain the type of operation which dictates which class can decode the data
echo "$fname\n";

//in this case it's a multiget_slice 
$result = new \cassandra\Cassandra_multiget_slice_args();
$result->read($protocol);

var_dump($result);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment