Ethereal-users: Re: [Ethereal-users] DOCSIS Packet Analysis

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Guy Harris" <gharris@xxxxxxxxx>
Date: Wed, 9 Jun 2004 15:32:57 -0700 (PDT)
Michael O'Donnell said:
> What you need to do is to explicitly tell Ethereal to treat all captures
> as DOCSIS captures.  Select "Preferences" from the "Edit" menu, open up
> the Protocols list, select "Frame", turn on the "Treat all frames as
> DOCSIS frames" option, click "Save" and click "OK".

Note that if you're willing to build from source the current CVS version
of libpcap, and are either

    1) willing to build from source a reasonably recent version of
       Ethereal or tcpdump

or

    2) on a platform where the current CVS version of libpcap builds a
       shared library (probably just Linux and the BSDs, where OS X is one
       of the BSDs, unless you're also using the GNU linker), and where
       libpcap is a shared library, and where a reasonably recent version
       of tcpdump (3.8 or later) or Ethereal (0.10.somethingIdon'tremember
       or later) is linked with that shared library, *and* are willing to
       install that version of libpcap in place of the currently-installed
       version (which might be the OS's version)

you should be able to specify, when capturing on Ethernet devices, that
the packets should be treated as DOCSIS packets - there should be a
"Link-layer header type:" item in the "Capture Options" dialog box in
Ethereal, offering Ethernet and DOCSIS, and "tcpdump -L" should list
Ethernet and DOCSIS and should let you select DOCSIS with the "-y" flag.

Ethereal should be able to read those capture files as DOCSIS files
without having to specify that they're DOCSIS files.

(If this is from a Sigtek DOCSIS tracer, that won't work unless they've
recently modified their software to use the new DOCSIS link-layer type in
the libpcap files they write, but I suspect that if they wanted to they
could contribute code to Ethereal to let it *directly* read their capture
files rather than requiring them to be written as libpcap files....)

The command

    editcap -T docsis {Ethernet capture file name} {DOCSIS capture file name}

should, with recent versions of Ethereal (editcap is a tool that comes
with Ethereal), read an Ethernet capture file and write one out with the
DOCSIS link-layer type, so that such a file can be read as a DOCSIS file
without having to tell Ethereal to treat it as such.

> I have one further question is there a way to Save the Capture to a file
> in a format that is either "Comma Separated" or "Tab Separated".

There's no built-in way, but I think people have come up with schemes for
generating those files.

We could probably implement something in Ethereal itself, but we'd need to
know what sort of "something" to implement; the capture itself is just a
bunch of records with time stamps, packet lengths, and raw packet data,
but presumably what you want is not raw packet data written out as a
comma-separated or tab-separated file, you presumably want one line for
each packet with the line containing a comma-separated or tab-separated
list of particular pieces of information from the *decoded* packet.  If
so, what pieces of information would those be?
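
The following is an added example, not part of the original message and not code from Ethereal or editcap. It shows where the link-layer type that the message refers to lives in a classic libpcap file (the last 32-bit field of the 24-byte global header) and retags an Ethernet capture as DOCSIS by rewriting that field. It assumes a classic libpcap file (not pcapng) and the registered link-type values 1 (Ethernet) and 143 (DOCSIS); the function names and the sample capture are constructed for illustration.

```python
import struct

LINKTYPE_ETHERNET = 1    # DLT_EN10MB
LINKTYPE_DOCSIS = 143    # DLT_DOCSIS

# Classic libpcap magic numbers: microsecond and nanosecond timestamp variants.
_MAGICS = {0xA1B2C3D4, 0xA1B23C4D}


def pcap_byte_order(data: bytes) -> str:
    """Return the struct byte-order prefix ('<' or '>') the file was written in."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    for order in ("<", ">"):
        if struct.unpack(order + "I", data[:4])[0] in _MAGICS:
            return order
    raise ValueError("not a classic libpcap file")


def get_linktype(data: bytes) -> int:
    """Read the link-layer type from bytes 20..23 of the global header."""
    order = pcap_byte_order(data)
    return struct.unpack(order + "I", data[20:24])[0]


def retag_as_docsis(data: bytes) -> bytes:
    """Return a copy of an Ethernet capture with the header marked as DOCSIS.

    Packet records are left untouched; only the header field changes.
    Anything that is not currently tagged as Ethernet is refused.
    """
    order = pcap_byte_order(data)
    current = get_linktype(data)
    if current != LINKTYPE_ETHERNET:
        raise ValueError(f"refusing to retag link type {current}")
    return data[:20] + struct.pack(order + "I", LINKTYPE_DOCSIS) + data[24:]


def constructed_capture(order: str) -> bytes:
    """Build a tiny constructed capture: global header plus one 16-byte record."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                         LINKTYPE_ETHERNET)
    frame = bytes(range(16))  # placeholder bytes, not a real DOCSIS frame
    record = struct.pack(order + "IIII", 0, 0, len(frame), len(frame)) + frame
    return header + record
```
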