Wireshark-users: Re: [Wireshark-users] docsis problems

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 3 Dec 2007 18:31:25 -0800

On Dec 2, 2007, at 2:11 PM, Guy Harris wrote:

What were the machines on the Ethernet on which you were sniffing?  If
the only machines were the Cisco CMTS and the machine running Wireshark,
you might want to ask Cisco why, for example, frame 10 of your capture
is an Ethernet packet with a DHCP request coming from some type of cable
device and frame 11 appears to be that packet forwarded as a DOCSIS
packet (and with the UDP checksum added, probably by the Cisco CMTS).

...or if, when capturing, you specified, in the "cable monitor" command on the CMTS, both "packet-type data ethernet" and "packet-type data docsis", you'll probably get *two* copies of every packet, one with a DOCSIS header (which Wireshark can handle when it's decoding the file as DOCSIS) and one with an Ethernet header (which, obviously, Wireshark can't handle when it's decoding the file as DOCSIS).

*D*O* *N*O*T* enable both "packet-type data ethernet" and "packet-type data docsis" on the CMTS. Enable "packet-type data docsis" and "packet-type mac", and, when you capture, select Capture -> Options and, if the dialog box lets you, select "Data Over Cable Service Interface Specification" as the "Link-layer header type". Doing so means that Wireshark will *automatically* interpret all packets as DOCSIS; you won't have to set a preference to do so.

(If you're capturing with tcpdump, dumpcap, or TShark, specify "-y DOCSIS" as one of the command-line arguments; that's the command-line equivalent.)