Wireshark-users: Re: [Wireshark-users] DOCSIS

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 24 Aug 2010 12:40:33 -0700
On Aug 24, 2010, at 12:06 PM, Guy Harris wrote:

> 
> On Aug 24, 2010, at 11:26 AM, Martin Dubuc wrote:
> 
>> I am trying to decode the packet output from a Cisco CMTS with Wireshark, but I haven't succeeded doing so up to now. The packet output was the result of capturing packets out of the analyzer port after configuring the CMTS using the cable monitor and intercept commands (my assumption is that the packet output is in a DOCSIS 1.0 format). I have read in one of the Wireshark documentation page that there is a DOCSIS decode option in the Edit/Preferences... dialog under the Frame protocol, but this does not match my packet output. When I enable this option, WIreshark interprets the first 6 bytes of each frames as DOCSIS header, then the rest as ethernet frames.

What do you see if you *don't* enable that option?

If you see:

>> 14-byte Ethernet header
>> 20-byte IP header
>> 8-byte UDP header

then just leave the option off.  (The option was put in because, at the time, that was the only way to see DOCSIS captures from that Cisco equipment properly; later, libpcap was enhanced so that, when capturing on Ethernet, you can specify "this is really DOCSIS", in which case the capture file will have a link-layer header type of DOCSIS and you don't have to set an option to interpret it as a DOCSIS capture.)