Wireshark mailing list archives

DOCSIS


From: Martin Dubuc <martind1111 () gmail com>
Date: Tue, 24 Aug 2010 14:26:00 -0400

I am trying to decode the packet output from a Cisco CMTS with Wireshark,
but I haven't succeeded doing so up to now. The packet output was the result
of capturing packets out of the analyzer port after configuring the CMTS
using the cable monitor and intercept commands (my assumption is that the
packet output is in a DOCSIS 1.0 format). I have read in one of the
Wireshark documentation pages that there is a DOCSIS decode option in the
Edit/Preferences... dialog under the Frame protocol, but this does not match
my packet output. When I enable this option, Wireshark interprets the first
6 bytes of each frame as a DOCSIS header, then the rest as Ethernet frames.

The packet output that I get from my Cisco CMTS is formatted as follows:

14-byte Ethernet header
20-byte IP header
8-byte UDP header
14-byte Ethernet header
20-byte IP header
...

I believe that the first 42 bytes are what the Cisco CMTS prepends to the
actual user traffic. I would like Wireshark to strip these 42 bytes on the
display so that I can zoom in on the actual user traffic.

First of all, I would like to know if this format is actually DOCSIS or not.
I would then like to know how I can tell the system to ignore the 42 bytes
when displaying the packets.

Martin
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
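
The layout listed in the post (a 14-byte Ethernet, 20-byte IP and 8-byte UDP header ahead of the user's Ethernet frame) can be removed offline before the capture is opened in Wireshark. The following is an added example, not part of the original post: it checks that each record really starts with those outer headers and writes only the inner frame. It assumes a classic little-endian pcap file with an Ethernet link type and no VLAN tags or IP options; the function names are hypothetical and the sample capture is constructed.

```python
import struct

OUTER_LEN = 14 + 20 + 8  # Ethernet + IPv4 (no options) + UDP, as listed in the post

def strip_outer(frame: bytes):
    """Return the inner Ethernet frame, or None if the outer headers do not match."""
    if len(frame) <= OUTER_LEN:
        return None
    if frame[12:14] != b"\x08\x00" or frame[14] != 0x45 or frame[23] != 17:
        return None                      # not Ethernet/IPv4 (IHL 5)/UDP
    udp_len = struct.unpack("!H", frame[38:40])[0]
    end = 34 + udp_len                   # UDP length excludes outer Ethernet padding
    if udp_len <= 8 or end > len(frame):
        return None                      # empty or truncated payload: leave untouched
    return frame[OUTER_LEN:end]

def rewrite_pcap(data: bytes):
    """Strip the outer headers from every matching record; return (pcap, count)."""
    magic, *_, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected little-endian classic pcap with Ethernet link type")
    out, pos, stripped = bytearray(data[:24]), 24, 0
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack("<IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        inner = strip_outer(frame)
        if inner is not None:
            frame, orig, stripped = inner, len(inner), stripped + 1
        out += struct.pack("<IIII", ts_sec, ts_usec, len(frame), orig) + frame
    return bytes(out), stripped

def sample_pcap():
    """Constructed sample: one encapsulated frame and one plain ARP frame."""
    inner = bytes(12) + b"\x08\x00" + b"\x45" + bytes(19) + b"payload"
    ip = bytearray(20)
    ip[0], ip[9] = 0x45, 17              # version/IHL and protocol = UDP
    udp = struct.pack("!HHHH", 5000, 5000, 8 + len(inner), 0)
    outer = bytes(12) + b"\x08\x00" + bytes(ip) + udp + inner
    arp = bytes(12) + b"\x08\x06" + bytes(28)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in (outer, arp))
    return hdr + recs, inner, arp

if __name__ == "__main__":
    pcap, inner, arp = sample_pcap()
    out, count = rewrite_pcap(pcap)
    print(count, len(pcap), "->", len(out))
```

Records that do not carry the expected outer headers are copied unchanged, so control traffic from the analyzer port stays visible next to the decapsulated frames.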
