Wireshark mailing list archives

Re: DOCSIS


From: Guy Harris <guy () alum mit edu>
Date: Tue, 24 Aug 2010 12:40:33 -0700


On Aug 24, 2010, at 12:06 PM, Guy Harris wrote:


On Aug 24, 2010, at 11:26 AM, Martin Dubuc wrote:

I am trying to decode the packet output from a Cisco CMTS with Wireshark, but I haven't succeeded doing so up to
now. The packet output was the result of capturing packets out of the analyzer port after configuring the CMTS using
the cable monitor and intercept commands (my assumption is that the packet output is in a DOCSIS 1.0 format). I have
read in one of the Wireshark documentation pages that there is a DOCSIS decode option in the Edit/Preferences...
dialog under the Frame protocol, but this does not match my packet output. When I enable this option, Wireshark
interprets the first 6 bytes of each frame as DOCSIS header, then the rest as Ethernet frames.

What do you see if you *don't* enable that option?

If you see:

14-byte Ethernet header
20-byte IP header
8-byte UDP header

then just leave the option off.  (The option was put in because, at the time, that was the only way to see DOCSIS 
captures from that Cisco equipment properly; later, libpcap was enhanced so that, when capturing on Ethernet, you can 
specify "this is really DOCSIS", in which case the capture file will have a link-layer header type of DOCSIS and you 
don't have to set an option to interpret it as a DOCSIS capture.)
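Added example, not part of the original message or of Wireshark/libpcap code: the reply above turns on which link-layer header type the capture file declares, so this sketch reads that field from a classic pcap global header and, for a file recorded as Ethernet whose frames really start with a DOCSIS header, rewrites it to DOCSIS. The function names and the sample header are constructed for illustration; the values 1 (Ethernet) and 143 (DOCSIS) are the registered link-layer type numbers.

```python
import struct

LINKTYPE_ETHERNET = 1    # DLT_EN10MB
LINKTYPE_DOCSIS = 143    # DLT_DOCSIS

# First four bytes of a classic pcap file -> struct byte-order prefix.
_MAGIC_TO_ORDER = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def pcap_linktype(data):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    order = _MAGIC_TO_ORDER.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    # Layout: magic(4) major(2) minor(2) thiszone(4) sigfigs(4) snaplen(4) network(4)
    (network,) = struct.unpack(order + "I", data[20:24])
    return order, network & 0xFFFF  # low 16 bits hold the link-layer type

def relabel_as_docsis(data):
    """Return a copy of the capture whose header declares DOCSIS framing."""
    order, linktype = pcap_linktype(data)
    if linktype == LINKTYPE_DOCSIS:
        return data  # already labelled DOCSIS, nothing to change
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("refusing to relabel linktype %d" % linktype)
    return data[:20] + struct.pack(order + "I", LINKTYPE_DOCSIS) + data[24:]

# Constructed sample: header of an Ethernet capture, version 2.4, snaplen 65535.
SAMPLE_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535,
                            LINKTYPE_ETHERNET)

if __name__ == "__main__":
    print(pcap_linktype(SAMPLE_HEADER))
    print(pcap_linktype(relabel_as_docsis(SAMPLE_HEADER)))
```

Only the header field changes; packet records are copied untouched, so the relabelled file decodes correctly only if the frames do begin with a DOCSIS header.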

