Wireshark mailing list archives

Displaying Cisco Cable Monitor and Intercept Traffic


From: Martin Dubuc <martind1111 () gmail com>
Date: Wed, 25 Aug 2010 09:37:54 -0400

I posted a message to this list yesterday, but am reposting today with
more details.

I would like to display traffic coming out of a Cisco CMTS LAN analyzer port
in Wireshark. This traffic is the result of configuring the CMTS with the
cable monitor and intercept commands. The cable intercept command is used to
capture all traffic that originates/terminates to a specific MAC address.
The CMTS sends the resulting traffic encapsulated over UDP. The traffic
coming out of the CMTS LAN analyzer port looks like this:

|  14-byte Ethernet header
|  20-byte IP header
|  8-byte UDP header
v
^
| 14-byte Ethernet header
| 20-byte IP header
| ...

The first part (Ethernet/IP/UDP header) is fabricated by the CMTS. The
second part (Ethernet/IP/...) is the end-user traffic.

If I load a PCAP file with this type of traffic in Wireshark, Wireshark
displays the Ethernet/IP/UDP header as one would expect, but it does not
decode the second part, the end-user traffic. It displays the end-user
traffic as one big data blob.

I am surprised that Wireshark is not able to decode the second part, the
end-user traffic. I am not sure if we need to do some sort of configuration,
or if we should write a special dissector that can handle this type of
encapsulation.

Martin
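
Added example, not part of the original post: a Python sketch that strips the CMTS-fabricated Ethernet/IP/UDP wrapper described above from each record of a capture, leaving the end-user Ethernet frames in a file Wireshark decodes normally. The function names, the classic (non-pcapng) pcap input, and the optional `udp_port` filter are assumptions; the post does not state which UDP port the CMTS uses, and the sample packet is constructed.

```python
import struct

def decapsulate(frame, udp_port=None):
    """Return the end-user Ethernet frame, or None if frame is not CMTS-wrapped."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None                          # outer frame is not IPv4 over Ethernet
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # 20 in the post; IP options tolerated
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17:
        return None                          # not IPv4, or not UDP
    if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:
        return None                          # outer datagram is fragmented
    udp = ip[ihl:]
    if len(udp) < 8:
        return None
    dport, ulen = struct.unpack("!HH", udp[2:6])
    if udp_port is not None and dport != udp_port:
        return None                          # optional filter (assumed, see lead-in)
    inner = udp[8:ulen]                      # UDP length drops outer Ethernet padding
    return inner if len(inner) >= 14 else None

def rewrite_pcap(data, udp_port=None):
    """Return a pcap holding only the inner frames of a classic Ethernet pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    out, pos = [data[:24]], 24
    while pos + 16 <= len(data):
        sec, usec, caplen, _ = struct.unpack(end + "IIII", data[pos:pos + 16])
        inner = decapsulate(data[pos + 16:pos + 16 + caplen], udp_port)
        pos += 16 + caplen
        if inner is not None:                # keep the original timestamp
            out.append(struct.pack(end + "IIII", sec, usec, len(inner), len(inner)) + inner)
    return b"".join(out)

def build_sample():
    """Constructed test data: one wrapped frame in a little-endian pcap."""
    inner = (bytes.fromhex("020000000002020000000001") + b"\x08\x00"
             + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 1, 0,
                           bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
             + bytes.fromhex("0800f7ff00000000"))
    outer = (bytes.fromhex("02000000000b02000000000a") + b"\x08\x00"
             + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(inner), 0, 0, 64, 17, 0,
                           bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
             + struct.pack("!HHHH", 5000, 5000, 8 + len(inner), 0) + inner)
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec = struct.pack("<IIII", 1, 0, len(outer), len(outer)) + outer
    return inner, hdr + rec
```

To use it on a real capture, read the file as bytes, pass them to `rewrite_pcap`, and write the result to a new `.pcap` file; records that do not match the wrapper layout are dropped rather than copied through.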
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users