Wireshark mailing list archives
Re: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic
From: Christopher Maynard <Chris.Maynard () gtech com>
Date: Wed, 25 Aug 2010 18:04:09 +0000 (UTC)
Martin Dubuc <martind1111@...> writes:
The traffic coming out of the CMTS LAN analyzer port looks like this: | 14-byte Ethernet header | 20-byte IP header | 8-byte UDP header v ^ | 14-byte Ethernet header | 20-byte IP header | ... The first part (Ethernet/IP/UDP header) is fabricated by the CMTS. The second
part (Ethernet/IP/...) is the end-user traffic.If I load a PCAP file with this
type of traffic in Wireshark, Wireshark displays the Ethernet/IP/UDP header as
one would expect, but it does not decode the second part, the end-user traffic.
It displays the end-user traffic as one big data blob.I am surprised that
Wireshark is not able to decode the second part, the end-user traffic. I am not
sure if we need to do some sort of configuration, or if we should write a
special dissector that can handle this type of encapsulation.Martin
Maybe UDP port X -> Ethernet "Decode As" capability would work for you? That
would require a patch to the Ethernet dissector, something like:
Index: packet-eth.c
===================================================================
--- packet-eth.c (revision 33919)
+++ packet-eth.c (working copy)
@@ -658,4 +658,5 @@
dissector_add("ethertype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
dissector_add("chdlctype", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
dissector_add("gre.proto", ETHERTYPE_ETHBRIDGE, eth_withoutfcs_handle);
+ dissector_add("udp.port", 0, eth_maybefcs_handle);
}
That should allow Ethernet to show up as Transport level "Decode As" target, so
you should then be able to right-click on a packet, choose "Decode As", then
assign UDP port X to be decoded as Ethernet. I'm not sure if
eth_maybefcs_handle is the right one to use though; maybe eth_withoutfcs_handle
would be better? There might be another, better alternative, but this is just
one idea that looks like it would work for you.
- Chris
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Displaying Cisco Cable Monitor and Intercept Traffic Martin Dubuc (Aug 25)
- Re: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic Christopher Maynard (Aug 25)
- Re: Displaying Cisco Cable Monitor and Intercept Traffic Martin Dubuc (Aug 25)
- Re: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic Christopher Maynard (Aug 25)
- Re: Displaying Cisco Cable Monitor and Intercept Traffic Martin Dubuc (Aug 25)
- Re: Displaying Cisco Cable Monitor and Intercept Traffic Guy Harris (Aug 25)
- Re: Displaying Cisco Cable Monitor and Intercept Traffic Martin Dubuc (Aug 25)
- Re: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic Christopher Maynard (Aug 25)
- Re: Displaying Cisco Cable Monitor and Intercept Traffic Martin Dubuc (Aug 26)