
Wireshark-bugs: [Wireshark-bugs] [Bug 2056] Problems sniffing on DOCSIS packets

Date: Sun, 2 Dec 2007 23:16:58 +0000 (GMT)
http://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2056

------- Comment #3 from guy@xxxxxxxxxxxx  2007-12-02 23:16 GMT -------
It *CAN* dissect the DOCSIS frames if you set the "Treat all frames as DOCSIS"
option (which I assume you did, as you described Wireshark as reporting some
packets as being "DOCSIS Mac specific")!

It just can't dissect *raw Ethernet* frames in a capture if it's told to treat
all frames as DOCSIS frames - because raw Ethernet frames are not DOCSIS frames
and will appear to be malformed frames if you try to decode them as DOCSIS
frames.

I've split the capture you attached into two capture files, one containing the
Ethernet frames from the capture, and one containing the DOCSIS frames.  I gave
the latter capture file a link-layer type of DOCSIS, so Wireshark doesn't have
to be set to "Treat all frames as DOCSIS" to recognize the frames; turn that
preference off, and then read both of the files and compare them.  It appears
that the IP and ARP packets are in *both* captures - i.e., they appear both as
regular Ethernet packets and DOCSIS packets - and that the DOCSIS MAC
Management packets appear to be Ethernet loopback packets.

The Cisco documentation on the "cable monitor" command:

   http://www.cisco.com/univercd/cc/td/doc/product/cable/cab_rout/cmtsfg/ufg_cmon.htm#wp1024968

seems to indicate that you can configure multiple "cable monitor" options.  If
you did multiple "cable monitor" commands, and one of them had the option
"packet-type data ethernet", that might cause *two* copies of captured packets
to be put onto the Ethernet, one with an Ethernet header and one with a DOCSIS
header.  *DO NOT* do "packet-type data ethernet"; do "packet-type data docsis",
along with "packet-type mac".  I.e., *IGNORE* their "Cable Monitor
Configuration Example (Ethernet, MAC-Layer, and DOCSIS-Data Packets)" example -
that will confuse Wireshark (and would confuse any other network analyzer that
could be configured to treat Ethernet packets as DOCSIS, but I don't know if
there are any others - Ethereal doesn't count, as that's just the name
Wireshark had earlier, it's the same program).  Just do "packet-type data
docsis" and "packet-type mac".

Also, when capturing, try using the Capture -> Options menu item to start the
capture, and set the "Link-layer header type" option in that dialog to "Data
Over Cable Service Interface Specification"; that'll cause Wireshark to mark
the capture file as a DOCSIS file, so you don't have to set the "Treat all
frames as DOCSIS frames" preference.


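The split described in the comment above (one file of Ethernet frames, one file of DOCSIS frames marked with a DOCSIS link-layer type) can be sketched for classic pcap files as follows. This is an added example, not code from the bug report or from Wireshark. The page does not say how the frames were told apart, so the `is_docsis` classifier is a hypothetical callback supplied by the caller; the value 143 for the DOCSIS link type comes from the pcap link-type registry.

```python
import struct

LINKTYPE_ETHERNET = 1
LINKTYPE_DOCSIS = 143  # from the pcap link-type registry

# On-disk magic of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",  # microsecond stamps
    b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">",  # nanosecond stamps
}

def read_pcap(data):
    """Return (byte_order, 24-byte global header, [(record_header, frame)])."""
    order = MAGICS.get(data[:4])
    if order is None or len(data) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    records, off = [], 24
    while off + 16 <= len(data):
        # Record header: ts_sec, ts_frac, incl_len, orig_len (4 bytes each).
        incl_len = struct.unpack_from(order + "I", data, off + 8)[0]
        end = off + 16 + incl_len
        if end > len(data):
            break  # truncated final record: drop it
        records.append((data[off:off + 16], data[off + 16:end]))
        off = end
    return order, data[:24], records

def write_pcap(order, header, records, linktype):
    """Re-emit the records under a global header carrying `linktype`."""
    out = bytearray(header)
    struct.pack_into(order + "I", out, 20, linktype)  # link type is at offset 20
    for rec_hdr, frame in records:
        out += rec_hdr + frame
    return bytes(out)

def linktype_of(data):
    """Read the link-layer type back out of a pcap global header."""
    order, header, _ = read_pcap(data)
    return struct.unpack_from(order + "I", header, 20)[0]

def split_capture(data, is_docsis):
    """Split one mixed capture into (ethernet_pcap, docsis_pcap).

    is_docsis(frame_bytes) is the caller's classifier (hypothetical here)."""
    order, header, records = read_pcap(data)
    docsis = [r for r in records if is_docsis(r[1])]
    ether = [r for r in records if not is_docsis(r[1])]
    return (write_pcap(order, header, ether, LINKTYPE_ETHERNET),
            write_pcap(order, header, docsis, LINKTYPE_DOCSIS))
```

Because the second output file carries the DOCSIS link type in its header, it can be read with the "Treat all frames as DOCSIS" preference turned off.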