Wireshark-users: Re: [Wireshark-users] docsis problems

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Sun, 02 Dec 2007 14:11:39 -0800

admin2@xxxxxxxxxxxx wrote:

> Does anyone know why (newest version) Wireshark can't handle DOCSIS packets?

It can, but it can't handle a capture on an Ethernet that has both regular Ethernet packets and DOCSIS packets in Ethernet framing, of the sort that Cisco CMTS equipment puts on Ethernets for sniffing, because it has no way to determine whether a packet is real Ethernet or DOCSIS-in-low-level-Ethernet-framing.

That's what the capture you put into bug 2056 has. If you tell Wireshark to interpret all frames as DOCSIS frames, you *can* see some non-encapsulated-Ethernet DOCSIS packets; you also see raw Ethernet packets which appear to be malformed if you try to interpret them as DOCSIS frames.

> When I sniff on my Cisco CMTS, e.g. a DHCP req. from a cable modem, I can only
> see the ip-pack. from the server.

What were the machines on the Ethernet on which you were sniffing? If the only machines were the Cisco CMTS and the machine running Wireshark, you might want to ask Cisco why, for example, frame 10 of your capture is an Ethernet packet with a DHCP request coming from some type of cable device and frame 11 appears to be that packet forwarded as a DOCSIS packet (and with the UDP checksum added, probably by the Cisco CMTS).

> The rest of the packets are marked with: DOCSIS Mac specific[malformed packet.]

Only the ones that are raw Ethernet packets, rather than DOCSIS packets, are. There are other non-IP packets, including DOCSIS packets not containing Ethernet packets, visible in that capture.
