Wireshark
the world's foremost network protocol analyzer
Wireshark-users: Re: [Wireshark-users] docsis problems
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 3 Dec 2007 18:31:25 -0800
On Dec 2, 2007, at 2:11 PM, Guy Harris wrote:
What were the machines on the Ethernet on which you were sniffing? Ifthe only machines were the Cisco CMTS and the machine running Wireshark,you might want to ask Cisco why, for example, frame 10 of your captureis an Ethernet packet with a DHCP request coming from some type of cabledevice and frame 11 appears to be that packet forwarded as a DOCSIS packet (and with the UDP checksum added, probably by the Cisco CMTS).
...or if, when capturing, you specified, in the "cable monitor" command on the CMTS, both "packet-type data ethernet" and "packet-type data docsis", you'll probably get *two* copies of every packet, one with a DOCSIS header (which Wireshark can handle when it's decoding the file as DOCSIS) and one with an Ethernet header (which, obviously, Wireshark can't handle when it's decoding the file as DOCSIS).
*D*O* *N*O*T* enable both "packet-type data ethernet" and "packet-type data docsis" on the CMTS. Enable "packet-type data docsis" and "packet-type mac", and, when you capture, select Capture -> Options and, if the dialog box lets you, select "Data Over Cable Service Interface Specification" as the "Link-layer header type". Doing so means that Wireshark will *automatically* interpret all packets as DOCSIS; you won't have to set a preference to do so.
(If you're capturing with tcpdump, dumpcap, or TShark, specify "-y DOCSIS" as one of the command-line arguments; that's the command-line equivalent.)
- References:
- Re: [Wireshark-users] docsis problems
- From: Guy Harris
- Re: [Wireshark-users] docsis problems
- Prev by Date: Re: [Wireshark-users] MPEG2TS over UPD not decoded
- Next by Date: Re: [Wireshark-users] MPEG2TS over UPD not decoded
- Previous by thread: Re: [Wireshark-users] docsis problems
- Next by thread: [Wireshark-users] Capture Filter
- Index(es):