On Sun, Jun 23, 2002 at 04:58:58AM +0200, Joerg Mayer wrote:
> On Sun, Jun 23, 2002 at 03:39:05AM +0200, Joerg Mayer wrote:
> > I've looked at this too and to me it looks like the first few bytes are
> > something DOCSIS specific and the rest looks like an ethernet frame (if
> > the first byte == c3 then few == 8, c0: 6, c2: 6). Just an idea.
>
> After looking at the docsis 1.1 spec (SP-RFIv1.1-I08-020301.pdf, printed
> page number 58ff, page in doc 76ff), I can see that the guess was ok.

That spec is, I infer, for stuff going over the cable; Anand spoke of
stuff going out over Ethernet.

The Cisco document says

    Configuration Examples

    Monitoring MAC Address Packets Examples

    The following is a simple example of specifying cable monitor
    command settings on a Cisco uBR7114 to examine certain types of
    packets that represent suspicious activity on the network. You
    direct the CMTS to forward these packets from the cable modem to
    an interface. The external LAN packet analyzer receives the
    packets from the interface, which is fastethernet0/0 in the
    example. The LAN packet analyzer creates a byte-level view of
    all the packets sent to it. Then you can monitor the LAN packet
    analyzer to examine the packets.

Does this mean that the uBR7114 just spews the raw octets of the cable
modem frames, as received from the cable, onto the Ethernet, using it as
an octet pipe rather than as an Ethernet? I.e., in the second example:

    Monitoring Ethernet, MAC-Layer, and DOCSIS-Data Packets Example

    The following example sets up the CMTS with a time stamp to
    monitor Ethernet, MAC-layer, and DOCSIS-data packets. The
    packets are sent from the CMTS through a dedicated LAN port
    (Ethernet2/0) to a PC with a LAN packet analyzer attached. The
    cable monitor command allows you to trap and decode the network
    traffic between the CMTS and the cable modems attached to the RF
    line card.

    In this example, you are monitoring the cable modem with the MAC
    address of 0003.e3fa.5e8f. The packets are forwarded to the
    Ethernet slot 2, port 0 interface for examination, which is
    where the LAN packet analyzer is attached. The LAN packet
    analyzer displays the dump of the packets.

    ...

    For example, looking at the LAN packet analyzer's display
    screen, you can see the following output for DOCSIS
    encapsulation packets for one of the MAC frames of the device
    being monitored:

    LLC: ----- LLC Header -----
    LLC:
    LLC: DSAP Address = E2, DSAP IG Bit = 01 (Group Address)
    LLC: SSAP Address = FA, SSAP CR Bit = 00 (Command)
    LLC: I frame, N(R) = 71, N(S) = 47, POLL
    LLC:
    DLC: Frame padding= 43 bytes
    ADDR HEX ASCII
    0000:c0 00 00 1c ea 1d 00 03 fe e1 a0 54 00 03 e3 fa | ...........T....
    0010:5e 8f 00 0a 00 00 03 01 04 00 00 03 00 00 00 8a | ^...............
    0020:4d 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | Mn..............
    0030:00 00 00 00 00 00 00 00 00 00 00 00 | ............

    This is the analysis of the frame:

    0010:5e 8f 00 0a 00 00 03 01 04 00 00 03 00 00 00 8a

    03 - Control field-Unnumbered information frame
    01 - Version-Defines the version of the MAC management protocol. Set to
    1 for this version
    04 - Type-RNG-REQ

does that mean that 0xc0 is the frame control byte:

    11         00000      0
    FC type    FC parm    EHDR_ON
    (MAC specific header)

and 0x00 is the MAC_PARM byte, and 0x001c is the LEN (SID) field, and
0xea1d is the HCS? Those do, according to Table 6-6, carry RNG-REQ
upstream messages.
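
The header split asked about above, run over the bytes of the quoted hex dump, as an added example that is not part of the original message or of any project's code. It assumes the DOCSIS MAC header layout FC, MAC_PARM, LEN (SID), optional EHDR, HCS, that MAC_PARM gives the EHDR length when EHDR_ON is set, and that the management header after the HCS is DA, SA, length, DSAP, SSAP, control, version, type; the function names and the second sample are made up for the illustration.

```python
import struct

# First 34 bytes (6-byte header + LEN 0x1c) of the hex dump quoted above.
FRAME = bytes.fromhex(
    "c000001cea1d0003fee1a0540003e3fa"
    "5e8f000a00000301040000030000008a"
    "4d6e"
)
# Constructed sample, not from the page: FC 0xc3 (EHDR_ON set), 2-byte EHDR.
EHDR_SAMPLE = bytes.fromhex("c3020004" "0000" "0000" "0000")


def parse_mac_header(buf):
    """Split FC, MAC_PARM, LEN (SID), optional EHDR and HCS."""
    if len(buf) < 6:
        raise ValueError("shorter than the minimum 6-byte header")
    fc, mac_parm, length = struct.unpack_from(">BBH", buf, 0)
    ehdr_on = fc & 0x01
    # Assumption: with EHDR_ON set, MAC_PARM is the extended header length.
    ehdr_len = mac_parm if ehdr_on else 0
    hdr_len = 4 + ehdr_len + 2
    if len(buf) < hdr_len:
        raise ValueError("truncated before HCS")
    (hcs,) = struct.unpack_from(">H", buf, 4 + ehdr_len)
    return {"fc_type": fc >> 6, "fc_parm": (fc >> 1) & 0x1F,
            "ehdr_on": ehdr_on, "mac_parm": mac_parm, "len": length,
            "hcs": hcs, "hdr_len": hdr_len}


def cisco_mac(raw):
    """Format six octets the way the Cisco text writes MAC addresses."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))


def parse_mgmt_header(buf, offset):
    """Ethernet-like part that follows the HCS in a MAC management frame."""
    fmt = ">6s6sHBBBBB"
    if len(buf) < offset + struct.calcsize(fmt):
        raise ValueError("truncated management header")
    da, sa, msg_len, dsap, ssap, ctrl, ver, mtype = struct.unpack_from(fmt, buf, offset)
    return {"da": cisco_mac(da), "sa": cisco_mac(sa), "msg_len": msg_len,
            "dsap": dsap, "ssap": ssap, "control": ctrl,
            "version": ver, "type": mtype}


if __name__ == "__main__":
    hdr = parse_mac_header(FRAME)
    print(hdr)
    print(parse_mgmt_header(FRAME, hdr["hdr_len"]))
    print(parse_mac_header(EHDR_SAMPLE)["hdr_len"])
```

With this split the source address after the 6-byte header is 0003.e3fa.5e8f, the monitored modem in the Cisco text, and header plus LEN accounts for 34 of the 60 dumped bytes, the remainder being zeros.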