Wireshark-dev: Re: [Wireshark-dev] DOCSIS is not one of the DLTs supported by this device).
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 7 Dec 2009 16:49:32 -0800
On Dec 5, 2009, at 12:28 PM, Guy Harris wrote:

> Is that a message that was printed when you ran tcpdump?  (The  
> equivalent message in Wireshark/TShark/dumpcap is "That DLT isn't one  
> of the DLTs supported by this device".)

Actually, in some places, you can get the message in question from Wireshark/TShark/dumpcap; it means the same thing there as it does in tcpdump.

> If so, that's not supported.  "-y DOCSIS" is supported on Ethernet  
> because some Cisco cable modem head-end equipment can put DOCSIS  
> frames onto an Ethernet cable plugged into the device; what it does is  
> use the very low-level framing mechanism of Ethernet, but, instead of  
> putting Ethernet frames, with a standard Ethernet header, on the  
> cable, it puts DOCSIS frames on the cable.  That flag causes the  
> link-layer type of the capture to be marked as DOCSIS, not Ethernet, so  
> that the capture will be properly interpreted by, for example,  
> Wireshark and TShark.  Cisco doesn't, as far as I know, support  
> putting DOCSIS frames onto 802.11 networks in that fashion.

One thing this means is that if you're trying to see the raw DOCSIS traffic on your cable modem at home (or at work, if "work" means a company getting its Internet access from Comcast, Time Warner, Rogers, etc., rather than meaning Comcast, Time Warner, Rogers, etc. :-)), you can't do it that way.  The cable modem will put the DOCSIS data packets onto your Ethernet/Wi-Fi/etc. as data packets, and will process the non-data DOCSIS packets internally and not put them on your network.  *Maybe* there's a cable modem out there that supports some sort of "monitoring" port where you can see the DOCSIS packets from the cable side of the network, but, if so, it'll probably be a bit more complicated to tap that.
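
The following is an added example, not part of the original message and not Wireshark or libpcap code: it reads the link-layer type recorded in a classic pcap file header and relabels a capture from Ethernet to DOCSIS without touching the packet bytes, which is the header-level effect of the marking described above. The sample capture is constructed, the function names are hypothetical, and the code assumes the upper bits of the header's network field are zero.

```python
import struct

# Link-layer type values from the pcap LINKTYPE registry.
LINKTYPE_ETHERNET = 1
LINKTYPE_DOCSIS = 143

# First four bytes of a classic pcap file -> struct byte-order prefix.
MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
}

def read_linktype(data):
    """Return (byte_order, linktype) from a classic pcap global header."""
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    order = MAGICS.get(data[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng or unknown magic)")
    # version_major, version_minor, thiszone, sigfigs, snaplen, network
    fields = struct.unpack(order + "HHiIII", data[4:24])
    return order, fields[-1]

def relabel(data, new_linktype):
    """Return a copy of the capture with only the header linktype changed."""
    order, _ = read_linktype(data)
    return data[:20] + struct.pack(order + "I", new_linktype) + data[24:]

def sample_capture(order="<"):
    """Constructed capture: an Ethernet-labelled header plus one record."""
    header = struct.pack(order + "IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0,
                         65535, LINKTYPE_ETHERNET)
    payload = bytes(range(16))  # placeholder bytes, not a real DOCSIS frame
    record = struct.pack(order + "IIII", 0, 0, len(payload), len(payload))
    return header + record + payload

if __name__ == "__main__":
    cap = sample_capture()
    print("before:", read_linktype(cap)[1])
    fixed = relabel(cap, LINKTYPE_DOCSIS)
    print("after: ", read_linktype(fixed)[1])
    print("packet bytes unchanged:", fixed[24:] == cap[24:])
```

Relabelling only changes how a dissector interprets the bytes; it is useful when a capture of DOCSIS frames was saved with the Ethernet link-layer type and does nothing for traffic that was never DOCSIS in the first place.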