Wireshark-users: Re: [Wireshark-users] DOCSIS
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 24 Aug 2010 12:06:47 -0700
On Aug 24, 2010, at 11:26 AM, Martin Dubuc wrote:

> I am trying to decode the packet output from a Cisco CMTS with Wireshark, but I haven't succeeded in doing so up to now. The packet output was the result of capturing packets out of the analyzer port after configuring the CMTS using the cable monitor and intercept commands (my assumption is that the packet output is in a DOCSIS 1.0 format). I have read in one of the Wireshark documentation pages that there is a DOCSIS decode option in the Edit/Preferences... dialog under the Frame protocol, but this does not match my packet output. When I enable this option, Wireshark interprets the first 6 bytes of each frame as a DOCSIS header, then the rest as Ethernet frames.
> 
> The packet output that I get from my Cisco CMTS is formatted as follows:
> 
> 14-byte Ethernet header
> 20-byte IP header
> 8-byte UDP header
> 14-byte Ethernet header
> 20-byte IP header
> ...
> 
> I believe that the first 42 bytes are what the Cisco CMTS prepends to the actual user traffic. I would like Wireshark to strip these 42 bytes on the display so that I can zoom in on the actual user traffic.
> 
> First of all, I would like to know if this format is actually DOCSIS or not.

If that's truly what the packet looks like - i.e., the first 14 bytes look like a 6-byte Ethernet destination address followed by a 6-byte Ethernet source address followed by 2 bytes of 0x0800, and the next 20 bytes look like an IP header, starting with 0x45 (IPv4, 20 bytes), etc., then that is *NOT* DOCSIS.  It's some form of tunneling of Ethernet over some UDP protocol.

> I would then like to know how I can tell the system to ignore the 42 bytes when displaying the packets.

Try running the editcap command on the capture file:

	editcap -T ether {capture file} ethernet-capture.pcap

and try reading ethernet-capture.pcap; it should show you the first 14-byte Ethernet header, followed by the 20-byte IP header, followed by the 8-byte UDP header, and, if the protocol used for encapsulation is supported by Wireshark, it should show you the second Ethernet header and IP header.
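The layering check in the reply above (14-byte Ethernet header with ethertype 0x0800, then an IPv4 header starting with 0x45, then UDP, then a second Ethernet/IPv4 header at offset 42) can be applied mechanically to a capture. The following is an added example written for this page, not code from the thread, from Cisco or from the Wireshark project. It decides per frame whether the bytes match the "Ethernet over UDP" pattern, strips the 42-byte outer prefix when they do, and rewrites a classic pcap as LINKTYPE_ETHERNET so Wireshark dissects the inner user traffic directly. This is a different approach from the `editcap -T ether` command above (which only relabels the link type); the pcap reader/writer, the function names and the sample frame are all constructed here. The sample frame uses private addresses and arbitrary ports and is not a capture from the post.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def ipv4_checksum(header):
    """One's-complement checksum of an IPv4 header; returns 0 for a header whose checksum field is correct."""
    total = sum(struct.unpack('!%dH' % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ethernet(data, off):
    """(dst, src, ethertype, next_off) if 14 bytes are available at off, else None."""
    if len(data) < off + 14:
        return None
    ethertype = struct.unpack('!H', data[off + 12:off + 14])[0]
    return data[off:off + 6], data[off + 6:off + 12], ethertype, off + 14


def parse_ipv4(data, off):
    """(proto, header_len, next_off) if the bytes at off look like an IPv4 header (version nibble 4), else None."""
    if len(data) < off + 20 or data[off] >> 4 != 4:
        return None
    ihl = (data[off] & 0x0F) * 4
    if ihl < 20 or len(data) < off + ihl:
        return None
    return data[off + 9], ihl, off + ihl


def classify_frame(frame):
    """Return ("ethernet-over-udp", inner_off) for outer Ethernet/IPv4/UDP followed by another
    Ethernet/IPv4 header (inner_off is 42 when the outer IP header has no options),
    ("ethernet", None) for plain Ethernet/IPv4, and ("unknown", None) for anything else."""
    outer_eth = parse_ethernet(frame, 0)
    if outer_eth is None or outer_eth[2] != ETHERTYPE_IPV4:
        return "unknown", None
    outer_ip = parse_ipv4(frame, outer_eth[3])
    if outer_ip is None:
        return "unknown", None
    proto, _, udp_off = outer_ip
    if proto != IPPROTO_UDP or len(frame) < udp_off + 8:
        return "ethernet", None
    inner_off = udp_off + 8                      # skip the 8-byte UDP header
    inner_eth = parse_ethernet(frame, inner_off)
    if inner_eth is None or inner_eth[2] != ETHERTYPE_IPV4:
        return "ethernet", None
    if parse_ipv4(frame, inner_eth[3]) is None:
        return "ethernet", None
    return "ethernet-over-udp", inner_off


def strip_encapsulation(frame):
    """Return the inner Ethernet frame, or the frame unchanged if it is not tunneled."""
    kind, inner_off = classify_frame(frame)
    return frame[inner_off:] if kind == "ethernet-over-udp" else frame


def read_pcap(path):
    """Yield (ts_sec, ts_usec, frame) from a classic pcap file in either byte order."""
    with open(path, 'rb') as f:
        endian = '<' if f.read(4) == b'\xd4\xc3\xb2\xa1' else '>'
        f.read(20)                               # remainder of the 24-byte global header
        while True:
            rec = f.read(16)
            if len(rec) < 16:
                return
            ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + 'IIII', rec)
            yield ts_sec, ts_usec, f.read(incl_len)


def write_pcap(path, records):
    """Write (ts_sec, ts_usec, frame) records as a big-endian LINKTYPE_ETHERNET pcap file."""
    with open(path, 'wb') as f:
        f.write(struct.pack('>IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for ts_sec, ts_usec, frame in records:
            f.write(struct.pack('>IIII', ts_sec, ts_usec, len(frame), len(frame)) + frame)


def strip_pcap(src_path, dst_path):
    """Rewrite src_path to dst_path with the outer Ethernet/IPv4/UDP prefix removed from tunneled frames."""
    write_pcap(dst_path, ((s, u, strip_encapsulation(fr)) for s, u, fr in read_pcap(src_path)))


# Constructed sample (not a capture from the post): Ethernet/IPv4/UDP carrying Ethernet/IPv4/UDP.
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack('!H', ipv4_checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, payload):
    return struct.pack('!HHHH', sport, dport, 8 + len(payload), 0) + payload   # checksum 0 = none


def build_ethernet(dst, src, payload):
    return dst + src + struct.pack('!H', ETHERTYPE_IPV4) + payload


INNER_FRAME = build_ethernet(b'\x00\x11\x22\x33\x44\x55', b'\x66\x77\x88\x99\xaa\xbb',
                             build_ipv4(b'\x0a\x00\x00\x02', b'\x0a\x00\x00\x01', IPPROTO_UDP,
                                        build_udp(40000, 53, b'user payload')))
OUTER_FRAME = build_ethernet(b'\x00\xaa\xbb\xcc\xdd\xee', b'\x00\x01\x02\x03\x04\x05',
                             build_ipv4(b'\xc0\xa8\x01\x01', b'\xc0\xa8\x01\x02', IPPROTO_UDP,
                                        build_udp(1234, 5000, INNER_FRAME)))

if __name__ == '__main__':
    print(classify_frame(OUTER_FRAME))                      # ('ethernet-over-udp', 42)
    print(strip_encapsulation(OUTER_FRAME) == INNER_FRAME)  # True
```

On a real capture, run `strip_pcap('cmts.pcap', 'inner.pcap')` and open `inner.pcap` in Wireshark; frames that do not match the pattern are copied through untouched, so a capture that mixes tunneled and plain frames stays readable. The check only confirms that the bytes are laid out as Ethernet/IPv4/UDP/Ethernet/IPv4; it does not identify which UDP encapsulation protocol the CMTS used, and it does not handle pcapng or nanosecond-timestamp pcap files.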