Wireshark-users: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic
From: Martin Dubuc <martind1111@xxxxxxxxx>
Date: Wed, 25 Aug 2010 09:37:54 -0400
I have posted a message to this list yesterday, but am reposting today with more details.

I would like to display traffic coming out of a Cisco CMTS LAN analyzer port in Wireshark. This traffic is the result of configuring the CMTS with the cable monitor and intercept commands. The cable intercept command is used to capture all traffic that originates/terminates to a specific a MAC address. The CMTS sends the resulting traffic encapsulated over UDP. The traffic coming out of the CMTS LAN analyzer port looks like this:

|  14-byte Ethernet header
|  20-byte IP header
|  8-byte UDP header
v
^
| 14-byte Ethernet header
| 20-byte IP header
| ...

The first part (Ethernet/IP/UDP header) is fabricated by the CMTS. The second part (Ethernet/IP/...) is the end-user traffic.

If I load a PCAP file with this type of traffic in Wireshark, Wireshark displays the Ethernet/IP/UDP header as one would expect, but it does not decode the second part, the end-user traffic. It displays the end-user traffic as one big data blob.

I am surprised that Wireshark is not able to decode the second part, the end-user traffic. I am not sure if we need to do some sort of configuration, or if we should write a special dissector that can handle this type of encapsulation.

Martin