Wireshark-users: Re: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic
From: Martin Dubuc <martind1111@xxxxxxxxx>
Date: Thu, 26 Aug 2010 07:27:08 -0400
The cable intercept traffic uses Ethernet without FCS. With the Ethernet without FCS dissector, I am able to decode the traffic appropriately.

Martin

On Wed, Aug 25, 2010 at 10:24 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Aug 25, 2010, at 6:37 AM, Martin Dubuc wrote:

> I would like to display traffic coming out of a Cisco CMTS LAN analyzer port in Wireshark. This traffic is the result of configuring the CMTS with the cable monitor and intercept commands. The cable intercept command is used to capture all traffic that originates/terminates to a specific MAC address.

OK, so this is "cable intercept" rather than "cable monitor".  All the DOCSIS stuff in libpcap/WinPcap and Wireshark is for "cable monitor".

> I am surprised that Wireshark is not able to decode the second part, the end-user traffic.

Wireshark doesn't know about "cable intercept" packets.  The Cisco documentation at

       http://www.cisco.com/en/US/docs/cable/cmts/feature/guide/ufg_cmon.html

says the UDP port number is user-specified, so we need something such as Decode As to specify the port.

Does the encapsulated Ethernet packet have the FCS?  (I suspect not, as "cable intercept" appears to be intended for wiretapping; I doubt the police care about the FCS of your Ethernet packets.)  If not, then the encapsulated packets should be dissected by the "Ethernet, without FCS" dissector.