20/7/2014 CaptureSetup/DOCSIS - The Wireshark Wiki

DOCSIS capture setup

Cisco's Cable M odem Termination System in various of its head-end broadband routers supports a
cable monitorcommand that causes it to forward packets on the cable interface to the Ethernet interface, for
use by external LAN analyzers. The Cable M onitor and Intercept Features for the Cisco CM TS chapter in the
Cisco CM TS Feature Guide, and the Cable M onitor and Intercept Features for the Cisco CM TS Routers section in
the Cisco CM TS Cable Software Configuration Guide, Release 12.2SC, describe this in more detail.

It can be configured to encapsulate raw DOCSIS packets in Ethernet framing, using the data docsisand mac
suboptions of the packet-typeoption. "Ethernet framing" here refers only to the very low-level framing that
marks the start and end of an Ethernet frame, not to Ethernet link-layer headers - the frames sent on the Ethernet do
not have the standard Ethernet 14-octet link-layer header, with a destination address, source address, and
type/length field, they have only a DOCSIS header and payload.

DO NOT combine the data ethernetoption with the data docsisor macsuboptions, as that will mix
DOCSIS packets and Ethernet packets in the same capture, and Wireshark will not be able to interpret both types
of packets correctly; it will also cause data packets to appear twice in the same capture, once with a DOCSIS
header and once with an Ethernet header. The "Cable M onitor Configuration Example (Ethernet, M AC-Layer, and
DOCSIS-Data Packets)" example in the Cable M onitor and Intercept Features for the Cisco CM TS chapter of the
Cisco CM TS Feature Guide combines those options; ignore the
cable monitor timestamp int e2/0 mac-address 0003.e3fa.5e8f packet-
type data ethernetcommand in that example.

Libpcap 0.9.1 and later, on most platforms, and WinPcap 3.1 and later, on Windows, can capture on an Ethernet
link but claim that the packets are DOCSIS packets, for convenience when capturing on an Ethernet segment to
which a Cisco CM TS is forwarding DOCSIS packets. If Wireshark is using a version of libpcap that supports this,
in the "Capture Options" dialog box the "Link-layer header type" field should offer a choice of "Ethernet" or
"DOCSIS". The default is Ethernet; if you're capturing on an Ethernet link to which the CM TS is forwarding
DOCSIS packets, choose DOCSIS instead. If you do this, Wireshark will treat the packets in the capture file as
DOCSIS packets - even if you save the capture file and read it later.

Earlier versions of libpcap don't support that, so the traffic will be marked as Ethernet traffic, and you'll have to
turn on the "Treat all frames as DOCSIS frames" preference for the Frame protocol in order to see those packets as
DOCSIS packets.

S ee Also

Capturing on Ethernet Networks

Capturing on 802.11 Wireless Networks
Capturing on Token Ring Networks
Capturing on VLAN Protected Networks
Capturing on PPP Networks
Capturing on the Loopback Device
Capturing on Frame Relay Networks
Capturing Bluetooth Traffic
Capturing on ATM Networks
Capturing USB Traffic
Capturing IrDA Traffic
Capturing on Cisco HDLC Networks
Capturing SS7 Traffic

CategoryHowTo

http://wiki.wireshark.org/CaptureSetup/DOCSIS 1/2
20/7/2014 CaptureSetup/DOCSIS - The Wireshark Wiki

CaptureSetup/DOCSIS (ltima edicin 2010-08-26 05:14:44 efectuada por Guy Harris)

http://wiki.wireshark.org/CaptureSetup/DOCSIS 2/2