Wireshark mailing list archives

Re: Displaying Cisco Cable Monitor and Intercept Traffic


From: Guy Harris <guy () alum mit edu>
Date: Wed, 25 Aug 2010 19:24:25 -0700


On Aug 25, 2010, at 6:37 AM, Martin Dubuc wrote:

I would like to display traffic coming out of a Cisco CMTS LAN analyzer port in Wireshark. This traffic is the result 
of configuring the CMTS with the cable monitor and intercept commands. The cable intercept command is used to capture 
all traffic that originates/terminates to a specific MAC address.

OK, so this is "cable intercept" rather than "cable monitor".  All the DOCSIS stuff in libpcap/WinPcap and Wireshark is 
for "cable monitor".

I am surprised that Wireshark is not able to decode the second part, the end-user traffic.

Wireshark doesn't know about "cable intercept" packets.  The Cisco documentation at

        http://www.cisco.com/en/US/docs/cable/cmts/feature/guide/ufg_cmon.html

says the UDP port number is user-specified, so we need something such as Decode As to specify the port.

Does the encapsulated Ethernet packet have the FCS?  (I suspect not, as "cable intercept" appears to be intended for 
wiretapping; I doubt the police care about the FCS of your Ethernet packets.)  If not, then the encapsulated packets 
should be dissected by the "Ethernet, without FCS" dissector.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users