Ethereal-users: Re: [Ethereal-users] DOCSIS Packet Analysis

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Michael O'Donnell" <modonnell@xxxxxxxxxxxxx>
Date: Wed, 9 Jun 2004 16:35:28 -0700
Hello Guy,

You are absolutely correct in what I am looking for as far as a way to
analyze each packet with the line containing a comma-separated or
tab-separated list of particular pieces of information from the *decoded*
packet.

If you would like I could come up with a list much as I did when I
corroborated with SIGTEK to do the same thing back in 2001.  But basically I
am looking for a way to read out the same values that sigtek would with
their ST260FileProc.  Under their View tab with a Delimited Report Setup
which when chosen opens a window that allows you to choose the parameters
under the headings "General Frame Params", "Ext. Header Params", "PDU and
MMM Params", "MMM TLV Params", "IP Parameters", and "Raw Data".  Each of
these headers has a number of items under them that you can select or
deselect parameters under each and then save to either a Tab or Comma
Delimited file.  Which then can be analyzed under Excel or some other
spreadsheet program.  I can provide a complete list of the items SIGTEK
parses if you want as that is essentially what would be required.  Please
let me know.  Thanks.

Mike
----- Original Message ----- 
From: "Guy Harris" <gharris@xxxxxxxxx>
To: "Ethereal user support" <ethereal-users@xxxxxxxxxxxx>
Sent: Wednesday, June 09, 2004 3:32 PM
Subject: Re: [Ethereal-users] DOCSIS Packet Analysis


> Michael O'Donnell said:
> > What you need to do is to explicitly tell Ethereal to treat all captures
> as DOCSIS captures.  Select "Preferences" from the "Edit" menu, open up
> the Protocols list, select "Frame", turn on the "Treat all frames as
> DOCSIS frames" option, click "Save" and click "OK".
>
> Note that if you're willing to build from source the current CVS version
> of libpcap, and are either
>
>     1) willing to build from source a reasonably recent version of
> Ethereal or tcpdump
>
> or
>
>     2) on a platform where the current CVS version of libpcap builds a
> shared library (probably just Linux and the BSDs, where OS X is one of the
> BSDs, unless you're also using the GNU linker), and where libpcap is a
> shared library, and where a reasonably recent version of tcpdump (3.8 or
> later) or Ethereal (0.10.somethingIdon'tremember or later) is linked with
> that shared library, *and* are willing to install that version of libpcap
> in place of the currently-installed version (which might be the OS's
> version)
>
> you should be able to specify, when capturing on Ethernet devices, that
> the packets should be treated as DOCSIS packets - there should be a
> "Link-layer header type:" item in the "Capture Options" dialog box in
> Ethereal, offering Ethernet and DOCSIS, and "tcpdump -L" should list
> Ethernet and DOCSIS and should let you select DOCSIS with the "-y" flag.
>
> Ethereal should be able to read those capture files as DOCSIS files
> without having to specify that they're DOCSIS files.
>
> (If this is from a Sigtek DOCSIS tracer, that won't work unless they've
> recently modified their software to use the new DOCSIS link-layer type in
> the libpcap files they write, but I suspect that if they wanted to they
> could contribute code to Ethereal to let it *directly* read their capture
> files rather than requiring them to be written as libpcap files....)
>
> The command
>
>     editcap -T docsis {Ethernet capture file name} {DOCSIS capture file name}
>
> should, with recent versions of Ethereal (editcap is a tool that comes
> with Ethereal), read an Ethernet capture file and write one out with the
> DOCSIS link-layer type, so that such a file can be read as a DOCSIS file
> without having to tell Ethereal to treat it as such.
>
> > I have one further question is there a way to Save the Capture to a file
> > in a format that is either "Comma Separated" or "Tab Separated".
>
> There's no built-in way, but I think people have come up with schemes for
> generating those files.
>
> We could probably implement something in Ethereal itself, but we'd need to
> know what sort of "something" to implement; the capture itself is just a
> bunch of records with time stamps, packet lengths, and raw packet data,
> but presumably what you want is not raw packet data written out as a
> comma-separated or tab-separated file, you presumably want one line for
> each packet with the line containing a comma-separated or tab-separated
> list of particular pieces of information from the *decoded* packet.  If
> so, what pieces of information would those be?
>
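The thread above turns on two things in a libpcap file: the link-layer type in the file header, and the per-record time stamps and lengths. The following is an added example, not code from Ethereal or from either poster; it retags a classic libpcap capture as DOCSIS in the header and writes one CSV line per record. It assumes the microsecond-resolution classic pcap format and the libpcap link-type values 1 (Ethernet) and 143 (DOCSIS); the sample capture is constructed, and decoded DOCSIS fields are out of scope.

```python
import csv, io, struct

LINKTYPE_ETHERNET = 1
LINKTYPE_DOCSIS = 143  # libpcap's value for the DOCSIS link-layer type
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # byte order by magic

def read_header(data):
    """Return (byte-order char, link type) from a classic pcap file header."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic libpcap file")
    order = MAGICS[data[:4]]
    linktype = struct.unpack(order + "I", data[20:24])[0]
    return order, linktype

def retag(data, new_linktype):
    """Copy of the capture with only the header's link-type field changed."""
    order, _ = read_header(data)
    return data[:20] + struct.pack(order + "I", new_linktype) + data[24:]

def to_csv(data):
    """One CSV line per record: number, time stamp, captured and original length."""
    order, _ = read_header(data)
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["no", "time", "caplen", "len"])
    off, n = 24, 0
    while off + 16 <= len(data):
        sec, usec, caplen, origlen = struct.unpack(order + "IIII", data[off:off + 16])
        if off + 16 + caplen > len(data):
            break  # truncated final record: stop rather than misparse
        n += 1
        w.writerow([n, f"{sec}.{usec:06d}", caplen, origlen])
        off += 16 + caplen
    return out.getvalue()

def sample_capture():
    """Constructed two-record little-endian Ethernet capture (dummy payloads)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rec1 = struct.pack("<IIII", 1086824128, 500, 6, 6) + b"\x00" * 6
    rec2 = struct.pack("<IIII", 1086824129, 25, 4, 60) + b"\x01" * 4
    return hdr + rec1 + rec2

if __name__ == "__main__":
    cap = retag(sample_capture(), LINKTYPE_DOCSIS)
    print("link type:", read_header(cap)[1])
    print(to_csv(cap), end="")
```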