On Dec 2, 2007, at 2:11 PM, Guy Harris wrote:
> What were the machines on the Ethernet on which you were sniffing? If
> the only machines were the Cisco CMTS and the machine running
> Wireshark, you might want to ask Cisco why, for example, frame 10 of
> your capture is an Ethernet packet with a DHCP request coming from
> some type of cable device and frame 11 appears to be that packet
> forwarded as a DOCSIS packet (and with the UDP checksum added,
> probably by the Cisco CMTS).

...or if, when capturing, you specified, in the "cable monitor"
command on the CMTS, both "packet-type data ethernet" and "packet-type
data docsis", you'll probably get *two* copies of every packet, one
with a DOCSIS header (which Wireshark can handle when it's decoding
the file as DOCSIS) and one with an Ethernet header (which, obviously,
Wireshark can't handle when it's decoding the file as DOCSIS).

*D*O* *N*O*T* enable both "packet-type data ethernet" and "packet-type
data docsis" on the CMTS. Enable "packet-type data docsis" and
"packet-type mac", and, when you capture, select Capture -> Options
and, if the dialog box lets you, select "Data Over Cable Service
Interface Specification" as the "Link-layer header type". Doing so
means that Wireshark will *automatically* interpret all packets as
DOCSIS; you won't have to set a preference to do so.

(If you're capturing with tcpdump, dumpcap, or TShark, specify "-y
DOCSIS" as one of the command-line arguments; that's the command-line
equivalent.)
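
A check for the capture setup described above, as an added example that is not part of the original message: it reads a classic pcap file, reports whether it was written with the DOCSIS link-layer header type, and lists records whose length does not fit a DOCSIS MAC header (such as Ethernet-framed copies). The function name, the length heuristic and the sample bytes are assumptions constructed for this illustration.

```python
import struct

LINKTYPE_ETHERNET, LINKTYPE_DOCSIS = 1, 143  # tcpdump.org link-layer type values

# Classic pcap magic as raw file bytes -> struct byte-order prefix
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",   # microsecond stamps
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}   # nanosecond stamps

def check_docsis_pcap(data: bytes) -> dict:
    """Report the file's link type and records that do not look DOCSIS-framed."""
    if len(data) < 24 or data[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    order = MAGICS[data[:4]]
    linktype = struct.unpack(order + "I", data[20:24])[0] & 0xFFFF
    suspect, total, off = [], 0, 24
    while off + 16 <= len(data):
        _, _, incl_len, orig_len = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        if len(frame) < incl_len:
            break                      # truncated final record
        total += 1
        # Heuristic (assumption): a DOCSIS MAC header is FC, MAC_PARM, a 2-byte
        # big-endian LEN, optional extended header, then a 2-byte HCS, and LEN
        # counts every byte beyond those 6 fixed bytes. Request frames (FC 0xC4)
        # carry a SID in that field instead, so they are skipped.
        if len(frame) >= 4 and (frame[0] >> 1) != 0x62:
            (mac_len,) = struct.unpack(">H", frame[2:4])
            if 6 + mac_len != orig_len:
                suspect.append(total)  # 1-based, like Wireshark frame numbers
        off += 16 + incl_len
    return {"linktype": linktype, "is_docsis": linktype == LINKTYPE_DOCSIS,
            "records": total, "suspect_frames": suspect}

def record(frame: bytes) -> bytes:
    """Wrap a frame in a little-endian pcap record header (constructed sample)."""
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

# Constructed sample: a DOCSIS-framed record (HCS left as zeros, not a real
# checksum) followed by an Ethernet-framed copy of the same 60-byte PDU.
PDU = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"\x00" * 46
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_DOCSIS)
          + record(b"\x00\x00" + struct.pack(">H", len(PDU)) + b"\x00\x00" + PDU)
          + record(PDU))

if __name__ == "__main__":
    print(check_docsis_pcap(SAMPLE))
```

A file whose `is_docsis` is false was not captured with the DOCSIS link-layer header type; a non-empty `suspect_frames` list in a DOCSIS file is only a hint, since the length test is a heuristic.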