Wireshark-users: [Wireshark-users] DOCSIS
From: Martin Dubuc <martind1111@xxxxxxxxx>
Date: Tue, 24 Aug 2010 14:26:00 -0400
I am trying to decode the packet output from a Cisco CMTS with Wireshark, but I haven't succeeded doing so up to now. The packet output was the result of capturing packets out of the analyzer port after configuring the CMTS using the cable monitor and intercept commands (my assumption is that the packet output is in a DOCSIS 1.0 format). I have read in one of the Wireshark documentation page that there is a DOCSIS decode option in the Edit/Preferences... dialog under the Frame protocol, but this does not match my packet output. When I enable this option, WIreshark interprets the first 6 bytes of each frames as DOCSIS header, then the rest as ethernet frames.

The packet output that I get from my Cisco CMTS is formatted as follows:

14-byte Ethernet header
20-byte IP header
8-byte UDP header
14-byte Ethernet header
20-byte IP header
...

I believe that the first 42 bytes is what the Cisco CMTS prepends to the actual user traffic. I would like Wireshark to strip these 42 bytes on the display so that I can zoom in on the actual user traffic.

First of all, I would like to know if this format is actually DOCSIS or not. I would then like to know how I can tell the system to ignore the 42 bytes when displaying the packets.

Martin