Wireshark-users: Re: [Wireshark-users] Displaying Cisco Cable Monitor and Intercept Traffic
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 25 Aug 2010 19:24:25 -0700
On Aug 25, 2010, at 6:37 AM, Martin Dubuc wrote:

> I would like to display traffic coming out of a Cisco CMTS LAN analyzer port in Wireshark. This traffic is the result of configuring the CMTS with the cable monitor and intercept commands. The cable intercept command is used to capture all traffic that originates/terminates to a specific MAC address.

OK, so this is "cable intercept" rather than "cable monitor".  All the DOCSIS stuff in libpcap/WinPcap and Wireshark is for "cable monitor".

> I am surprised that Wireshark is not able to decode the second part, the end-user traffic.

Wireshark doesn't know about "cable intercept" packets.  The Cisco documentation at

	http://www.cisco.com/en/US/docs/cable/cmts/feature/guide/ufg_cmon.html

says the UDP port number is user-specified, so we need something such as Decode As to specify the port.

Does the encapsulated Ethernet packet have the FCS?  (I suspect not, as "cable intercept" appears to be intended for wiretapping; I doubt the police care about the FCS of your Ethernet packets.)  If not, then the encapsulated packets should be dissected by the "Ethernet, without FCS" dissector.
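
Added example, not part of the original message and not Wireshark code: a Python check for the FCS question above, testing whether a decapsulated frame ends in a valid Ethernet CRC-32 before parsing its header. It assumes the UDP payload starts directly at the Ethernet header, which the thread does not confirm; the function names and the sample frame are constructed for illustration.

```python
import struct
import zlib

ETH_HDR_LEN = 14  # dst MAC (6) + src MAC (6) + EtherType (2)


def has_valid_fcs(frame: bytes) -> bool:
    """True if the last 4 bytes are the Ethernet CRC-32 of the preceding bytes."""
    if len(frame) < ETH_HDR_LEN + 4:
        return False
    body, trailer = frame[:-4], frame[-4:]
    # The Ethernet FCS is the standard CRC-32, sent least-significant byte first.
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF) == trailer


def parse_inner_ethernet(udp_payload: bytes) -> dict:
    """Decode the encapsulated frame, stripping the FCS only if one is present."""
    if len(udp_payload) < ETH_HDR_LEN:
        raise ValueError("payload too short for an Ethernet header")
    fcs = has_valid_fcs(udp_payload)
    frame = udp_payload[:-4] if fcs else udp_payload
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HDR_LEN])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "has_fcs": fcs,
        "payload": frame[ETH_HDR_LEN:],
    }


def build_sample_frame(with_fcs: bool) -> bytes:
    """Constructed sample: IPv4 EtherType followed by 46 bytes of zero padding."""
    frame = bytes.fromhex("001122334455" "66778899aabb" "0800") + bytes(46)
    if with_fcs:
        frame += struct.pack("<I", zlib.crc32(frame) & 0xFFFFFFFF)
    return frame


if __name__ == "__main__":
    for with_fcs in (False, True):
        info = parse_inner_ethernet(build_sample_frame(with_fcs))
        print(info["src"], "->", info["dst"], hex(info["ethertype"]),
              "FCS:", info["has_fcs"])
```

If the trailing CRC never validates across a capture, the payloads are the case for the "Ethernet, without FCS" dissector.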