Casa packet capture | docsis.org


Casa packet capture

FezzFest

Trying to debug an issue with a misbehaving cable modem on a C40g.
I'm using the 'mirror cm' command together with tcpdump and it's generating a packet capture; however, I'm stuck at the following step:

"On the TFTP server, run the ccap command (./ccap test.out) to create a file called out.cap. Use FTP to transfer this file to a PC running Wireshark (or equivalent program). Change the Wireshark settings by editing preferences and Protocols: Frame by checking off the “Treat all frames as DOCSIS frames” box. Wireshark will decode the DOCSIS control packets."

I have no idea what the 'ccap' command is or where that program should come from. I currently have a packet capture that I can open in Wireshark and the contents are there, but every single packet is seen as 'UDP data' instead of the underlying protocol (DHCP, TFTP, etc.).

FezzFest

Update: figured it out, the UDP data in each packet is actually by itself a DOCSIS-encapsulated packet. With tshark and text2pcap I can extract the contents of each packet and put it into a new (useful) pcap.

Extract data of each UDP packet: tshark -r file.pcap -T fields -e data >data.txt
Convert to text2pcap-compatible format: for l in $(cat data.txt); do echo $l | xxd -r -ps | xxd -g1 >>text2pcap.txt; done
Make it into a pcap file: text2pcap -l 143 text2pcap.txt docsis.pcap
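
The same conversion in one pass, as an added example that is not part of the original posts: it reads the hex lines that `tshark -T fields -e data` produces and writes a pcap with link type 143 (DOCSIS) directly. The function name and the sample lines are hypothetical; as with text2pcap, the original capture timestamps are not preserved, so a packet counter is used instead.

```python
import struct
import sys

LINKTYPE_DOCSIS = 143  # the value passed to text2pcap with -l 143

# Constructed sample input (placeholder bytes, not real DOCSIS frames):
# one clean line, one blank line, one damaged line, one colon-separated line.
SAMPLE_LINES = ["c0001a0000", "", "zz-not-hex", "c2:00:04:aa:bb\n"]


def hex_lines_to_docsis_pcap(lines, out, snaplen=65535):
    """Write one pcap record per hex line to `out`; return (written, skipped)."""
    # Global header: magic, version 2.4, thiszone, sigfigs, snaplen, link type.
    out.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0,
                          snaplen, LINKTYPE_DOCSIS))
    written = skipped = 0
    for line in lines:
        text = line.strip().replace(":", "")
        if not text:
            skipped += 1  # blank line: that packet carried no data field
            continue
        try:
            frame = bytes.fromhex(text)
        except ValueError:
            skipped += 1  # damaged or non-hex line: skip it, keep going
            continue
        if len(frame) > snaplen:
            skipped += 1
            continue
        # Record header: ts_sec (synthetic counter), ts_usec, incl_len, orig_len.
        out.write(struct.pack("<IIII", written, 0, len(frame), len(frame)))
        out.write(frame)
        written += 1
    return written, skipped


if __name__ == "__main__":
    # Usage: python3 script.py data.txt docsis.pcap
    with open(sys.argv[1]) as src, open(sys.argv[2], "wb") as dst:
        print("written=%d skipped=%d" % hex_lines_to_docsis_pcap(src, dst))
```

A non-zero skipped count means some mirrored packets did not make it into the output file, which is worth checking before concluding that a frame is missing from the modem's traffic.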

fschlums
What about this way? Send all CM traffic to a sniffer server.
cable mirror CM-MAC SnifferServerIP SnifferServerPort
Take Wireshark or tshark and listen to your port.
Decode your traffic as PCLI and again as IPv4.
