Trying to debug an issue with a misbehaving cable modem on a C40g.
I'm using the 'mirror cm' command together with tcpdump and it's generating a packet capture; however, I'm stuck at the following step:
"On the TFTP server, run the ccap command (./ccap test.out) to create a file called out.cap. Use FTP to transfer this file to a PC running Wireshark (or equivalent program). Change the Wireshark settings by editing preferences and Protocols: Frame by checking off the “Treat all frames as DOCSIS frames” box. Wireshark will decode the DOCSIS control packets."
I have no idea what the 'ccap' command is or where that program should come from. I currently have a packet capture that I can open in Wireshark and the contents are there, but every single packet is seen as 'UDP data' instead of the underlying protocol (DHCP, TFTP, etc.).
Update: figured it out. The UDP data in each packet is actually by itself a DOCSIS-encapsulated packet. With tshark and text2pcap I can extract the contents of each packet and put them into a new (useful) pcap.
Extract the data of each UDP packet as one hex string per line (packets without a data field give an empty line): tshark -r file.pcap -T fields -e data > data.txt
Convert each line into an xxd-style hexdump that text2pcap understands (each packet's dump restarts at offset 0, which is how text2pcap detects packet boundaries; empty lines are skipped): while read -r l; do [ -n "$l" ] && printf '%s\n' "$l" | xxd -r -p | xxd -g1; done < data.txt > text2pcap.txt
Make it into a pcap file with the DOCSIS link type (143 = LINKTYPE_DOCSIS, so Wireshark dissects the frames without the "Treat all frames as DOCSIS frames" preference): text2pcap -l 143 text2pcap.txt docsis.pcap
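As an added example (mine, not the original poster's pipeline and not Casa's ccap tool): the same unwrap-and-rewrap done in pure Python, for a box without tshark or text2pcap. It assumes what the update above found, that each mirrored packet is Ethernet/IPv4/UDP and the whole UDP payload is one DOCSIS frame, and writes the result with the same link type (143) the text2pcap step uses. The sniffer port 5555 and the DOCSIS byte strings in the built-in sample capture are constructed placeholders, not real frames; frames that are not UDP to the sniffer port (ARP, fragments, other ports) are skipped and counted rather than written.

```python
"""Strip the UDP wrapper from a 'mirror cm' capture and write the inner DOCSIS frames
as a LINKTYPE_DOCSIS (143) pcap. Added example, not the poster's tshark/text2pcap pipeline."""
import struct
import sys

LINKTYPE_ETHERNET = 1
LINKTYPE_DOCSIS = 143                  # same value as the poster's 'text2pcap -l 143'
SNIFFER_PORT = 5555                    # assumption: the UDP port handed to 'mirror cm'
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}   # 0xA1B2C3D4, LE / BE


def read_pcap(buf):
    """Parse a classic pcap (either byte order, microsecond stamps).
    Returns (linktype, [(ts_sec, ts_usec, frame_bytes), ...])."""
    end = PCAP_MAGIC.get(bytes(buf[:4]))
    if end is None or len(buf) < 24:
        raise ValueError("not a classic pcap (pcapng / nanosecond pcap not handled here)")
    hdr, rec = struct.Struct(end + "IHHiIII"), struct.Struct(end + "IIII")
    linktype = hdr.unpack_from(buf, 0)[6]
    records, off = [], hdr.size
    while off + rec.size <= len(buf):
        ts_sec, ts_usec, incl_len, _ = rec.unpack_from(buf, off)
        off += rec.size
        if off + incl_len > len(buf):
            break                      # truncated last record: drop it, as Wireshark does
        records.append((ts_sec, ts_usec, buf[off:off + incl_len]))
        off += incl_len
    return linktype, records


def write_pcap(records, linktype):
    """Serialise (ts_sec, ts_usec, data) records as a little-endian classic pcap."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for ts_sec, ts_usec, data in records:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(data), len(data)))
        out.append(data)
    return b"".join(out)


def udp_payload(frame, dport=None):
    """UDP payload of an Ethernet/IPv4/UDP frame (only for destination port dport if given);
    None for anything else: ARP, IPv6, TCP, IP fragments, other ports, truncated frames."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    off = 14                           # start of the IPv4 header (untagged Ethernet assumed)
    ihl = (frame[off] & 0x0F) * 4
    total_len, frag = struct.unpack_from("!HxxH", frame, off + 2)
    if ihl < 20 or frame[off + 9] != 17 or frag & 0x3FFF or len(frame) < off + ihl + 8:
        return None                    # not UDP, or a fragment whose payload is incomplete
    udp = off + ihl
    _, port, ulen = struct.unpack_from("!HHH", frame, udp)
    if ulen < 8 or (dport is not None and port != dport):
        return None
    return frame[udp + 8:min(udp + ulen, off + total_len, len(frame))]


def strip_mirror_encapsulation(pcap_bytes, sniffer_port=None):
    """Return (docsis_pcap_bytes, kept, skipped): every matching UDP payload becomes one record."""
    linktype, records = read_pcap(pcap_bytes)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected an Ethernet capture, got linktype %d" % linktype)
    kept, skipped = [], 0
    for ts_sec, ts_usec, frame in records:
        payload = udp_payload(frame, sniffer_port)
        if not payload:
            skipped += 1
            continue
        kept.append((ts_sec, ts_usec, payload))
    return write_pcap(kept, LINKTYPE_DOCSIS), len(kept), skipped


# --- constructed sample input (not a real capture) so the script runs offline ---
def _ipv4_checksum(hdr):
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_udp_frame(payload, dport, sport=4000):
    """Ethernet/IPv4/UDP frame as a sniffer would capture it (UDP checksum 0 = disabled)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp


# Placeholder byte strings standing in for mirrored DOCSIS frames (constructed, not real frames).
SAMPLE_DOCSIS = [b"\xc2\x00\x00\x1e" + bytes(range(30)), b"\xc2\x00\x00\x08" + b"\x01" * 8]


def build_sample_capture():
    arp = bytes.fromhex("ffffffffffff" "66778899aabb" "0806") + bytes(28)   # non-UDP, must be skipped
    frames = [(1, 0, build_udp_frame(SAMPLE_DOCSIS[0], SNIFFER_PORT)),
              (1, 500, arp),
              (2, 0, build_udp_frame(SAMPLE_DOCSIS[1], SNIFFER_PORT)),
              (2, 10, build_udp_frame(b"not mirrored traffic", 53))]       # other UDP port
    return write_pcap(frames, LINKTYPE_ETHERNET)


if __name__ == "__main__":
    # usage: python strip_mirror.py in.pcap out.pcap [sniffer_port]; no arguments runs the sample
    if len(sys.argv) >= 3:
        port = int(sys.argv[3]) if len(sys.argv) > 3 else None
        with open(sys.argv[1], "rb") as f:
            out, kept, skipped = strip_mirror_encapsulation(f.read(), port)
        with open(sys.argv[2], "wb") as f:
            f.write(out)
    else:
        out, kept, skipped = strip_mirror_encapsulation(build_sample_capture(), SNIFFER_PORT)
    print("wrote %d DOCSIS frames, skipped %d non-matching packets" % (kept, skipped))
```

Pass the sniffer port as the third argument so chatter on other ports in the same capture (DNS, SSH to the sniffer box) does not get written out as bogus DOCSIS frames; without it every UDP payload is kept, which is what the tshark -e data pipeline does.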
What about this way? Send all CM traffic to a sniffer server.
cable mirror CM-MAC SnifferServerIP SnifferServerPort
Take Wireshark or tshark and listen on your port.
Decode your traffic as PCLI and again as IPv4.