[Winpcap-users] Pcap_list_datalinks return bad number of links.
Guy Harris
guy at alum.mit.edu
Fri Aug 25 01:29:21 GMT 2006
On Aug 24, 2006, at 3:11 PM, Steve Beaudoin wrote:
> You are absolutely right. The received array was the wrong item of
> the two. Following your suggestion, I changed my ref int[] for a
> ref IntPtr and I now receive two items, the other one is DOCSIS
> (Data Over Cable Service Interface Specifications, http://en.wikipedia.org/wiki/DOCSIS
> for those interested) as I have a cable modem.
No, the other one is DOCSIS because
1) you have an Ethernet (or something that claims to be an Ethernet)
and
2) Cisco has a device, the Cisco Cable Modem Termination System:
http://www.cisco.com/en/US/tech/tk86/tk804/tsd_technology_support_protocol_home.html
that can be configured to take raw DOCSIS frames and transmit them
on an Ethernet (using only the low-level Ethernet framing and *no*
encapsulation, so the first byte of the Ethernet frame is the first
byte of the DOCSIS frame, *NOT* the first byte of an Ethernet
destination MAC address):
http://www.cisco.com/univercd/cc/td/doc/product/cable/cab_rout/cmtsfg/ufg_cmon.htm#wp1031861
so that a network analyzer can capture and process them.
Wireshark is one analyzer that can process DOCSIS frames; if you're
plugged into an "Ethernet" that's connected to a Cisco CMTS, and the
CMTS is putting DOCSIS frames on the Ethernet, you'd capture with the
link-layer type set to DOCSIS, which would cause the device to appear
to have a link-layer type of DOCSIS and thus cause Wireshark to
analyze the frames as DOCSIS frames.
Unless your cable modem has a similar capability, or you have some
device that can capture on the cable side of the cable modem, you
won't be able to see DOCSIS frames.
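
An added example, not code from either poster or from WinPcap: a C# P/Invoke sketch of the "ref IntPtr" marshalling mentioned in the quoted text, listing the link-layer types a device offers. On an Ethernet device the listing includes DOCSIS for the reason given above, which says the type can be selected, not that DOCSIS frames are present. Assumptions: the class name DatalinkLister, the DLL name "wpcap", and a library build that exports pcap_free_datalinks.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Text;

static class DatalinkLister
{
    const string Lib = "wpcap"; // assumed DLL name (WinPcap/Npcap); differs on other platforms

    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
    static extern IntPtr pcap_open_live(string dev, int snaplen, int promisc, int toMs, StringBuilder errbuf);

    // C prototype: int pcap_list_datalinks(pcap_t *p, int **dlt_buf).
    // The library allocates the array and writes its address through dlt_buf,
    // so the managed side passes ref IntPtr, not ref int[].
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern int pcap_list_datalinks(IntPtr p, ref IntPtr dltBuf);

    // Assumed to be exported by the installed library; frees the array above.
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern void pcap_free_datalinks(IntPtr dltList);

    // Returns a pointer to a static string owned by the library (do not free).
    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern IntPtr pcap_datalink_val_to_name(int dlt);

    [DllImport(Lib, CallingConvention = CallingConvention.Cdecl)]
    static extern void pcap_close(IntPtr p);

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: DatalinkLister <device>"); return 2; }
        var err = new StringBuilder(256); // PCAP_ERRBUF_SIZE
        IntPtr handle = pcap_open_live(args[0], 65535, 0, 1000, err);
        if (handle == IntPtr.Zero) { Console.Error.WriteLine(err); return 1; }
        IntPtr buf = IntPtr.Zero;
        try
        {
            int n = pcap_list_datalinks(handle, ref buf);
            if (n <= 0 || buf == IntPtr.Zero) { Console.Error.WriteLine("pcap_list_datalinks failed"); return 1; }
            int[] dlts = new int[n];
            Marshal.Copy(buf, dlts, 0, n); // copy out of native memory before freeing it
            foreach (int dlt in dlts)      // one line per selectable link-layer type
                Console.WriteLine("{0}\t{1}", dlt, Marshal.PtrToStringAnsi(pcap_datalink_val_to_name(dlt)) ?? "?");
            return 0;
        }
        finally
        {
            if (buf != IntPtr.Zero) pcap_free_datalinks(buf);
            pcap_close(handle);
        }
    }
}
```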