[Winpcap-users] Pcap_list_datalinks return bad number of links.
steve.a.beaudoin at gmail.com
Fri Aug 25 16:26:31 GMT 2006
Thank you for the precisions.
From: winpcap-users-bounces at winpcap.org
[mailto:winpcap-users-bounces at winpcap.org] On Behalf Of Guy Harris
Sent: August 24, 2006 21:29
To: winpcap-users at winpcap.org
Subject: Re: [Winpcap-users] Pcap_list_datalinks return bad number of links.
On Aug 24, 2006, at 3:11 PM, Steve Beaudoin wrote:
> You are absolutely right. The received array was the wrong item of
> the two. Following your suggestion, I changed my ref int for a
> ref IntPtr and I now receive two items, the other one is DOCSIS
> (Data Over Cable Service Interface Specifications,
> for those interested) as I have a cable modem.
No, the other one is DOCSIS because
1) you have an Ethernet (or something that claims to be an Ethernet)
2) Cisco has a device, the Cisco Cable Modem Termination System:
that can be configured to take raw DOCSIS frames and transmit
on an Ethernet (using only the low-level Ethernet framing and *no*
encapsulation, so the first byte of the Ethernet frame is the first
byte of the DOCSIS frame, *NOT* the first byte of an Ethernet
destination MAC address):
so that a network analyzer can capture and process them.
Wireshark is one analyzer that can process DOCSIS frames; if you're
plugged into an "Ethernet" that's connected to a Cisco CMTS, and the
CMTS is putting DOCSIS frames on the Ethernet, you'd capture with the
link-layer type set to DOCSIS, which would cause the device to appear
to have a link-layer type of DOCSIS and thus cause Wireshark to
analyzer the frames as DOCSIS frames.
Unless your cable modem has a similar capability, or you have some
device that can capture on the cable side of the cable modem, you
won't be able to see DOCSIS frames.
Winpcap-users mailing list
Winpcap-users at winpcap.org
More information about the Winpcap-users