Hi there, I want to check the differences in traffic which occur between cable modem and router, and traffic between the coaxial jack and cable modem. While I can easily set up a proxy between modem and router and intercept Ethernet traffic with tcpdump or Wireshark, the other side of the cable modem seems to be more complicated. Cable modems use the DOCSIS standard (EuroDOCSIS in Europe), which can be encrypted. As well, I don't have an idea how I could connect my proxy to the coaxial cable. Are there any adapters which can help here in connection with a demodulator? Because Wireshark has got a DOCSIS dissector, I assume that it should be possible to catch that DOCSIS traffic "out of the cable". I found a video called "Sniffing cable modems", but the aspect of how to connect the proxy via coaxial cable is not discussed in detail. Best Regards, Bastian asked 12 Mar '14, 02:26 CipherSpec |
2 Answers:
Not necessarily. Wireshark can read captures in many different file formats, and some of them contain packet types that the mechanisms that libpcap/WinPcap use can't capture. In the case of DOCSIS, that was added to Wireshark because some Cisco "cable modem termination systems" (CMTS) for the "head end" of cable modem networks (i.e., for use at the cable company's site) can take DOCSIS packets, wrap them in Ethernet low-level framing (no Ethernet header, just the raw octets of a DOCSIS packet, preceded by an Ethernet preamble and start frame delimiter and terminated by an Ethernet FCS), and put them out on an Ethernet. Support was added to libpcap/WinPcap to, when capturing on an Ethernet device, use a link-layer header type of DOCSIS rather than Ethernet, and Wireshark can read those files. Sadly, I don't know of any cable modems that support the same mechanism that the Cisco CMTSes do. The "sniffing cable modems" video that pops up when I do a search is the one by Guy Martin; the slides from that talk speak of using a DVB-C card to capture traffic in one direction and a USRP device to capture traffic in the other direction, but don't give any details. Guy Martin definitely knows about Wireshark, and the slides have his e-mail address; he might have some advice on hardware to use to sniff cable modem traffic. answered 12 Mar '14, 19:26 Guy Harris ♦♦ |
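The answer above describes a capture in which each record is a raw DOCSIS MAC frame rather than an Ethernet frame, distinguished only by the capture file's link-layer header type. The following is an added example (not code from the original answer, nor from libpcap or Wireshark) that shows what that difference looks like on disk: it builds a classic pcap file in memory, reads the link-layer type back from the global header, and decodes the DOCSIS MAC header (FC, MAC_PARM, LEN, optional EHDR, HCS) before handing the enclosed Ethernet frame to an Ethernet decoder. The link-type values (1 = Ethernet, 143 = DOCSIS), the FC bit layout and the sample frames are assumptions stated in the comments; the HCS is left as a zero placeholder rather than computed.

```python
import struct

# Link-layer header type values as listed on the tcpdump.org link-layer header
# types page (assumption: 1 = LINKTYPE_ETHERNET, 143 = LINKTYPE_DOCSIS).
LINKTYPE_ETHERNET = 1
LINKTYPE_DOCSIS = 143
LINKTYPE_NAMES = {LINKTYPE_ETHERNET: "LINKTYPE_ETHERNET", LINKTYPE_DOCSIS: "LINKTYPE_DOCSIS"}

# FC_TYPE (top two bits of the FC byte) per the DOCSIS MAC header layout;
# type 2 is reserved in DOCSIS 2.0/3.0 (Isolation PDU in 3.1).
FC_TYPE_NAMES = {0: "Packet PDU", 1: "ATM PDU", 2: "Reserved/Isolation PDU", 3: "MAC-specific header"}

PCAP_MAGIC = 0xA1B2C3D4  # little-endian classic pcap magic


def build_pcap(linktype, frames):
    """Build a classic pcap file in memory: 24-byte global header, then a
    16-byte record header followed by the raw frame bytes for each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Return (link-layer type name, list of raw frames) from a classic pcap."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    frames, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        frames.append(data[off:off + incl_len])
        off += incl_len
    return LINKTYPE_NAMES.get(linktype, f"unknown({linktype})"), frames


def parse_ethernet(frame):
    """Decode the 14-byte Ethernet II header (dst, src, ethertype)."""
    dst, src, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    fmt = lambda mac: ":".join(f"{b:02x}" for b in mac)
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype, "payload": frame[14:]}


def parse_docsis_mac_header(frame):
    """Decode a DOCSIS MAC frame: FC byte (FC_TYPE:2, FC_PARM:5, EHDR_ON:1),
    MAC_PARM, LEN, optional extended header, HCS, then the data PDU.
    LEN counts the extended header plus everything after the HCS."""
    fc, mac_parm, length = struct.unpack_from("!BBH", frame, 0)
    fc_type = fc >> 6
    fc_parm = (fc >> 1) & 0x1F
    ehdr_on = fc & 0x01
    off, ehdr = 4, b""
    if ehdr_on:
        # For a packet PDU with EHDR_ON set, MAC_PARM is the extended-header length.
        ehdr = frame[off:off + mac_parm]
        off += mac_parm
    hcs = struct.unpack_from("!H", frame, off)[0]
    off += 2
    pdu_len = length - len(ehdr)
    pdu = frame[off:off + pdu_len]
    if len(pdu) != pdu_len:
        raise ValueError("truncated DOCSIS frame")
    result = {"fc_type": fc_type, "fc_type_name": FC_TYPE_NAMES[fc_type], "fc_parm": fc_parm,
              "ehdr_on": ehdr_on, "mac_parm": mac_parm, "length": length, "ehdr": ehdr,
              "hcs": hcs, "pdu": pdu}
    if fc_type == 0:
        # A packet PDU carries an Ethernet/802.3 frame as its data PDU.
        result["ethernet"] = parse_ethernet(pdu)
    return result


def decode_capture(data):
    """Pick the decoder from the capture's link-layer type, as a dissector would."""
    linktype, frames = parse_pcap(data)
    if linktype == "LINKTYPE_DOCSIS":
        return linktype, [parse_docsis_mac_header(f) for f in frames]
    if linktype == "LINKTYPE_ETHERNET":
        return linktype, [parse_ethernet(f) for f in frames]
    return linktype, []


def build_docsis_packet_pdu(eth_frame, ehdr=b""):
    """Wrap an Ethernet frame in a DOCSIS packet-PDU MAC header (constructed;
    the HCS is a zero placeholder, real frames carry a CRC over the header)."""
    fc = 0x00 | (0x01 if ehdr else 0x00)
    return struct.pack("!BBH", fc, len(ehdr), len(ehdr) + len(eth_frame)) + ehdr + b"\x00\x00" + eth_frame


# Constructed sample: one Ethernet frame (38 bytes incl. a zero CRC placeholder),
# once as a plain packet PDU and once with a 2-byte extended header.
SAMPLE_ETH = (bytes.fromhex("aabbccddeeff") + bytes.fromhex("001122334455")
              + b"\x08\x00" + b"\x45" + bytes(19) + bytes(4))
SAMPLE_CAPTURE = build_pcap(LINKTYPE_DOCSIS, [build_docsis_packet_pdu(SAMPLE_ETH),
                                              build_docsis_packet_pdu(SAMPLE_ETH, ehdr=b"\x01\x00")])

if __name__ == "__main__":
    lt, decoded = decode_capture(SAMPLE_CAPTURE)
    print(lt)
    for d in decoded:
        print(d["fc_type_name"], "len", d["length"], "ehdr", d["ehdr"].hex(), d["ethernet"]["dst"])
```

The point the decoder makes is the one in the answer: the bytes of a DOCSIS record start with the FC/MAC_PARM/LEN header, not with an Ethernet destination address, so a reader that assumes Ethernet framing would misparse them; only the link-layer type in the file header tells the dissector which decoder to use.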
Actually, DOCSIS uses the RF interface to transmit DOCSIS packets; that's what the Wireshark DOCSIS dissector dissects, and what would be included in packets for which the link-layer header type value is LINKTYPE_DOCSIS, as per the tcpdump.org link-layer header types page. That entry says

So it's not just "Ethernet over cable". answered 19 Apr '15, 08:35 quantex edited 19 Apr '15, 08:37 |