Q: While capturing a multicast video feed on port 9000, I noticed Wireshark was identifying the content of the UDP packets as PCLI (Packet Cable Lawful Intercept) containing another IP datagram. Has anyone seen this issue before? Disabling the PCLI dissector fixes this.

A: The PCLI dissector is registered to decode anything on UDP port 9000. There are no heuristics in the dissector to check if the packet is indeed PCLI, nor does it seem to be an IANA allocated port. Disabling the dissector is the correct approach if your traffic isn't PCLI.

Q: What is PCLI traffic and how can I identify whether traffic is PCLI traffic? Can someone help me? Thanks a lot.

asked 14 Jun '14, 03:16 a278497234 edited 14 Jun '14, 03:17
One Answer:
Yes, and you have found the solution yourself. See also the following similar question:
Regarding your other question:
That's a method to allow authorities (governments, police, 'agencies') to intercept (eavesdrop) internet traffic of users, sent over cable connections.
How can you identify PCLI traffic? Well, by reading and understanding the specs or by reading the Wireshark PCLI dissector code. By looking at the dissector code, it looks like PCLI encapsulates plain IP packets in the UDP payload, without any further protocol. So, the best way to 'identify' PCLI traffic would be to actually use the PCLI dissector. If it finds a valid IP structure in the PCLI payload, chances are pretty good that it is PCLI. However, that's nothing you should be worried about. In your case it was just a coincidence with traffic on UDP port 9000 (the only sign for Wireshark to interpret that traffic as PCLI). If you were the target of surveillance, you would never see PCLI traffic, as that would reveal that surveillance ;-)) So, if you are afraid of 'lawful' surveillance, you can
Regards

answered 15 Jun '14, 07:49 Kurt Knochner ♦ edited 15 Jun '14, 07:51
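As an added example (not code from this thread or from Wireshark's own dissector), here is the kind of heuristic the answer says the PCLI dissector lacks: a UDP port 9000 payload is classified as PCLI only if a structurally valid IPv4 header (version, IHL, total length, header checksum) is found inside it. The candidate offset 4, the `build_ipv4` helper and the sample payloads are assumptions and constructed data, not taken from the capture discussed above.

```python
import socket
import struct

def ipv4_header_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header with its checksum field zeroed."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def looks_like_ipv4(data: bytes) -> bool:
    """True only if data begins with a self-consistent IPv4 header."""
    if len(data) < 20:
        return False
    version, ihl = data[0] >> 4, data[0] & 0x0F
    if version != 4 or ihl < 5:
        return False
    hlen = ihl * 4
    if len(data) < hlen:
        return False
    total_len = struct.unpack("!H", data[2:4])[0]
    if total_len < hlen or total_len > len(data):   # IP length must fit the payload
        return False
    stored = struct.unpack("!H", data[10:12])[0]
    return stored == ipv4_header_checksum(data[:hlen])

def classify_udp_payload(payload: bytes, offsets=(0, 4)) -> str:
    """Return 'pcli' if an IPv4 datagram is found at one of the candidate offsets.
    Assumption: any PCLI prefix before the IP packet is a short fixed header,
    so offset 0 (plain IP, as the answer describes) and offset 4 are tried."""
    for off in offsets:
        if looks_like_ipv4(payload[off:]):
            return "pcli"
    return "not-pcli"

def build_ipv4(payload: bytes, src="10.0.0.1", dst="10.0.0.2", proto=17) -> bytes:
    """Constructed helper: minimal IPv4 header with a correct checksum around payload."""
    total = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_header_checksum(hdr)) + hdr[12:] + payload

# Constructed samples: an RTP-style video payload and a genuine encapsulated IP datagram.
VIDEO_PAYLOAD = b"\x80\x60\x00\x01" + b"\x00" * 8 + b"\x47" + b"\x00" * 30
IP_PAYLOAD = build_ipv4(b"\x00" * 12)
```

Running `classify_udp_payload` over each UDP payload seen on port 9000 separates the video feed from anything that really carries an IP datagram, which is the check the port-only registration skips.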