Hello - I received a trace from an outside source. When I opened it up I used the Decode As feature. As a result, all the traffic was interpreted as DOCSIS, which was fine since it was coming off a cable modem infrastructure. However, my problem now is that no matter what I capture, it is now always interpreted as DOCSIS, which is nonsense. The question is: how can I make my Wireshark installation revert back to normal?

asked 06 Feb '12, 09:24 gregwolf0797
2 Answers:
Method 1
Using the same Decode As dialog that you originally used, click the Clear button.

Method 2
Using the menu Analyze > User Specified Decodes... > Clear. This wipes out all Decode As settings. (works as of Wireshark 1.7.0)

answered 06 Feb '12, 09:33 bstn
Check the following settings: Preferences - Frame protocol - uncheck "treat all frames as docsis".

answered 14 Nov '12, 04:49 wslez edited 14 Nov '12, 04:50

This saved me a lot of time. In Wireshark 2.2.7 on Mac, it is under Preferences->Advanced->frame.force_docsis_encap (28 Jun '17, 15:17) IgorGanapolsky
How was that trace captured? If it was captured from a Cisco device that puts DOCSIS frames onto an Ethernet as raw DOCSIS frames inside Ethernet framing, by a program that uses a sufficiently recent version of libpcap/WinPcap, they could have specified a link-layer header type of DOCSIS, so that Wireshark would automatically recognize it as DOCSIS traffic.