This is a static archive of our old Q&A Site. Please post any new questions and answers at

Why are packets incorrectly identified as PCLI?


While capturing a multicast video feed on port 9000, I noticed Wireshark was identifying the content of the UDP packets as PCLI (Packet Cable Lawful Intercept) containing another IP datagram.

Has anyone seen this issue before?

Disabling the PCLI dissector fixes this.

asked 15 Mar '12, 07:56

Manu's gravatar image

accept rate: 0%

edited 15 Mar '12, 08:46

multipleinterfaces's gravatar image


One Answer:


The PCLI dissector is registered to decode anything on UDP Port 9000. There are no heuristics in the dissector to check if the packet is indeed PCLI, nor does it seem to be an IANA allocated port.

Disabling the dissector is the correct approach if your traffic isn't PCLI.

answered 15 Mar '12, 08:26

grahamb's gravatar image

grahamb ♦
accept rate: 22%

Thanks grahamb.

(15 Mar '12, 08:32) Manu

Setting the PCLI port preference to 0 would permanently disable it too. (Maybe the default port should be 0 since 9000 isn't IANA-registered.)

(15 Mar '12, 15:12) JeffMorriss ♦

I am facing the same situation. Above mentioned disable PCLI protocol is the correct approach if it's not a PCLI traffic. My question is what is PCLI traffic and how to identify a traffic is PCLI traffic? Port 9000 is a IANA-registered port for UDPCast.

(14 Jun '14, 03:12) a278497234

(For completeness) you created a new question for this latest comment..

(16 Jun '14, 07:39) JeffMorriss ♦