This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Why are packets incorrectly identified as PCLI?

0

While capturing a multicast video feed on port 9000, I noticed Wireshark was identifying the content of the UDP packets as PCLI (Packet Cable Lawful Intercept) containing another IP datagram.

Has anyone seen this issue before?

Disabling the PCLI dissector fixes this.

asked 15 Mar '12, 07:56

Manu

edited 15 Mar '12, 08:46

multipleinterfaces


One Answer:

3

The PCLI dissector is registered to decode anything on UDP port 9000. There are no heuristics in the dissector to check if the packet is indeed PCLI, nor does it seem to be an IANA-allocated port.

Disabling the dissector is the correct approach if your traffic isn't PCLI.

answered 15 Mar '12, 08:26

grahamb ♦

Thanks grahamb.

(15 Mar '12, 08:32) Manu
1

Setting the PCLI port preference to 0 would permanently disable it too. (Maybe the default port should be 0 since 9000 isn't IANA-registered.)

(15 Mar '12, 15:12) JeffMorriss ♦

I am facing the same situation. The above-mentioned approach of disabling the PCLI protocol is correct if it's not PCLI traffic. My question is: what is PCLI traffic, and how do I identify whether traffic is PCLI traffic? Port 9000 is an IANA-registered port for UDPCast.

(14 Jun '14, 03:12) a278497234

(For completeness) you created a new question for this latest comment.

(16 Jun '14, 07:39) JeffMorriss ♦
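
What a heuristic check of the kind the answer says the dissector lacks could look like, as an added example that is not part of the original thread and is not Wireshark's code. It assumes a PCLI payload is a 4-byte CCCID followed by an IPv4 datagram; `looks_like_pcli` and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CCCID_LEN 4 /* assumption: a 4-byte CCCID precedes the intercepted IPv4 datagram */

/* RFC 1071 ones'-complement sum over the IPv4 header; 0 means the checksum verifies. */
static uint16_t ipv4_header_check(const uint8_t *h, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((h[i] << 8) | h[i + 1]);
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Hypothetical heuristic: 1 if the UDP payload is plausibly CCCID + IPv4, else 0. */
int looks_like_pcli(const uint8_t *p, size_t len)
{
    if (len < CCCID_LEN + 20)
        return 0;                       /* too short for CCCID + minimal IPv4 header */
    const uint8_t *ip = p + CCCID_LEN;
    size_t ip_len = len - CCCID_LEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    size_t total = (size_t)((ip[2] << 8) | ip[3]);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ihl > ip_len)
        return 0;                       /* version or header length is not valid IPv4 */
    if (total < ihl || total > ip_len)
        return 0;                       /* total length does not fit the UDP payload */
    return ipv4_header_check(ip, ihl) == 0;
}

/* Constructed sample: CCCID 1, then a 28-byte IPv4/UDP datagram 192.0.2.1 -> 192.0.2.2. */
const uint8_t sample_pcli[] = {
    0x00, 0x00, 0x00, 0x01,
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x11, 0xf6, 0xcc,
    0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02,
    0x04, 0xd2, 0x16, 0x2e, 0x00, 0x08, 0x00, 0x00 };

/* Constructed sample: 32 bytes of video-like data starting with an MPEG-TS sync byte. */
const uint8_t sample_video[32] = { 0x47, 0x40, 0x00, 0x10, 0x00, 0x00, 0xb0, 0x0d };

int main(void)
{
    printf("pcli sample: %d, video sample: %d\n",
           looks_like_pcli(sample_pcli, sizeof sample_pcli),
           looks_like_pcli(sample_video, sizeof sample_video));
    return 0;
}
```

A port-only registration accepts both samples; a structural check like this one rejects the video payload because the bytes after the first four do not form a valid IPv4 header.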