Ethernet (IEEE 802.3)

TableOfContents(2)

Overview

Ethernet is the most common local area networking technology, and, with gigabit and 10 gigabit Ethernet, is also being used for metropolitan-area and wide-area networking.

It is specified by [http://standards.ieee.org/getieee802/802.3.html various IEEE 802.3 specifications].

Ethernet sends network packets from the sending host to one (["Unicast"]) or more (["Multicast"]/["Broadcast"]) receiving hosts.

You can find hardware related Ethernet information at the EthernetHardware page.

Information how to capture on an Ethernet network can be found at the ["CaptureSetup/Ethernet"] page.

Packet format

A physical Ethernet packet will look like this:

Preamble

Destination MAC address

Source MAC address

Type/Length

User Data

Frame Check Sequence (FCS)

8

6

6

2

46 - 1500

4

As the Ethernet hardware filters the preamble, only the green fields are given to Ethereal or any other application. Most Ethernet interfaces also either don't supply the FCS to Ethereal or other applications, or aren't configured by their driver to do so.

MAC address fields

The second least significant bit of the first byte is the "Locally Administrated" bit. This bit is always set to 0 for all assigned OIDs. The purpose of this bit is that if you change your MAC address you should also set this bit to 1 in the new MAC address so that it is clear it is not a factory default MAC address. Many, but not all, cluster configurations that utilize MAC address failover will set this bit to 1 for the failover interface.

Type / Length field

Frame Check Sequence (FCS) field

History

See [http://en.wikipedia.org/wiki/Ethernet#History Wikipedia] for a brief history of Ethernet

Protocol dependencies

Ethernet is the lowest software layer, so it only depends on hardware.

Example traffic

Small portion of the capture from opening ethereal.com in a web browser.

Example capture file

Full capture from above example. Opening www.ethereal.com from the Firefox browser.

Ethereal

The Ethernet dissector is fully functional.

Preference Settings

(XXX add links to preference settings affecting how Ethernet is dissected).

Display Filter

A complete list of Ethernet display filter fields can be found in the [http://www.ethereal.com/docs/dfref/e/eth.html display filter reference]

Some useful filters:

Note: the Ethernet Broadcast address (ff:ff:ff:ff:ff:ff) is per definition a Multicast one (least significant bit of first address byte set). If you want to see only Multicasts, you have to filter out the Broadcasts as well  (eth.dst[0] & 1) && eth.dst!=ff:ff:ff:ff:ff:ff .

Capture Filter

Capture only the Ethernet-based traffic to and from Ethernet MAC address 08:00:08:15:ca:fe:

Ethernet ["Multicast"] traffic only:

Ethernet ["Broadcast"] traffic only:

Information how to capture on an Ethernet network can be found at the ["CaptureSetup/Ethernet"] page.

A lot of tutorial information about Ethernet can be found at [http://www.ethermanage.com/ethernet/ethernet.html Charles Spurgeon's Ethernet Web Site].

Discussion

Maybe we should add dissection of the MAC address and the Multicast and the LocallyAdministrated bits. Since many clusters implement MAC failover and they create the "new" MAC address for the failover interface as the same MAC address as the primary interface but with the LA bit set to 1, we should also add code to strip this bit off when we try to map it to a OID name.