I have been reading about IEEE 802.11, and especially the MAC layer, and I noticed that it contains a lot of information, but when I start to capture with Wireshark with my wireless card, the MAC (Ethernet) header shown in Wireshark contains only the destination MAC address, the source MAC address and the next layer protocol.

What's the problem? Am I not supposed to see all the MAC header information like I've been studying it? Why does the MAC header in the packets captured by Wireshark contain only these three pieces of information?

Sidahmed

1 Answer

Some parts of the Ethernet frame are processed entirely by the hardware and thus usually not seen by software, which is why you won't see those with Wireshark.

The part of the Ethernet frame before the MAC addresses is used for synchronizing the receiving of the packet. Thus it would be difficult for the hardware to make this visible to the software. It is only after the preamble that the hardware knows where the packet starts, at which point it is too late to capture the preamble.

The CRC is commonly verified in hardware and thus there is little reason to make this visible to the software layers. But I don't see any technical reason preventing this from being made visible to software. I wouldn't be surprised if at some point a manufacturer of a low-end network interface decided to cut a few cents off the hardware manufacturing price by making the driver responsible for CRC verification. If such interfaces do in fact exist, it would be possible to make the CRC visible in packet captures on those. But Wireshark is intended to work across a wide range of hardware, so making those few bytes visible would be problematic due to not being possible on all hardware.

It would not make a lot of sense for the gap between packets to be visible in captures because what you see in the captures are packets and the gap isn't part of any packet.

kasperd
  • Ah, very clear answer, thank you bro. When I first saw that in Wireshark, I thought that I was confused or messing something up. I have a project and I have to see the MAC headers completely; is there no way to do it?! (PS: I work under Linux) – Sidahmed Jan 30 '16 at 17:13
  • @Sidahmed Remember that you can click the checkmark next to the answer if it has fully answered your question. – kasperd Jan 30 '16 at 17:16
  • @Sidahmed It would in principle be possible to design hardware to capture the raw bits beneath the MAC layer as a stream of bits. It would not be very useful for normal communication, but it might be useful for analyzing network traffic. I have no idea if you can find a normal network interface which supports such operation. – kasperd Jan 30 '16 at 17:18
  • @Sidahmed Using a normal networking stack you don't get to see more than what is already visible in Wireshark. Seeing preamble, CRC, and interpacket gaps would require specialized drivers and likely specialized hardware as well. If VLAN tagging is used, the capture software needs to apply a bit of extra logic to reconstruct the VLAN tag, because it isn't provided by the kernel as part of the packet but rather through auxiliary data. – kasperd Jan 30 '16 at 17:24
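
The VLAN reconstruction mentioned in the last comment, as an added example that is not part of the original thread: on Linux packet sockets the stripped tag arrives in a `PACKET_AUXDATA` control message, and capture software has to splice it back in after the source MAC address. The function names and the sample frame and auxiliary data are constructed for illustration.

```python
import socket
import struct

# Linux packet-socket constants from the kernel headers, defined here explicitly.
SOL_PACKET = 263
PACKET_AUXDATA = 8
TP_STATUS_VLAN_VALID = 1 << 4
TP_STATUS_VLAN_TPID_VALID = 1 << 6
AUXDATA_FMT = "=IIIHHHH"  # struct tpacket_auxdata: status, len, snaplen, mac, net, vlan_tci, vlan_tpid
ETH_P_8021Q = 0x8100


def reinsert_vlan_tag(frame: bytes, auxdata: bytes) -> bytes:
    """Rebuild the on-wire frame from the stripped frame plus PACKET_AUXDATA."""
    if len(auxdata) < struct.calcsize(AUXDATA_FMT) or len(frame) < 14:
        return frame
    status, _, _, _, _, tci, tpid = struct.unpack_from(AUXDATA_FMT, auxdata)
    # A TCI of 0 without the VALID flag means "no tag", not "VLAN 0".
    if tci == 0 and not status & TP_STATUS_VLAN_VALID:
        return frame
    if not status & TP_STATUS_VLAN_TPID_VALID:
        tpid = ETH_P_8021Q  # older kernels do not report the TPID
    # The tag sits between the source MAC (bytes 6-11) and the EtherType.
    return frame[:12] + struct.pack("!HH", tpid, tci) + frame[12:]


def decode_tci(tci: int) -> dict:
    """Split the 16-bit Tag Control Information into its three fields."""
    return {"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF}


def capture_one(ifname: str) -> bytes:
    """Live use (Linux, needs CAP_NET_RAW): receive one frame with its tag restored."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(0x0003))  # ETH_P_ALL
    s.bind((ifname, 0))
    s.setsockopt(SOL_PACKET, PACKET_AUXDATA, 1)
    frame, ancdata, _, _ = s.recvmsg(65535, socket.CMSG_SPACE(struct.calcsize(AUXDATA_FMT)))
    s.close()
    for level, ctype, data in ancdata:
        if level == SOL_PACKET and ctype == PACKET_AUXDATA:
            return reinsert_vlan_tag(frame, data)
    return frame


# Constructed sample: an IPv4 frame as delivered by the kernel, tag already stripped.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"\x45" + bytes(19)
# Constructed auxdata: VLAN valid, TCI = priority 5, VLAN ID 100.
SAMPLE_AUX = struct.pack(AUXDATA_FMT, TP_STATUS_VLAN_VALID, 34, 34, 0, 14, (5 << 13) | 100, 0)
```

`capture_one` is the only part that touches the network; the other two functions work on bytes alone, so the reconstruction can be checked against the constructed sample without a live interface.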