Ethernet Frame Structure

Nerd Cafe

Ethernet is the most widely used networking technology today. Understanding its frame structure is crucial for network troubleshooting, analysis, and design. In this lesson, I will guide you step by step through the Ethernet frame structure, providing both theoretical explanations and practical hands-on demonstrations.

Step 1: Understanding the Ethernet Frame

An Ethernet frame is a structured package of data used for communication in an Ethernet network. It consists of multiple fields that help ensure reliable data transmission.

Basic Ethernet Frame Structure (IEEE 802.3)

Field

Size (Bytes)

Description

Preamble

Synchronization pattern for the receiver

Start Frame Delimiter (SFD)

Marks the start of a frame

Destination MAC Address

MAC address of the receiving device

Source MAC Address

MAC address of the sending device

EtherType / Length

Type of protocol (IPv4, IPv6, etc.) or frame length

Payload (Data)

46 - 1500

The actual data being transmitted

Frame Check Sequence (FCS)

Error-checking CRC (Cyclic Redundancy Check)

Step 2: Deep Dive into Each Field

1. Preamble (7 Bytes)

The preamble consists of alternating 1s and 0s (101010... pattern) for synchronization.
It helps the receiving device recognize an incoming frame.

2. Start Frame Delimiter (SFD) (1 Byte)

The SFD is 10101011 in binary.
It signals the exact start of the Ethernet frame.

3. Destination MAC Address (6 Bytes)

It contains the MAC address of the intended recipient.
MAC addresses are 48-bit (6 bytes) long and look like: 00:1A:2B:3C:4D:5E.

4. Source MAC Address (6 Bytes)

It contains the MAC address of the sender.

5. EtherType / Length (2 Bytes)

If the value is greater than 1536 (0x0600 in hex), it represents EtherType (indicating protocols like IPv4, IPv6, ARP, etc.).
If the value is less than 1500, it indicates the length of the payload.

6. Payload (Data) (46-1500 Bytes)

Contains the actual data being transmitted.
If the data is less than 46 bytes, padding is added to meet the minimum frame size of 64 bytes.

7. Frame Check Sequence (FCS) (4 Bytes)

Uses Cyclic Redundancy Check (CRC-32) to verify data integrity.
If the FCS doesn’t match the computed CRC at the receiver, the frame is discarded.

Step 3: Practical Hands-on with Wireshark

To better understand Ethernet frames, let’s capture real network traffic using Wireshark, a network protocol analyzer.

Task: Capture an Ethernet Frame in Wireshark

Open Wireshark and select your active network interface.
Click Start Capture.
Filter the Ethernet traffic by typing:

eth

eth.dst == xx:xx:xx:xx:xx:xx

(Replace xx:xx:xx:xx:xx:xx with a specific MAC address).

Click on a captured frame and inspect the frame structure.

Wireshark Example Output

When you capture a frame, you will see:

Frame 1: 74 bytes on wire (592 bits), 74 bytes captured
    Ethernet II, Src: 00:1A:2B:3C:4D:5E, Dst: 00:11:22:33:44:55
        Destination: 00:11:22:33:44:55 (Receiver MAC)
        Source: 00:1A:2B:3C:4D:5E (Sender MAC)
        Type: IPv4 (0x0800)
    Data: 00112233445566778899aabbccddeeff...

Analyze Each Field in Wireshark:

Frame size (Check if it's between 64 and 1518 bytes)
Source and destination MAC addresses
EtherType (IPv4, IPv6, ARP, etc.)
Payload
Frame Check Sequence (FCS) (Only visible if capturing on a switch)

Step 4: Lab Experiment - Sending Custom Ethernet Frames

You can create and send custom Ethernet frames using Scapy, a powerful Python tool for packet manipulation.

Install Scapy

pip install scapy

Send a Custom Ethernet Frame

from scapy.all import *

# Construct an Ethernet frame
eth_frame = Ether(dst="ff:ff:ff:ff:ff:ff", src="00:1A:2B:3C:4D:5E", type=0x0800)

# Send the frame on the network
sendp(eth_frame, iface="eth0")

dst="ff:ff:ff:ff:ff:ff" → Broadcast frame (sent to all devices)
src="00:1A:2B:3C:4D:5E" → Source MAC address
type=0x0800 → Indicates an IPv4 packet
iface="eth0" → Replace with your actual network interface

Capture and Verify in Wireshark

Open Wireshark and start capturing.
Run the Python script.
Check if the broadcast frame is detected in Wireshark.

Summary & Key Takeaways

Ethernet frames are the building blocks of Ethernet communication.
The frame structure includes preamble, SFD, MAC addresses, EtherType, payload, and FCS.
Minimum Ethernet frame size is 64 bytes, and the maximum (without jumbo frames) is 1518 bytes.
Wireshark allows you to analyze real Ethernet frames.
Scapy enables custom frame creation and transmission.

Keywords

Ethernet frame, MAC address, Preamble, Start Frame Delimiter, SFD, EtherType, Payload, Frame Check Sequence, FCS, Cyclic Redundancy Check, CRC, network packet, data link layer, IEEE 802.3, Wireshark, Scapy, broadcast frame, unicast frame, multicast frame, minimum frame size, نتورک پلاس

PreviousFiber Optic Cables NextSwitches

Last updated 1 month ago

Frame 1: 74 bytes on wire (592 bits), 74 bytes captured Ethernet II, Src: 00:1A:2B:3C:4D:5E, Dst: 00:11:22:33:44:55 Destination: 00:11:22:33:44:55 (Receiver MAC) Source: 00:1A:2B:3C:4D:5E (Sender MAC) Type: IPv4 (0x0800) Data: 00112233445566778899aabbccddeeff...