Ethernet Frame Structure

Ethernet is the most widely used networking technology today. Understanding its frame structure is crucial for network troubleshooting, analysis, and design. In this lesson, I will guide you step by step through the Ethernet frame structure, providing both theoretical explanations and practical hands-on demonstrations.

Step 1: Understanding the Ethernet Frame

An Ethernet frame is a structured package of data used for communication in an Ethernet network. It consists of multiple fields that help ensure reliable data transmission.

Basic Ethernet Frame Structure (IEEE 802.3)

Step 2: Deep Dive into Each Field

1. Preamble (7 Bytes)

• The preamble consists of alternating 1s and 0s (101010... pattern) for synchronization.

• It helps the receiving device recognize an incoming frame.

2. Start Frame Delimiter (SFD) (1 Byte)

• The SFD is 10101011 in binary.

• It signals the exact start of the Ethernet frame.

3. Destination MAC Address (6 Bytes)

• It contains the MAC address of the intended recipient.

• MAC addresses are 48-bit (6 bytes) long and look like: 00:1A:2B:3C:4D:5E.

4. Source MAC Address (6 Bytes)

• It contains the MAC address of the sender.

5. EtherType / Length (2 Bytes)

• If the value is greater than 1536 (0x0600 in hex), it represents EtherType (indicating protocols like IPv4, IPv6, ARP, etc.).

• If the value is less than 1500, it indicates the length of the payload.

6. Payload (Data) (46-1500 Bytes)

• Contains the actual data being transmitted.

• If the data is less than 46 bytes, padding is added to meet the minimum frame size of 64 bytes.

7. Frame Check Sequence (FCS) (4 Bytes)

• Uses Cyclic Redundancy Check (CRC-32) to verify data integrity.

• If the FCS doesn’t match the computed CRC at the receiver, the frame is discarded.

Step 3: Practical Hands-on with Wireshark

To better understand Ethernet frames, let’s capture real network traffic using Wireshark, a network protocol analyzer.

Task: Capture an Ethernet Frame in Wireshark

• Download and install Wireshark from https://www.wireshark.org.

• Open Wireshark and select your active network interface.

• Click Start Capture.

• Filter the Ethernet traffic by typing:

or

(Replace xx:xx:xx:xx:xx:xx with a specific MAC address).

• Click on a captured frame and inspect the frame structure.

Wireshark Example Output

When you capture a frame, you will see:

Analyze Each Field in Wireshark:

• Frame size (Check if it's between 64 and 1518 bytes)

• Source and destination MAC addresses

• EtherType (IPv4, IPv6, ARP, etc.)

• Payload

• Frame Check Sequence (FCS) (Only visible if capturing on a switch)

Step 4: Lab Experiment - Sending Custom Ethernet Frames

You can create and send custom Ethernet frames using Scapy, a powerful Python tool for packet manipulation.

Install Scapy

Send a Custom Ethernet Frame

• dst="ff:ff:ff:ff:ff:ff" → Broadcast frame (sent to all devices)

• src="00:1A:2B:3C:4D:5E" → Source MAC address

• type=0x0800 → Indicates an IPv4 packet

• iface="eth0" → Replace with your actual network interface

Capture and Verify in Wireshark

• Open Wireshark and start capturing.

• Run the Python script.

• Check if the broadcast frame is detected in Wireshark.

Summary & Key Takeaways

1. Ethernet frames are the building blocks of Ethernet communication.

2. The frame structure includes preamble, SFD, MAC addresses, EtherType, payload, and FCS.

3. Minimum Ethernet frame size is 64 bytes, and the maximum (without jumbo frames) is 1518 bytes.

4. Wireshark allows you to analyze real Ethernet frames.

5. Scapy enables custom frame creation and transmission.

Keywords

Ethernet frame, MAC address, Preamble, Start Frame Delimiter, SFD, EtherType, Payload, Frame Check Sequence, FCS, Cyclic Redundancy Check, CRC, network packet, data link layer, IEEE 802.3, Wireshark, Scapy, broadcast frame, unicast frame, multicast frame, minimum frame size, نتورک پلاس