Wireshark doesn't show Ethernet Broadcast Destination Address

0
votes

If I send broadcast packets over my Ethernet, that means that the destination Ethernet address is set to 0xffffffffffff. When I look at the sent packets in Wireshark, however, the part of the packet where the eth destination should be is never 0xffffffffffff, and is instead something else.

Here's a screenshot:

enter image description here

The highlighted portion should be the eth destination, eth source, and frame type. I see the eth source and frame type, but the eth destination is not 0xffffffffffff as I expect it to be for a broadcast, and in fact doesn't seem to be a valid destination mac address at all. Can anyone explain this?

2
networkingnetwork-programmingwiresharkbroadcastpacket

2 Answers

3
votes

The "Linux Cooked Capture" is a really big hint to what's wrong. From the Wireshark wiki:

When capturing from the "any" device, or from one of those other devices, in Linux, the libpcap doesn't supply the link-layer header for the real "hardware protocol" like Ethernet, but instead supplies a fake link-layer header for this pseudo-protocol.

So, you may want to ensure that you have sniffing privileges and then specify an interface rather than relying on a capture from "Any"

0
votes

The capture seems to be a processed packet. In order to see the destination MAC address you'd need a raw capture showing the full frame - the destination MAC precedes the source MAC.