There are a lot of components to the Ethernet specification which I am not going to cover here, such as physical design, wiring, collision handling, etc. Rather, I'm going to focus on the aspects of Ethernet which you actually see with a packet analyzer, namely Ethernet addressing and protocol types. I will also provide a brief overview of Ethernet hubs and switches as they play a critical role in determining where to insert an analyzer so that you can actually monitor the traffic that you want to see.
Note: There are actually several different Ethernet packet formats, however, the most common is called Ethernet II (aka Ethernet_V2) so we'll cover just that format for now.
An Ethernet II packet starts with a 14-octet header made up of three fields: a 6 octet (byte) destination address, a 6 octet source address, and a 2 octet type; the payload follows the type field:
Ethernet II
Destination: XX:XX:XX:XX:XX:XX
Source: XX:XX:XX:XX:XX:XX
Type: XX:XX
Ethernet addresses are often referenced using one or more of the following terms:
From this point forward I'll use the term MAC address as this is the term used in the Ethernet specification documents.
There are four types of MAC addresses:
| MAC Type | Address range |
| Globally Unique | *0-**-**-**-**-**, *4-**-**-**-**-**, *8-**-**-**-**-**, *C-**-**-**-**-** |
| Locally Administered | *2-**-**-**-**-**, *6-**-**-**-**-**, *A-**-**-**-**-**, *E-**-**-**-**-** |
| Multicast | *1-**-**-**-**-**, *3-**-**-**-**-**, *5-**-**-**-**-**, *7-**-**-**-**-**, *9-**-**-**-**-**, *B-**-**-**-**-**, *D-**-**-**-**-**, *F-**-**-**-**-** (except the broadcast address) |
| Broadcast | FF-FF-FF-FF-FF-FF |
(* stands for any hex digit. The type is decided by the two low-order bits of the first octet, which is why only the second hex digit of that octet matters.)
Globally unique addresses are allocated by the IEEE in blocks containing 2^24 (16,777,216) addresses. In each allocation, the first 3 octets are fixed (e.g. 00-00-0C is Cisco) and the last three octets are variable (00-00-00 through FF-FF-FF). The fixed portion of the allocation is known formally as the Organizationally Unique Identifier (OUI), and informally as the Ethernet Vendor ID. Often, the OUI portion of a MAC address is extremely helpful in identifying which physical piece of equipment is generating a particular packet.
When an Ethernet adapter or interface is manufactured it is assigned a unique Global address, which is usually stored in some kind of read-only memory (ROM). When an operating system initializes its Ethernet device drivers, it reads the Global address from the adapter's ROM and stores it in system memory. From that point forward, all packets sent from the device will have a source MAC address equal to the Global address stored on the adapter.
When an Ethernet adapter receives a packet from the network, it compares the destination address to its own MAC address. If there is a match (or the destination is the broadcast address, or a multicast address the adapter has been told to accept, both covered below), the adapter passes the packet on to the operating system for further processing. Otherwise, the packet is discarded. This creates an interesting challenge for protocol analysis, as we often want to monitor ALL packets on a network, not just those addressed to our own Ethernet adapter. Fortunately, most Ethernet adapters support an option known as 'promiscuous mode'. When promiscuous mode is activated, the adapter forwards ALL packets it receives to the operating system, thus enabling a packet analyzer to see all traffic as well. Note that promiscuous mode only removes the adapter's own filter; it does nothing about traffic that never reaches the adapter's port, which is the switch problem discussed below.
You can look up which vendor was allocated a particular OUI using the following search page: IEEE OUI Search (enter the OUI as XX-XX-XX).
Unfortunately, OUIs don't always properly identify the actual equipment vendor. Often the OUI identifies who manufactured the Ethernet adapter, not the finished product. For example, some SonicWalls contain Ethernet adapters with a Cisco OUI. Vendors are also allowed to sub-delegate portions of their OUI allocations to other manufacturers, and these sub-delegations are undocumented. Lastly, some OUI allocations are kept private and not published by the IEEE. Treat the OUI as a hint about the sender, not as proof of what device sent a packet.
Locally administered addresses (LAA) are MAC addresses in which the second least significant bit of the first octet is set to '1' (i.e. the first octet looks like 'xxxxxx1x' in binary). LAAs enable administrators to assign MAC addresses using their own scheme. When an LAA is assigned, it overrides the in-memory copy of the Global address during driver initialization; the burned-in address on the Ethernet adapter is never actually changed, only the in-memory copy. LAAs create the possibility of assigning duplicate MAC addresses, which makes for some very interesting network problems. They are rarely hand-assigned in Ethernet environments (they are fairly popular in Token Ring networks), but you will also see them on virtual machine interfaces and on clients that randomize their MAC address, so an LAA source address tells you nothing about the hardware behind it.
Multicast addresses are MAC addresses which have the LSB of the first octet set to '1'. Ethernet multicast addressing is used by protocols which require efficient communication among groups of hosts. For example, router advertisements, bridge spanning tree announcements, audio/video multicasting, Internet Group Management Protocol (IGMP RFC), etc.
By default, an Ethernet adapter will discard all traffic with a multicast destination address, unless it has specifically enabled that address for reception. For example, if you enable Microsoft Networking using NetBEUI, the multicast address 03-00-00-00-00-01 will be activated on your Ethernet adapter. This will enable you to receive and process the NetBIOS name registrations which are multicast by other hosts that are configured for File and Print Sharing using NetBEUI.
Don't worry about multicast too much, as it will account for very little (if any) of the traffic on an IPv4 network of this kind. On current networks, IPv6 neighbor discovery, mDNS and SSDP all ride on multicast, so expect to see more of it there.
For a list of common multicast addresses see: Ethernet multicast addresses
The broadcast address is a special case where all 48 bits of the MAC address are set to '1' (i.e. FF-FF-FF-FF-FF-FF).
When an adapter receives a packet with a destination broadcast address, it always passes it to the operating system for further processing.
Broadcasts are key to many important protocols, as they enable a host to communicate with ALL hosts on the local network even if it doesn't know the target host's specific MAC address. This enables a Microsoft Networking enabled host to advertise its NetBIOS name to the entire network with one (broadcast) packet. A client who wants to determine the MAC address of a particular IP host sends an ARP (Address Resolution Protocol) broadcast. Routers advertise their routing tables to other routers using RIP (Routing Information Protocol) broadcasts...and the list goes on. Don't worry, we'll get into the specifics of each of these protocols later; for now it's just important to understand why broadcasts are used.
Broadcasts can also be particularly dangerous. Since ALL hosts on a network have to process a broadcast packet, a high rate of broadcasts can sap CPU processing from all the hosts on your network. Additionally, broadcast packets must be forwarded to every port of an Ethernet switch, thus heavy broadcast traffic can bog down network equipment as well.
The following table illustrates which address types are valid source and destinations:
| Valid Use | MAC Type |
| Source address | Globally Unique, Locally Administered |
| Destination address | Globally Unique, Locally Administered, Multicast, Broadcast |
A packet whose source address is multicast or broadcast is malformed; when you see one in a capture it was forged or produced by a faulty driver, and it is a useful thing to filter for.
The next two bytes of an Ethernet II packet indicate which higher-level protocol is contained in the payload. Values of 0600 hex (1536 decimal) and above are Ethernet II type codes; a smaller value is a length field, which marks the frame as one of the other (IEEE 802.3) formats mentioned above rather than Ethernet II.
Some common Ethernet types are as follows:
| Ethernet Type | Description |
| 0800 | Internet Protocol version 4 (IPv4) |
| 0806 | Address Resolution Protocol (ARP) |
| 8100 | IEEE 802.1Q VLAN tag (the real type follows the 4-byte tag) |
| 86DD | Internet Protocol version 6 (IPv6) |
A more comprehensive list of Ethernet types as available here: Ethernet type codes
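To tie the header layout, the address classes and the type field together, here is an added example in Python that is not part of the original article. It unpacks a 14-byte Ethernet II header, classifies each MAC address using the two low-order bits of the first octet, looks the OUI up in a constructed vendor table (only the Cisco entry from the text; a real tool would load the IEEE registry), and models the adapter's receive filter, including promiscuous mode. The sample frame is a constructed ARP request, not a real capture.

```python
"""Parse an Ethernet II header and classify its MAC addresses.

Added example (not part of the original article). The OUI table and the
sample frame are constructed for illustration.
"""
import struct
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"

# A type/length field below 0x0600 is an IEEE 802.3 length, not an Ethernet II type.
ETHERNET_II_MIN_TYPE = 0x0600

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q VLAN tag"}

# Constructed vendor table; the real one is the IEEE OUI registry.
OUI_TABLE = {"00-00-0C": "Cisco"}


@dataclass
class EthernetHeader:
    dst: str
    src: str
    ethertype: int


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> EthernetHeader:
    """Unpack the 14-byte Ethernet II header, rejecting 802.3 length fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than the 14-byte Ethernet II header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype < ETHERNET_II_MIN_TYPE:
        raise ValueError(f"type field 0x{etype:04x} is a length; not Ethernet II")
    return EthernetHeader(fmt_mac(dst), fmt_mac(src), etype)


def classify_mac(mac: str) -> dict:
    """Classify by the two low-order bits of the first octet.

    bit 0 (I/G): 0 = unicast, 1 = multicast (all ones = broadcast)
    bit 1 (U/L): 0 = globally unique (OUI-based), 1 = locally administered
    """
    mac = mac.lower()
    first = int(mac[:2], 16)
    if mac == BROADCAST:
        kind = "broadcast"
    elif first & 0x01:
        kind = "multicast"
    else:
        kind = "unicast"
    local = bool(first & 0x02)
    oui = mac[:8].upper().replace(":", "-")
    # An OUI lookup only means something for a globally unique unicast address.
    vendor = OUI_TABLE.get(oui, "unknown") if (kind == "unicast" and not local) else None
    return {"kind": kind, "locally_administered": local, "oui": oui, "vendor": vendor}


def valid_source(mac: str) -> bool:
    """Only unicast addresses (global or local) may appear as a source."""
    return classify_mac(mac)["kind"] == "unicast"


def adapter_accepts(hdr: EthernetHeader, own_mac: str,
                    enabled_multicast=(), promiscuous: bool = False) -> bool:
    """Model the receive filter of an ordinary (non-analyzer) adapter."""
    if promiscuous:
        return True  # everything that reaches the port goes up to the OS
    dst = hdr.dst.lower()
    if dst == own_mac.lower() or dst == BROADCAST:
        return True
    return dst in {m.lower() for m in enabled_multicast}


# Constructed ARP request: broadcast destination, Cisco-OUI source, type 0x0806,
# followed by a zeroed 28-byte ARP body (the payload is not parsed here).
SAMPLE_ARP_FRAME = bytes.fromhex("ffffffffffff" "00000c123456" "0806") + bytes(28)

if __name__ == "__main__":
    hdr = parse_ethernet(SAMPLE_ARP_FRAME)
    print(hdr, ETHERTYPES.get(hdr.ethertype, "unknown"))
    print(classify_mac(hdr.src))
    print("adapter 00:11:22:33:44:55 accepts:", adapter_accepts(hdr, "00:11:22:33:44:55"))
```

Note that 03-00-00-00-00-01 from the NetBEUI example classifies as both multicast and locally administered, because bits 0 and 1 of the first octet are both set; the ranges in the address table above overlap in exactly that way.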
There are a variety of devices which you can use to build a network: hubs, switches, dual-speed hubs, routers with integrated hubs or switches, etc. Though these devices physically look similar, their internal operation is dramatically different and has a profound impact on how and where you insert your analyzer.
A hub is a device with multiple Ethernet ports. Internally, these ports are connected together by a simple bit repeater. Every bit that is received on one port, is repeated to EVERY other port...no exceptions:
If our goal is to monitor traffic between two hosts (connected to hub ports #5 and #7) we can connect the analyzer to port #3 and will see the desired conversation with no problem.
An Ethernet switch is an entirely different beast. A switch learns which port each host MAC address is connected to by noting the source address of the frames arriving on each port. When the switch receives a packet destined for a specific MAC address it knows about, the packet is forwarded ONLY to that port. So if our goal is to monitor traffic between hosts connected to switch ports #5 and #7, hooking up an analyzer to port #3 of the switch would not be very useful. A switch does forward multicast and broadcast traffic, as well as unicast traffic to addresses it has not yet learned, to EVERY port (a process known as flooding). So if you connect an analyzer to a switch, often all you'll see is background ARP and NetBIOS broadcast traffic. A quick rule of thumb if you're not sure whether you have a hub or a switch: if all you see is broadcasts, you have a switch. (Managed switches can be configured to copy one port's traffic to the analyzer's port, a feature usually called a mirror or SPAN port; the unmanaged switches found in most small networks cannot.)
Stay tuned, we'll discuss how to work-around the switch problem in minute.
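The hub versus switch difference is easiest to see by simulating both. The following is an added example in Python, not code from the original article; the port numbers, MAC addresses and the four-frame traffic sample are constructed to match the scenario above (hosts on ports #5 and #7, analyzer on port #3). The switch model learns source addresses and floods broadcast, multicast and unknown-destination frames, which is the standard learning-switch behaviour; the hub model repeats everything.

```python
"""Simulate what an analyzer on port 3 sees on a hub versus a learning switch.

Added example (not from the original article). Port numbers, MAC addresses
and the traffic sample are constructed to match the scenario in the text.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_group_address(mac: str) -> bool:
    """Multicast or broadcast: the I/G bit (LSB of the first octet) is set."""
    return bool(int(mac[:2], 16) & 0x01)


class Hub:
    """Bit repeater: every frame goes out every other port, no exceptions."""

    def __init__(self, ports):
        self.ports = set(ports)

    def forward(self, in_port: int, src: str, dst: str) -> set:
        return self.ports - {in_port}


class Switch:
    """Learning switch: learns source MAC -> port, forwards known unicast to
    one port only, floods broadcast, multicast and unknown destinations."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.table = {}  # MAC address -> port

    def forward(self, in_port: int, src: str, dst: str) -> set:
        self.table[src] = in_port  # learning happens on every frame
        if is_group_address(dst) or dst not in self.table:
            return self.ports - {in_port}  # flood
        out = self.table[dst]
        return set() if out == in_port else {out}


def capture(device, traffic, analyzer_port: int):
    """Return the (src, dst) pairs that reach a promiscuous analyzer."""
    seen = []
    for in_port, src, dst in traffic:
        if analyzer_port in device.forward(in_port, src, dst):
            seen.append((src, dst))
    return seen


def only_group_traffic(seen) -> bool:
    """The rule of thumb from the text: if all you see is broadcast, it's a switch."""
    return bool(seen) and all(is_group_address(dst) for _, dst in seen)


# Constructed scenario: PC_A on port 5, PC_B on port 7, analyzer on port 3.
PC_A = "00:00:0c:aa:aa:aa"
PC_B = "00:00:0c:bb:bb:bb"
TRAFFIC = [
    (5, PC_A, BROADCAST),  # ARP request from A: "who has B?"
    (7, PC_B, PC_A),       # ARP reply from B, unicast to A
    (5, PC_A, PC_B),       # first data frame A -> B
    (7, PC_B, PC_A),       # reply B -> A
]

if __name__ == "__main__":
    print("hub:   ", capture(Hub({3, 5, 7}), TRAFFIC, 3))
    print("switch:", capture(Switch({3, 5, 7}), TRAFFIC, 3))
```

On the hub the analyzer records all four frames; on the switch it records only the ARP broadcast, because by the time the reply arrives the switch has already learned that PC_A lives on port #5. The one unicast case the analyzer does see is a frame to an address the switch has not learned yet (for example, a reply sent before the target ever transmitted), which is flooded like a broadcast.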
Another common device is the dual-speed hub. Architecturally, these are really TWO independent hubs (one for 10Mbps hosts and one for 100Mbps hosts) connected together by a two-port switch:
When connecting your analyzer you need to pay close attention to what speed you are connecting at; otherwise, you may not be able to see the traffic you want to. For example, if we connect to the dual-speed hub at 10Mbps, we'll only be able to see the traffic between 10Mbps hosts (e.g. PC#1 and PC#2) AND traffic being exchanged between a 10Mbps and a 100Mbps host (e.g. PC#2 talking to PC#3), since the internal two-port switch carries that across. However, we will be totally blind to traffic between 100Mbps hosts (e.g. PC#3 talking to PC#4), which never crosses to the 10Mbps side.
In order to monitor communication between PC#3 and PC#4, we'd have to reconfigure the analyzer to connect to the hub at 100Mbps. Also, remember that many Cable/DSL routers only support 10Mbps. If you connect such a device to a dual-speed hub, make sure you configure your analyzer for 10Mbps as well.
The ever popular Cable/DSL routers (e.g. Linksys, Netgear, Dlink, etc.) also complicate the packet analysis process. These devices have an integral 4 or 8 port switch. Then there is typically a Wide-area Network (WAN) port which connects to a Cable or DSL modem. A network address translation (NAT) engine sits between the WAN port and the switch. Whether we want to monitor the WAN or local communication, there's no useful place to jack into the network. If we just plug into one of the switch ports, all we're going to see is background broadcast traffic. We're completely blind to any DHCP, PPPoE or security attacks which will only occur on the WAN port.
The first step to resolving this problem is to insert a hub between the WAN port on the router and the Cable/DSL modem. Then you can connect an analyzer to this hub to monitor WAN communication. Or even better, install a second Ethernet adapter in our analyzer and dedicate it to WAN analysis. Best Buy and CompUSA are loving me now.
For true flexibility, we then install a second hub between the router and our hosts. Now our one analyzer can monitor both LAN and WAN communications (sadly not simultaneously).
