8

In the IEEE 802.11 protocol, in the link frame, the second address is the sender MAC address, and the first address is the receiver MAC address, which is the AP address if the sender is a station, and the destination station if the sender is the AP.

So in my case, since I am sniffing the packets with Wireshark from my perspective, if I send ICMP for example, I should see my MAC address as the second address, and the AP MAC address as the first address.

But:

[Image: Wireshark capture screenshot]

The source address is my machine. The destination address is my phone, which is the device I was giving the ICMP packets to. The same thing in reverse in the response packet.

Also, the link layer shows as "Ethernet", but I am connected via Wi-Fi, so it should appear as IEEE 802.11. However, I have seen here that Wi-Fi interfaces often present themselves as Ethernet interfaces, so they present Ethernet-translated packets to make it easy for the OS to manage them, or something like that...

Peter Mortensen
Allexj

1 Answer

19

You're seeing an emulated Ethernet header that's provided by the OS (or by the Wi-Fi adapter's firmware; I am not quite sure which).

The real 802.11 header is deliberately hidden from you, and the link type always says "Ethernet" – it's not the OS trying to make management simpler; it's because the specification says so. Per the 802.11 specification, Wi-Fi interfaces are supposed to present an 802.3-compatible link layer to the upper layers, to allow it to be directly bridged to an actual Ethernet, even though they use something more complex under the hood. (I think it's not too different from using a "media converter" for other "Ethernet over XYZ" technologies like HomePlug or ADSL.)

To see the real 802.11 header that's being sent/received, you'll have to enable "monitor mode" for Wireshark. In it there would be three MAC addresses – sender, receiver, and AP.

(The station is assumed to be either the sender or the receiver. However, there exists a "4-address" mode for wireless bridging aka WDS, where you have source, destination, AP, and station MAC addresses all in the same frame.)

> In the IEEE 802.11 protocol, in the link frame, the second address is the sender MAC address, and the first address is the receiver MAC address, which is the AP address if the sender is a station, and the destination station if the sender is the AP.

No, not quite like that.

Wi-Fi access points are bridges, and like wired switches they're meant to be invisible at the link layer. If the sender is a station, the destination is not the AP – it's the actual destination host's MAC address, because how else would the bridge know where to deliver the packet? It doesn't look at the IP header; that's what routers do.

(Unless, of course, the destination is a router that's the same device as the AP, in which case the destination MAC address will typically be very similar to the AP's BSSID, sometimes even the same, or only differing in a single bit. This may be the common case when accessing the Internet over a home gateway – but don't draw assumptions from it.)

The real 802.11 header does carry the AP's MAC address as well, but in a third field separately from the original sender and recipient. If you enable "monitor mode" to capture 802.11 frames, you'll see that frames from a station have two destination MAC addresses.

(Though don't get confused by Wireshark's dissector, which shows the same fields twice under two different names – some of them actually correspond to the same bytes.)

Peter Mortensen
u1686_grawity
  • Wow, thanks A LOT for your answer! Very clarifying. One question: in Ethernet frames, the switches are REALLY invisible, because the switch's MAC address never shows. But in a wireless AP, it's not invisible, because as you said, it shows in the third address, right? So they are not really invisible like the switches were – Allexj Dec 31 '21 at 09:52
  • 2
    They still are invisible *as far as the upper layers are concerned,* because the "higher" layers such as IP do not specifically address a frame to the AP (remember, they don't even see this 3rd field nor the rest of the 802.11 header – they only deal with the emulated Ethernet link), the 3rd address remains confined within the lower half of the link layer, it doesn't show in neighbor tables, it doesn't show in ARP responses, your TCP/IP stack just specifies the target host as the "destination MAC". – u1686_grawity Dec 31 '21 at 10:09
  • 1
    Yeah, I know that, the APs are just level 2 so the upper layers are untouched. But they are not really invisible because if I am in monitor mode and sniff 802.11, I can "catch" the third address in the frame, which is the AP address. I can't do this with a switch via Ethernet cable, and the MAC address of the switch never shows up, right? – Allexj Dec 31 '21 at 10:21
  • 2
    Sure, but that is not the point at all. It doesn't matter whether it's visible to the machine in general. What I was trying to say is that it's invisible at the link layer *that it provides;* as long as it achieves that, it doesn't matter how that's done underneath. (I think diagrams would often show this as two halves, "upper L2" which is the emulated Ethernet and "lower L2" which is the raw 802.11 link.) – u1686_grawity Dec 31 '21 at 10:33
  • thanks a lot !!!! – Allexj Dec 31 '21 at 16:29
  • @Allexj You can do the equivalent thing with a switch via Ethernet cable. If you had a monitor *on the link to the switch* you would see that the packet is on the physical cable *that goes to the switch*, not to the device. So if you look in the right place, you will see that the packet is bound for the switch. What the "right place" is, of course, differs slightly. – David Schwartz Dec 31 '21 at 22:01
  • It is also possible to send wifi frames directly between stations, then the 3rd and 4th MAC address fields in the 802.11 frame would go unused. – Simon Richter Jan 02 '22 at 04:01
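
The address layout discussed in the answer and comments, as an added example that is not part of the original posts: a small parser that maps Address 1 to 4 of a raw 802.11 data frame header to their roles using the To DS / From DS bits, and derives the (destination, source) pair that the emulated Ethernet header carries. It assumes a plain (non-A-MSDU) data frame with no radiotap header in front; the MAC addresses and frames are constructed samples.

```python
import struct

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def parse_data_header(frame):
    """Name the roles of Address 1-4 in a raw 802.11 data frame header."""
    if len(frame) < 24:
        raise ValueError("shorter than a 3-address 802.11 header")
    fc, _duration = struct.unpack_from("<HH", frame, 0)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and from_ds:            # 4-address (WDS) frame
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        dst, src, bssid = a3, frame[24:30], None
    elif to_ds:                      # station -> AP
        dst, src, bssid = a3, a2, a1
    elif from_ds:                    # AP -> station
        dst, src, bssid = a1, a3, a2
    else:                            # station -> station, no AP relay
        dst, src, bssid = a1, a2, a3
    return {"receiver": mac(a1), "transmitter": mac(a2),
            "destination": mac(dst), "source": mac(src),
            "bssid": mac(bssid) if bssid else None}

def emulated_ethernet(roles):
    """(dst, src) pair the emulated Ethernet header would carry."""
    return roles["destination"], roles["source"]

# Constructed sample addresses (locally administered), not from a real capture.
LAPTOP = bytes.fromhex("020000000001")
PHONE = bytes.fromhex("020000000002")
AP = bytes.fromhex("0200000000aa")

def header(fc, a1, a2, a3):
    return struct.pack("<HH", fc, 0) + a1 + a2 + a3 + b"\x00\x00"

UPLINK = header(0x0108, AP, LAPTOP, PHONE)    # To DS: laptop -> AP
DOWNLINK = header(0x0208, PHONE, AP, LAPTOP)  # From DS: AP -> phone

if __name__ == "__main__":
    for name, frame in (("uplink", UPLINK), ("downlink", DOWNLINK)):
        roles = parse_data_header(frame)
        print(name, roles, "ethernet view:", emulated_ethernet(roles))
```

Both hops of the same ping yield the same emulated Ethernet pair (phone as destination, laptop as source), while the receiver and transmitter fields change per hop and carry the AP's address.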