Ask Your Question
0

Why if I am connected via WiFi and send a packet to another device in the same WiFi, the dest MAC in link layer is not the AP's?

asked 2021-12-31 08:39:46 +0000

allexj gravatar image

In IEEE 802.11 protocol, in the link frame, the second address is the sender mac address, and the first address is the receiver mac address, which is the AP address if the sender is a station, and the destination station if the sender is the AP.

So in my case, since I am sniffing the packets with Wireshark from my perspective, if I send ICMP for example, I should see my mac as the second address, and the AP mac as the first address.

But:

enter image description here

The Src address is my machine. The Dst address is my phone, which is the device I was giving the ICMP packets to. The same thing in reverse in the response packet.

Also the link layer shows as "Ethernet", but I am connected via wifi, so it should appear IEEE 802.11, but I have seen here that wifi interfaces often present themselves as Ethernet interfaces, so they present Ethernet translated packets, to make it easy for the OS to manage them, or something like that...

edit retag flag offensive close merge delete
add a comment

2 Answers

Sort by ยป oldest newest most voted
0

answered 2022-01-01 19:48:51 +0000

Guy Harris gravatar image

Also the link layer shows as "Ethernet", but I am connected via wifi, so it should appear IEEE 802.11, but I have seen here that wifi interfaces often present themselves as Ethernet interfaces, so they present Ethernet translated packets, to make it easy for the OS to manage them, or something like that...

Yes.

So, unless, as Jaap suggests, you capture in monitor mode, that's what the interface and its driver will do. You won't see 802.11 headers, which means you won't see the "receiver address" or "transmitter address"; if a frame is transmitted from a station with the MAC address XX:XX:XX:XX:XX:XX to a station with the MAC address YY:YY:YY:YY:YY:YY, the source address will be XX:XX:XX:XX:XX:XX and the destination address will be YY:YY:YY:YY:YY:YY, even though the frame may initially be sent to an AP with the MAC address ZZ:ZZ:ZZ:ZZ:ZZ:ZZ - ZZ:ZZ:ZZ:ZZ:ZZ:ZZ will be the "receiver address" of the frame, but YY:YY:YY:YY:YY will be the destination address of the frame.

edit flag offensive delete link more

Comments

thanks !

allexj gravatar imageallexj ( 2022-01-02 21:11:30 +0000 )edit
add a comment
0

answered 2021-12-31 09:38:37 +0000

Jaap gravatar image

That's what Monitor mode in the capture options is for.

edit flag offensive delete link more

Comments

ok thx x

allexj gravatar imageallexj ( 2022-01-02 21:11:35 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2021-12-31 08:39:46 +0000

Seen: 236 times

Last updated: Jan 01 '22

Related questions

Detect non-connected devices in range of WiFi (for counting purposes)

what is the capture/display filter to get RSSI information of WiFi users?

What is the difference between wlan.duration and wlan_radio.duration

File upload stalling, many "bad" TCP packages

Why do I get an error when setting monitor mode if the interface is monitor mode capable?

When/why would a device send a frame with ethertype 0x86dd (IPv6) but it's actually an IPv4 packet?

name resolution

Decode G.722 on Mac

How to capture ethernet traffic?

Data packets not captured

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2