Ask Your Question
0

Missing MAC addresses in pcap.

asked 2023-06-02 13:42:17 +0000

chronicinquiry gravatar image

Recently all of my clients have been sending pcaps that appear to be missing MAC addresses. I'll have 10 MAC and 100 IPs. At first I thought maybe this was a user error at the time of collection and they were filtering out Layer 2, but it's started happening all of the sudden, among different clients, using different switch vendors.

I am starting to wonder if a new Wireshark update might have changed some default capture settings. Has anyone else experienced this?

edit retag flag offensive close merge delete

Comments

What do you mean by "missing MACs"? How have you determined the MAC address is missing?

grahamb gravatar imagegrahamb ( 2023-06-02 13:44:39 +0000 )edit
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2023-06-02 15:23:32 +0000

chronicinquiry gravatar image

When I go to Statistics > Endpoint, there aren't MAC addresses for every IP. I think I figured it out. They are collecting the traffic that has passed through a router, so the MACs have been dropped.

edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2023-06-02 13:42:17 +0000

Seen: 548 times

Last updated: Jun 02 '23

Related questions

Why do I see Ethernet frames that exceed the MTU + Ethernet header size?

Why if I am connected via WiFi and send a packet to another device in the same WiFi, the dest MAC in link layer is not the AP's?

When/why would a device send a frame with ethertype 0x86dd (IPv6) but it's actually an IPv4 packet?

name resolution

Decode G.722 on Mac

How to capture ethernet traffic?

Error on Mac! Could not create profiles directory? Help!

Cannot access Ethernet interfaces with Wireshark Portable unless I install full WinPCap?

Detect non-connected devices in range of WiFi (for counting purposes)

How to see the FCS in Ethernet frames?