Missing MAC addresses in pcap.

asked 2023-06-02 13:42:17 +0000

chronicinquiry gravatar image

Recently all of my clients have been sending pcaps that appear to be missing MAC addresses. I'll have 10 MAC and 100 IPs. At first I thought maybe this was a user error at the time of collection and they were filtering out Layer 2, but it's started happening all of the sudden, among different clients, using different switch vendors.

I am starting to wonder if a new Wireshark update might have changed some default capture settings. Has anyone else experienced this?

What do you mean by "missing MACs"? How have you determined the MAC address is missing?

grahamb gravatar imagegrahamb ( 2023-06-02 13:44:39 +0000 )edit

answered 2023-06-02 15:23:32 +0000

chronicinquiry gravatar image

When I go to Statistics > Endpoint, there aren't MAC addresses for every IP. I think I figured it out. They are collecting the traffic that has passed through a router, so the MACs have been dropped.

Asked: 2023-06-02 13:42:17 +0000

Seen: 365 times

Last updated: Jun 02