What is responsible for dropping Layer 2 frames that's not addressed to it?
It's my understanding that if a network interface card (NIC) receives a Layer 1 packet, it will extract the Layer 2 frame from it, checks its destination MAC address, and if it is not addressed to it (or it's not a broadcast or multicast), it will drop it.
Is my understanding correct? If so, which component inside the NIC is responsible for this function? And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
mac-address interface packet-analysis
asked 18 hours ago
dayulolidayuloli
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
add a comment |
It's my understanding that if a network interface card (NIC) receives a Layer 1 packet, it will extract the Layer 2 frame from it, checks its destination MAC address, and if it is not addressed to it (or it's not a broadcast or multicast), it will drop it.
Is my understanding correct? If so, which component inside the NIC is responsible for this function? And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
mac-address interface packet-analysis
asked 18 hours ago
dayulolidayuloli
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Personally, for the purposes of network analysis via wireshark in these situations I prefer to use a port mirror or dedicated wireshark capture device. They can be had cheaply with USB interface and dump pcap files for you to analyze. I have never had much luck having consistent performance with promiscuous mode, especially if multiple virtualization layers are involved.
– crasic
7 hours ago
add a comment |
It's my understanding that if a network interface card (NIC) receives a Layer 1 packet, it will extract the Layer 2 frame from it, checks its destination MAC address, and if it is not addressed to it (or it's not a broadcast or multicast), it will drop it.
Is my understanding correct? If so, which component inside the NIC is responsible for this function? And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
mac-address interface packet-analysis
asked 18 hours ago
dayulolidayuloli
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
It's my understanding that if a network interface card (NIC) receives a Layer 1 packet, it will extract the Layer 2 frame from it, checks its destination MAC address, and if it is not addressed to it (or it's not a broadcast or multicast), it will drop it.
Is my understanding correct? If so, which component inside the NIC is responsible for this function? And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
mac-address interface packet-analysis
mac-address interface packet-analysis
asked 18 hours ago
dayulolidayuloli
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 18 hours ago
dayulolidayuloli
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 18 hours ago
dayulolidayuloli
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
asked 18 hours ago
dayulolidayuloli
1234
asked 18 hours ago
dayulolidayuloli
1234
1234
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
dayuloli is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
Personally, for the purposes of network analysis via wireshark in these situations I prefer to use a port mirror or dedicated wireshark capture device. They can be had cheaply with USB interface and dump pcap files for you to analyze. I have never had much luck having consistent performance with promiscuous mode, especially if multiple virtualization layers are involved.
– crasic
7 hours ago
add a comment |
Personally, for the purposes of network analysis via wireshark in these situations I prefer to use a port mirror or dedicated wireshark capture device. They can be had cheaply with USB interface and dump pcap files for you to analyze. I have never had much luck having consistent performance with promiscuous mode, especially if multiple virtualization layers are involved.
– crasic
7 hours ago
Personally, for the purposes of network analysis via wireshark in these situations I prefer to use a port mirror or dedicated wireshark capture device. They can be had cheaply with USB interface and dump pcap files for you to analyze. I have never had much luck having consistent performance with promiscuous mode, especially if multiple virtualization layers are involved.
– crasic
7 hours ago
Personally, for the purposes of network analysis via wireshark in these situations I prefer to use a port mirror or dedicated wireshark capture device. They can be had cheaply with USB interface and dump pcap files for you to analyze. I have never had much luck having consistent performance with promiscuous mode, especially if multiple virtualization layers are involved.
– crasic
7 hours ago
add a comment |
3 Answers
3
active
oldest
votes
The details of this are highly dependent on the hardware, but your description is correct: for many years now it is normally the network interface card which discards the frames which don't match the MAC address. This is an improvement from the old days, where every frame would interrupt the CPU which had to do this task.
In practice, every NIC can also be put into "promiscuous mode", where it will accept every frame. How this is done depends on the hardware, and therefore the operating system. If you're writing a program to do this in the manner of Wireshark, you'll find much help with the pcap library, but it's possible on Linux with raw sockets directly in promiscuous mode. All this would be a subject for https://stackoverflow.com/questions/tagged/pcap or https://stackoverflow.com/questions/tagged/promiscuous-mode
Additionally, most NIC hardware will accept other frames: broadcasts, "magic packets" for waking the CPU etc, and discard those with bad frame check sequence. The details are specific to each kind of NIC, but as an example, here are the facilities of one of the simplest ethernet interface chips, Microchip's ENC28J60, which describes its filters as follows:
8.0 RECEIVE FILTERS
To minimize the processing requirements of the host
controller, the ENC28J60 incorporates several different
receive filters which can automatically reject packets
which are not needed. Six different types of packet
filters are implemented: Unicast,
Pattern Match,
Magic Packet,
Hash Table,
Multicast,
Broadcast.
(From datasheet.)
I'd have just called this rather generically the "receive filtering unit" or "receive filter process".
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
add a comment |
Is there a way to configure the NIC to not drop these frames and pass
them through (e.g. for further analysis on Wireshark)?
Most NICs can be placed in "promiscuous" mode which will make them accept all frames, not just the ones addressed to it. The details depend on the NIC driver and operating system.
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
add a comment |
Is my understanding correct?
Yes.
If so, which component inside the NIC is responsible for this function?
Not sure if it has a specific name.
And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
Yes, this is known as "promiscuous mode", packet capture tools will often enable this by default.
However note that modern Ethernet networks use Switches rather than hubs. So in most cases frames not addressed to your computer will not reach your computer's NIC at all.
answered 17 hours ago
Peter GreenPeter Green
7,47621226
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "496"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
dayuloli is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f56193%2fwhat-is-responsible-for-dropping-layer-2-frames-thats-not-addressed-to-it%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
The details of this are highly dependent on the hardware, but your description is correct: for many years now it is normally the network interface card which discards the frames which don't match the MAC address. This is an improvement from the old days, where every frame would interrupt the CPU which had to do this task.
In practice, every NIC can also be put into "promiscuous mode", where it will accept every frame. How this is done depends on the hardware, and therefore the operating system. If you're writing a program to do this in the manner of Wireshark, you'll find much help with the pcap library, but it's possible on Linux with raw sockets directly in promiscuous mode. All this would be a subject for https://stackoverflow.com/questions/tagged/pcap or https://stackoverflow.com/questions/tagged/promiscuous-mode
Additionally, most NIC hardware will accept other frames: broadcasts, "magic packets" for waking the CPU etc, and discard those with bad frame check sequence. The details are specific to each kind of NIC, but as an example, here are the facilities of one of the simplest ethernet interface chips, Microchip's ENC28J60, which describes its filters as follows:
8.0 RECEIVE FILTERS
To minimize the processing requirements of the host
controller, the ENC28J60 incorporates several different
receive filters which can automatically reject packets
which are not needed. Six different types of packet
filters are implemented: Unicast,
Pattern Match,
Magic Packet,
Hash Table,
Multicast,
Broadcast.
(From datasheet.)
I'd have just called this rather generically the "receive filtering unit" or "receive filter process".
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
add a comment |
The details of this are highly dependent on the hardware, but your description is correct: for many years now it is normally the network interface card which discards the frames which don't match the MAC address. This is an improvement from the old days, where every frame would interrupt the CPU which had to do this task.
In practice, every NIC can also be put into "promiscuous mode", where it will accept every frame. How this is done depends on the hardware, and therefore the operating system. If you're writing a program to do this in the manner of Wireshark, you'll find much help with the pcap library, but it's possible on Linux with raw sockets directly in promiscuous mode. All this would be a subject for https://stackoverflow.com/questions/tagged/pcap or https://stackoverflow.com/questions/tagged/promiscuous-mode
Additionally, most NIC hardware will accept other frames: broadcasts, "magic packets" for waking the CPU etc, and discard those with bad frame check sequence. The details are specific to each kind of NIC, but as an example, here are the facilities of one of the simplest ethernet interface chips, Microchip's ENC28J60, which describes its filters as follows:
8.0 RECEIVE FILTERS
To minimize the processing requirements of the host
controller, the ENC28J60 incorporates several different
receive filters which can automatically reject packets
which are not needed. Six different types of packet
filters are implemented: Unicast,
Pattern Match,
Magic Packet,
Hash Table,
Multicast,
Broadcast.
(From datasheet.)
I'd have just called this rather generically the "receive filtering unit" or "receive filter process".
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
add a comment |
The details of this are highly dependent on the hardware, but your description is correct: for many years now it is normally the network interface card which discards the frames which don't match the MAC address. This is an improvement from the old days, where every frame would interrupt the CPU which had to do this task.
In practice, every NIC can also be put into "promiscuous mode", where it will accept every frame. How this is done depends on the hardware, and therefore the operating system. If you're writing a program to do this in the manner of Wireshark, you'll find much help with the pcap library, but it's possible on Linux with raw sockets directly in promiscuous mode. All this would be a subject for https://stackoverflow.com/questions/tagged/pcap or https://stackoverflow.com/questions/tagged/promiscuous-mode
Additionally, most NIC hardware will accept other frames: broadcasts, "magic packets" for waking the CPU etc, and discard those with bad frame check sequence. The details are specific to each kind of NIC, but as an example, here are the facilities of one of the simplest ethernet interface chips, Microchip's ENC28J60, which describes its filters as follows:
8.0 RECEIVE FILTERS
To minimize the processing requirements of the host
controller, the ENC28J60 incorporates several different
receive filters which can automatically reject packets
which are not needed. Six different types of packet
filters are implemented: Unicast,
Pattern Match,
Magic Packet,
Hash Table,
Multicast,
Broadcast.
(From datasheet.)
I'd have just called this rather generically the "receive filtering unit" or "receive filter process".
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
The details of this are highly dependent on the hardware, but your description is correct: for many years now it is normally the network interface card which discards the frames which don't match the MAC address. This is an improvement from the old days, where every frame would interrupt the CPU which had to do this task.
In practice, every NIC can also be put into "promiscuous mode", where it will accept every frame. How this is done depends on the hardware, and therefore the operating system. If you're writing a program to do this in the manner of Wireshark, you'll find much help with the pcap library, but it's possible on Linux with raw sockets directly in promiscuous mode. All this would be a subject for https://stackoverflow.com/questions/tagged/pcap or https://stackoverflow.com/questions/tagged/promiscuous-mode
Additionally, most NIC hardware will accept other frames: broadcasts, "magic packets" for waking the CPU etc, and discard those with bad frame check sequence. The details are specific to each kind of NIC, but as an example, here are the facilities of one of the simplest ethernet interface chips, Microchip's ENC28J60, which describes its filters as follows:
8.0 RECEIVE FILTERS
To minimize the processing requirements of the host
controller, the ENC28J60 incorporates several different
receive filters which can automatically reject packets
which are not needed. Six different types of packet
filters are implemented: Unicast,
Pattern Match,
Magic Packet,
Hash Table,
Multicast,
Broadcast.
(From datasheet.)
I'd have just called this rather generically the "receive filtering unit" or "receive filter process".
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
edited 17 hours ago
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
answered 17 hours ago
jonathanjojonathanjo
11.2k1934
11.2k1934
add a comment |
add a comment |
Is there a way to configure the NIC to not drop these frames and pass
them through (e.g. for further analysis on Wireshark)?
Most NICs can be placed in "promiscuous" mode which will make them accept all frames, not just the ones addressed to it. The details depend on the NIC driver and operating system.
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
add a comment |
Is there a way to configure the NIC to not drop these frames and pass
them through (e.g. for further analysis on Wireshark)?
Most NICs can be placed in "promiscuous" mode which will make them accept all frames, not just the ones addressed to it. The details depend on the NIC driver and operating system.
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
add a comment |
Is there a way to configure the NIC to not drop these frames and pass
them through (e.g. for further analysis on Wireshark)?
Most NICs can be placed in "promiscuous" mode which will make them accept all frames, not just the ones addressed to it. The details depend on the NIC driver and operating system.
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
Is there a way to configure the NIC to not drop these frames and pass
them through (e.g. for further analysis on Wireshark)?
Most NICs can be placed in "promiscuous" mode which will make them accept all frames, not just the ones addressed to it. The details depend on the NIC driver and operating system.
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
answered 17 hours ago
Ron TrunkRon Trunk
35.3k33372
35.3k33372
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
add a comment |
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
And, Wireshark normally does this automatically. There's a checkbox.
– immibis
9 hours ago
add a comment |
Is my understanding correct?
Yes.
If so, which component inside the NIC is responsible for this function?
Not sure if it has a specific name.
And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
Yes, this is known as "promiscuous mode", packet capture tools will often enable this by default.
However note that modern Ethernet networks use Switches rather than hubs. So in most cases frames not addressed to your computer will not reach your computer's NIC at all.
answered 17 hours ago
Peter GreenPeter Green
7,47621226
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
add a comment |
Is my understanding correct?
Yes.
If so, which component inside the NIC is responsible for this function?
Not sure if it has a specific name.
And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
Yes, this is known as "promiscuous mode", packet capture tools will often enable this by default.
However note that modern Ethernet networks use Switches rather than hubs. So in most cases frames not addressed to your computer will not reach your computer's NIC at all.
answered 17 hours ago
Peter GreenPeter Green
7,47621226
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
add a comment |
Is my understanding correct?
Yes.
If so, which component inside the NIC is responsible for this function?
Not sure if it has a specific name.
And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
Yes, this is known as "promiscuous mode", packet capture tools will often enable this by default.
However note that modern Ethernet networks use Switches rather than hubs. So in most cases frames not addressed to your computer will not reach your computer's NIC at all.
answered 17 hours ago
Peter GreenPeter Green
7,47621226
Is my understanding correct?
Yes.
If so, which component inside the NIC is responsible for this function?
Not sure if it has a specific name.
And is there a way to configure the NIC to not drop these frames and pass them through (e.g. for further analysis on Wireshark)?
Yes, this is known as "promiscuous mode", packet capture tools will often enable this by default.
However note that modern Ethernet networks use Switches rather than hubs. So in most cases frames not addressed to your computer will not reach your computer's NIC at all.
answered 17 hours ago
Peter GreenPeter Green
7,47621226
answered 17 hours ago
Peter GreenPeter Green
7,47621226
answered 17 hours ago
Peter GreenPeter Green
7,47621226
answered 17 hours ago
Peter GreenPeter Green
7,47621226
7,47621226
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
add a comment |
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
Intelligent switches generally allow a port to be put into "monitor mode", which causes all frames to be forwarded to that port. You would do this on the port connected to the PC where you're running the packet capture.
– Barmar
13 hours ago
add a comment |
dayuloli is a new contributor. Be nice, and check out our Code of Conduct.
dayuloli is a new contributor. Be nice, and check out our Code of Conduct.
dayuloli is a new contributor. Be nice, and check out our Code of Conduct.
dayuloli is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Network Engineering Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fnetworkengineering.stackexchange.com%2fquestions%2f56193%2fwhat-is-responsible-for-dropping-layer-2-frames-thats-not-addressed-to-it%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Personally, for the purposes of network analysis via wireshark in these situations I prefer to use a port mirror or dedicated wireshark capture device. They can be had cheaply with USB interface and dump pcap files for you to analyze. I have never had much luck having consistent performance with promiscuous mode, especially if multiple virtualization layers are involved.
– crasic
7 hours ago