Networking Deep Dive
by Sergey Okinchuk
Chapter 2: The Link LayerSwitches and the Forwarding Table
Ethernet Frames and MAC Addresses
Topic 06

Ethernet Frames and MAC Addresses

Ethernet

Ethernet is the framing that turns a stream of bits on a wire into discrete, addressed units. It wraps a payload in a header carrying a destination and source MAC address, an EtherType that names what is inside, and a trailing checksum that lets the receiver throw away anything that arrived corrupted. On every wired LAN you will ever touch, this is the structure a packet rides inside for each hop of its journey.

A MAC address is 48 bits — six bytes, written as aa:bb:cc:11:22:33 — and it is meaningful only on the local segment. It is not routable, it never travels end to end the way an IP address does, and the layer-2 header gets stripped and rebuilt at every router. The whole point of Ethernet is to get a frame from one port to the next port on the same wire; everything above it is somebody else's problem.

The Ethernet Frame Layout

A frame on the wire starts with a 7-byte preamble and a 1-byte start-of-frame delimiter that let the receiver's clock lock onto the bit stream — these are not part of the frame the software sees. Then comes the structure that matters: a 6-byte destination MAC, a 6-byte source MAC, a 2-byte EtherType, the payload, and a 4-byte frame check sequence. The header before the payload is 14 bytes total, which is the overhead you subtract from any link when computing how much real data fits.

The payload ranges from 46 to 1500 bytes on standard Ethernet. The 1500-byte ceiling is the MTU covered in Topic 10; the 46-byte floor exists because a frame must be at least 64 bytes on the wire for collision detection to work on legacy half-duplex segments, so short payloads get padded. Destination first, then source, is the order on the wire — a switch reads the destination it needs before it has finished receiving the rest of the frame.

# the MAC of an interface and the frame fields tcpdump decodes
ip link show eth0
# link/ether dd:ee:ff:44:55:66 brd ff:ff:ff:ff:ff:ff
tcpdump -e -n -i eth0
# dd:ee:ff:44:55:66 > aa:bb:cc:11:22:33, ethertype IPv4 (0x0800), length 98
The Ethernet frame, field by field, in wire order
Preamble + SFD
8 B
Dst MAC
6 B
Src MAC
6 B
EtherType
2 B
Payload
46–1500 B
FCS
4 B

MAC Address Structure

The first 24 bits of a MAC are the Organizationally Unique Identifier (OUI), assigned by the IEEE to a vendor; the last 24 bits are assigned by that vendor to the device. That split is what makes a factory-burned MAC globally unique — Apple, Intel, and Cisco each own OUI ranges, and tools that show vendor names are just looking the OUI up in a table. The address burned into the NIC is the default, not a law.

Two bits in the first byte carry meaning beyond identity. The least-significant bit of the first byte is the I/G bit: 0 means unicast, 1 means the frame is multicast or broadcast. The next bit is the U/L bit, which flips to 1 when an address is locally administered rather than vendor-burned. The all-ones address ff:ff:ff:ff:ff:ff is the broadcast address — every host on the segment must receive and process it.

The Frame Check Sequence

The 4-byte frame check sequence is a CRC-32 computed over the header and payload. The sender computes it and appends it; every receiver recomputes it and compares. If the values disagree, the frame is corrupt and gets silently dropped — there is no negative acknowledgment, no request to resend, nothing sent back to the source. Ethernet detects corruption and discards; it never repairs.

That distinction is the whole design philosophy of the link layer. Error correction would mean carrying redundant bits to reconstruct the original, which costs bandwidth on every frame to fix the rare bad one. Ethernet instead pushes recovery up the stack: a dropped frame becomes a missing TCP segment, and TCP retransmits it. The link layer's job is to make sure you never accept garbage, not to make sure nothing is ever lost.

EtherType and What the Frame Carries

The 2-byte EtherType field tells the receiver how to interpret the payload, so the right protocol handler gets it. 0x0800 is IPv4, 0x86DD is IPv6, 0x0806 is ARP, and 0x8100 signals an 802.1Q VLAN tag follows. Without this field the receiver would have a blob of bytes and no idea whether to hand it to the IP stack, the ARP handler, or somewhere else.

Values of 1500 or below in that field instead mean the older 802.3 length encoding rather than a type, a historical wrinkle that almost no current traffic uses. In practice you read the EtherType to answer one question fast in a capture: is this an IP packet, an ARP exchange, or a tagged VLAN frame? It is the demultiplexing key for the entire layer above.

Unicast vs Broadcast vs Multicast MAC

Unicast targets exactly one interface — the I/G bit is 0 and the destination is a specific burned-in or assigned MAC. A switch that has learned where that MAC lives forwards the frame out one port only, which is the normal, efficient case for almost all traffic.

Broadcast uses the all-ones address ff:ff:ff:ff:ff:ff and reaches every host in the broadcast domain — ARP requests and DHCP discovers ride it. Every NIC must lift it to the CPU, so heavy broadcast traffic taxes every machine on the segment, not just the intended one.

Multicast sets the I/G bit but targets a group address, so only hosts that joined the group process it while others drop it in hardware. Choose it for one-to-many streams (video, routing protocols) where broadcast would needlessly wake every host and unicast would mean N copies.

Common Mistakes
  • Treating a MAC address as immutable identity. It is the default burned in at the factory, but ip link set eth0 address changes it in software in one command — relying on MAC for access control or licensing is trivially defeated by spoofing.
  • Expecting the FCS to fix a corrupted frame. The frame check sequence only detects corruption and drops the frame; there is no retransmit at layer 2, so a flaky cable shows up as silent loss and rising TCP retransmits, not as repaired data.
  • Forgetting that broadcast traffic hits every host's CPU. A frame to ff:ff:ff:ff:ff:ff is lifted off the wire by every NIC in the domain, so a chatty broadcast protocol on a large flat segment burns cycles on machines that have nothing to do with it.
  • Reading the destination MAC as the original sender on an inbound frame. The source MAC on a frame arriving from off-segment is your last-hop router, not the remote client, because the layer-2 header was rewritten at the last hop.
  • Ignoring the EtherType when a capture looks wrong. Filtering for IP and missing an ARP storm or a stray VLAN tag wastes time — the EtherType is the field that tells you whether you are even looking at the protocol you think you are.
Best Practices
  • Read the I/G bit (the low bit of the first MAC byte) to classify a destination at a glance: even first octet means unicast, odd means multicast or broadcast. It tells you instantly whether a frame is meant for one host or many.
  • Size upper-layer payloads against the MTU, not the wire frame: the 1500-byte MTU is already the IP payload, so a TCP MSS is 1500 − 20 (IP) − 20 (TCP) = 1460 — the 14-byte Ethernet header and 4-byte FCS sit outside the MTU, not inside it. A VLAN tag adds 4 bytes to the frame on the wire (1518 → 1522), so the path must accept the larger frame, but it does not shrink the IP MTU.
  • Look up the OUI of an unknown MAC to identify the vendor when tracing a rogue or unexpected device, since the first three bytes map to a manufacturer and narrow down what the device actually is.
  • Treat rising FCS error counters on a switch port as a physical-layer problem — a bad cable, connector, or optic — and replace the link, rather than chasing it in software where the dropped frames will never surface.
  • Keep broadcast domains small with VLANs or routed boundaries so broadcast and unknown-unicast flooding stay contained, instead of letting one flat layer-2 domain tax every host with traffic it does not need.
Comparable conceptsWi-Fi (802.11 frames)InfiniBand (alternative L2)

Knowledge Check

A switch port shows a climbing FCS error count. What is actually happening to those frames?

  • Each failing frame is silently dropped, because the FCS detects corruption but cannot repair it
  • The switch sends a request back to the original sender asking it to retransmit each corrupted frame over that same port
  • The FCS reconstructs the damaged bytes from its checksum and forwards the fixed frame
  • The frame is flooded out every port so some copy may arrive intact

Why does a frame addressed to ff:ff:ff:ff:ff:ff cost more than a unicast frame on a busy segment?

  • Every host in the broadcast domain must accept it and process it on the CPU, not just the intended one
  • The switch pads it out to a much larger size than an ordinary unicast frame, so it occupies far more of the link for longer
  • The switch waits for an acknowledgment from each host before it forwards the next frame
  • It carries a second checksum that each receiver must verify before accepting it

What does the EtherType field let a receiving host do?

  • Hand the payload to the correct protocol, such as IPv4, IPv6, or ARP
  • Identify precisely which network interface on the receiving host the frame is actually addressed to
  • Verify that the frame's payload arrived without corruption
  • Choose the next-hop MAC for forwarding the frame onward

You got correct