At the data link layer, Ethernet specifies what the data should look like, including the header and trailer. The protocol is defined by IEEE 802.3 and actually divides the data link layer into two sublayers: the Logical Link Control (LLC) sublayer and the Media Access Control (MAC) sublayer.
802.3 specifies a sublayer within Ethernet called the Ethernet Media Access Control sublayer. This acts as an interface between the physical layer and the higher-level services of a network interface.
Technically 802.3 defines both a Media Access Control (MAC) frame and a MAC packet.
An Ethernet MAC frame includes a destination address, source address, length/type, payload plus padding and finally a frame check sequence (FCS).
An Ethernet MAC Packet encapsulates the MAC frame, adding a preamble and a 'start of frame' delimiter.
Most texts (and engineers) will use ‘frame’ or ‘Ethernet frame’ to refer to the complete ‘Ethernet Packet’ from the preamble to the FCS. When people refer to a packet, they will almost always be referring to an IP packet at the internet layer.
The most common form of an Ethernet PDU is summarised below.
Length: 7 bytes (56 bits)
The Ethernet Preamble is a series of alternating ‘1s’ and ‘0s’ which enables a receiver to synchronise with the transmitter.
Length: 1 byte (8 bits)
The start of frame delimiter indicates to the receiver the end of the preamble and therefore the beginning of the other Ethernet header content.
The MAC address of the intended recipient, or recipients of the frame.
The MAC address of the sender.
This field is typically used to indicate the length of the client data / payload being encapsulated. For a basic Ethernet frame, the maximum length of the client data is 1500 bytes and the minimum is 46 bytes.
Data from a higher layer which is being encapsulated. This is most often an IPv4 or IPv6 packet. To fit in a typical frame, the maximum length of the packet is 1500 bytes. Therefore, we say that the layer 3 Maximum Transmission Unit (MTU) is 1500 bytes for Ethernet.
Because the minimum length of a payload is 46 bytes, if the payload is less than that then padding is added.
The Ethernet FCS is a cyclic redundancy check which allows the recipient to check whether the data has been corrupted.
Ethernet frames include a source and a destination Media Access Control (MAC) address. Generally, each interface on a network will have a MAC address – whether it’s a port on a switch, a network interface card (NIC) in a computer or a WiFi chip in a phone. There are also special addresses for sending frames to multiple recipients.
All MAC addresses are 48 bits (6 bytes) long and are typically represented using hexadecimal (hex) notation. If the first bit of the destination address is 0, the address is a unicast address which means that it is intended for a single recipient. If the first bit is 1 then the address indicates a group address.
Messages being sent to a single device use a unicast or individual address. It is important that each device on a network has a unique Ethernet address so that frames get sent to the correct device. To ensure this, all ethernet hardware is assigned a globally unique MAC address for each interface by the manufacturer.
Consequently, MAC addresses are also called burned in addresses (BIA).
Some operating systems, or software make it possibly to alter the MAC address of a given interface. This can be done for privacy reasons, network requirements (for example, networking with virtual machines) or for more nefarious purposes.
Unicast addresses are formed of two equal parts: an Organizationally Unique Identifier for the manufacturer and an interface specific identifier.
Length: 24 bits (3 bytes)
Every vendor of Ethernet equipment should have their own unique OUI which has been assigned by the IEEE.
Length: 24 bits (3 bytes)
The vendor is responsible for assigning the last 24 bits which should an identifier unique to that manufacture so that now two devices have the same address.
Other MAC addresses may be associated with none or more devices on a network.
Multicast addresses may be used to send messages to a specific group of devices on a network. The details of operation must be configured at a higher layer. For example, the Cisco Discovery Protocol (CDP) uses multicast addresses.
The broadcast address is used to send a frame to all devices on the local area network. The broadcast address has all bits set to ‘1’ which is FF:FF:FF:FF:FF:FF in hex.