Wireshark : How to capture full Ethernet (link layer) header

I'm doing some research on network traffic analysis with Wireshark. Machine: MacBook Pro, Ventura 13.3.1(a). In Wireshark, I want to check the Ethernet (Data Link layer) headers. I have captured the trace (snapshot as below).


According to the OSI model, the Ethernet layer should have the following headers: [Preamble, Dst MAC, Src MAC, Type, Data, FCS]. I am interested in checking the FCS value. Unfortunately, I am unable to see this in Wireshark. It seems the NIC is dropping any bad FCS (not passing it to Wireshark). Is there any way that I can force the NIC to pass bad FCS to Wireshark for analysis?


Thank you,

Ayaz

MacBook Pro 13″, macOS 11.6

Posted on Jul 21, 2023 4:51 PM


Jul 21, 2023 5:10 PM in response to AyazMamud

I don’t know of a way to do that.


I would not expect a NIC to present a bad packet up to the host.


That processing is part of CSMA/CD, and happens in the NIC.


macOS does have a packet trace mode: Recording a Packet Trace | Apple Developer Documentation


When I have needed something similar, mirroring a switch port has worked well.


Maybe ask the folks that maintain the Wireshark app if they know of a way to do this? (Please let us know, too.)
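For the FCS field discussed in this thread, an added example (not part of either post) that splits captured Ethernet II frame bytes into the fields listed in the question, computes the FCS the frame should carry, and reports whether the capture ends in a matching FCS. It assumes the bytes start at the destination MAC with no preamble; the sample frame and the names `parse_frame`, `compute_fcs` and `has_valid_fcs` are constructed for illustration.

```python
import struct
import zlib

ETH_HEADER_LEN = 14          # dst MAC (6) + src MAC (6) + EtherType (2)
CRC32_RESIDUE = 0x2144DF1C   # zlib.crc32 over any frame followed by its correct FCS

# Constructed sample: broadcast dst, locally administered src, IPv4 EtherType,
# 46 zero bytes of payload. No FCS appended, as in a typical host capture.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + struct.pack("!H", 0x0800) + bytes(46))


def compute_fcs(frame_without_fcs: bytes) -> bytes:
    """Return the 4 FCS bytes in wire order (CRC-32, least significant byte first)."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)


def has_valid_fcs(frame: bytes) -> bool:
    """True if the last 4 bytes of `frame` are the correct FCS for the rest."""
    if len(frame) < ETH_HEADER_LEN + 4:
        return False
    return (zlib.crc32(frame) & 0xFFFFFFFF) == CRC32_RESIDUE


def parse_frame(frame: bytes) -> dict:
    """Split a frame into header fields, payload and FCS information.

    Heuristic: a trailing FCS is recognised only when it verifies, so a
    capture that carries a corrupted FCS looks the same as one with no FCS.
    """
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:ETH_HEADER_LEN])
    verified = has_valid_fcs(frame)
    body_end = len(frame) - 4 if verified else len(frame)
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "payload": frame[ETH_HEADER_LEN:body_end],
        "fcs": frame[body_end:].hex() if verified else None,
        "expected_fcs": compute_fcs(frame[:body_end]).hex(),
    }


if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))                              # capture without FCS
    print(parse_frame(SAMPLE_FRAME + compute_fcs(SAMPLE_FRAME)))  # capture with FCS
```

When a capture source such as a mirrored switch port does deliver the trailing 4 bytes, comparing them with `expected_fcs` shows whether the frame arrived intact.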
