Layer 2, Network Frames, Wireshark

Posted: September 25, 2010 in Infrastructure Management and Disaster Recovery
Here’s a poser for my infrastructure-y friends: how do you find the MAC address of a remote server using Wireshark?

I know the following to be true because I have access to these machines directly:
00:0c:29:dc:f9:d1     00:0c:85:27:44:40       00:0c:29:8a:60:29

If I ping the Server from the client and then interrogate the packets in Wireshark I see the folowing:
Ethernet II (Layer 2): Destination: 00:0c:85:27:44:40
IP: Destination:

So I pinged the Server but the Layer 2 destination is Router.

Why? Is this because access to the Server is only through the Router, therefore that is the destination? Is it because the Server is on a different subnet to the Client? I’m a bit lost.

[UPDATE] A response from a friend of mine clears the whole thing up!

Answer… as te blog won’t let me post a reply of this length.

Q. "how do you find the MAC address of a remote server"
A. You cannot, directly.
Q. "Why? Is this because……?"
A. Yes.

To explain: IP sits at Layer 3 and is based on logical addressing (the IP address), as such this is abstracted from Layer 2 which is based on physical addressing (the MAC address).

You will see in in a packet trace if you ping for anything not in your ARP table, the first packet seen is the local machine sending an ARP request. If the destination machine is on the same IP subnet, it will reply with it’s MAC address so physical communication can happen at Layer 2.

If the machine isn’t on the local subnet, your machine will ARP for the default router IP address. Your machine will then physically send packets to that router, if you look in the trace the IP destination is the actual destination – the Layer 2 & 3 no longer directly correspond.

It’s a bit like you posting a letter, if it’s in your street then you just walk down and post it yourself, you know the physical (MAC) address of the destination. Anything else, you don’t care about the physical location (MAC address) as you address the envelope (IP address) and put it in the postbox (the router for which you have the physical location for), you don’t physically care where the destination is so don’t need to know the MAC address.

I presume they have discussed the OSI 7 layer Model? if not, then will sort you out.
Does that help?


  1. Jeremy says:

    HHmmm, typed a reply but got "Sorry, the comment you entered is too long. Please shorten it." Editing it down, but what is the limit?

  2. Jeremy says:

    Have sent you an e-mail to your Anglia e-mail, as I cannot get a reply to fit into a comment!

  3. Steve says:

    Yes, Live Spaces comments 100% suck. Very 1998.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s