Strange MAC address on Wireshark screen

1

I am trying to see Wi-Fi (802.11) packets through Wireshark.

Here's the information for my wireless interface:

$ ifconfig
wlan1    Link encap:Ethernet HWaddr c0:f8:da:21:ce:68
         # and so on blahblah

$ iwconfig
wlan1    IEEE 802.11abgn  ESSID:"myAccessPoint"
         Mode:Managed  Frequency:2.432 GHz  Access Point: 00:26:66:C4:80:FC
         #and so on blahblah

When I execute Wireshark and change the mode of wlan1 to "monitor" in order to use "802.11 plus radiotap header", ifconfig and iwconfig show different things:

$ ifconfig
wlan1    Link encap:UNSPEC HWaddr C0-F8-DA-21-CE-68-00-00-00-00-00-00-00-00-00-00
         # and so on blahblah

$ iwconfig
wlan1    IEEE 802.11abgn  Mode:Monitor  Frequency:2.432 GHz  Tx-Power=16 dBm
         # and so on blahblah

(I.e., the hardware address has had ten 00 octets appended.  And, oddly enough, it is now shown with capital letters instead of lower case.)  I've injected several null data frames with aireplay-ng and captured them with Wireshark (EfmNetwo_... is an access point):

Wireshark screen capture

I am quite sure that e0:99:71:57:9b:3a is the MAC address of the wireless interface on my machine, since the content of the packets seems to be what I've injected.

The strange thing is, I've never seen such a MAC address in ifconfig and iwconfig. I think something like a virtual interface is generated and that interface has such a MAC address.

Is what I said correct? If so, is there another way to see that MAC address from outside of Wireshark?

If what I said is wrong, could someone explain such a strange MAC address?

Jeon

Posted 2015-09-04T08:48:18.573

Reputation: 173

According to Vendor/Ethernet/Bluetooth MAC Address Lookup and Search the manufacturer for this MAC address c0:f8:da:21:ce:68 is "Hon Hai Precision Industry Co., Ltd., trading as Foxconn Technology Group". Foxconn make motherboards with integrated network adapters. Does that help?

– DavidPostill – 2015-09-04T09:51:08.300

Answers

0

> And, oddly enough, it is now shown with capital letters instead of lower case.

That's completely irrelevant. People can choose, in their applications, to display hex digits with capital letters or with lower-case letters, as well as choosing to use a colon or a dash as a separator between octets; it's all a matter of the personal taste of the developer, or of the conventions established for the software. (Notice that two Linux commands, ifconfig and iwconfig, have different conventions - ifconfig uses lower-case letters for the interface MAC address, while iwconfig uses capital letters for the access point MAC address.)

> When I execute Wireshark and change the mode of wlan1 to "monitor" in order to use "802.11 plus radiotap header", ifconfig and iwconfig show different things:

I would consider that either a bug in the Linux kernel or in ifconfig. Either the kernel isn't reporting the MAC address as being a 6-octet IEEE-style MAC address merely because the interface is in monitor mode, which is completely silly, or it is reporting something that makes sense but that confuses ifconfig into thinking it's not an IEEE-style MAC address and is just treating it as a maximum-length hardware address of unknown type.

Note that the first 6 octets are the same as when you're not in monitor mode, and that 10 more octets gives a total of 16 octets, which is a power of 2 (a common choice for maximum field sizes), so ifconfig is probably somehow (whether due to a Linux kernel bug or an ifconfig bug) convinced that the address is 16 octets long and is printing 10 extra conveniently-zeroed-out padding octets.

So don't worry, be happy - in monitor mode, the adapter's MAC address is still c0:f8:da:21:ce:68 or C0-F8-DA-21-CE-68 or however various programs might choose to represent it.

user164970

Posted 2015-09-04T08:48:18.573

Reputation:
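
The answer's point, as an added Python example that is not part of the original post: the different spellings of a hardware address, including the 16-octet zero-padded form, reduce to one canonical 6-octet address that can be compared across tools. The helper names `normalize_hwaddr` and `find_hwaddrs` are hypothetical; the sample lines are the ifconfig and iwconfig output quoted in the question.

```python
import re

# Octets separated by ':' or '-', as ifconfig and iwconfig print them.
_HWADDR_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2})+")
MAC_LEN = 6        # IEEE 802 MAC address length in octets
PADDED_LEN = 16    # length of the padded form shown in the question


def normalize_hwaddr(text):
    """Return the 6-octet MAC as lower-case, colon-separated hex.

    Accepts ':' or '-' separators, either letter case, and the 16-octet
    form whose last ten octets are zero padding. Raises ValueError for
    anything else, so a genuinely different address is never truncated.
    """
    octets = re.split(r"[:-]", text.strip().lower())
    if any(re.fullmatch(r"[0-9a-f]{2}", o) is None for o in octets):
        raise ValueError(f"not a hex octet string: {text!r}")
    if len(octets) == PADDED_LEN:
        if any(o != "00" for o in octets[MAC_LEN:]):
            raise ValueError(f"non-zero padding in: {text!r}")
        octets = octets[:MAC_LEN]
    if len(octets) != MAC_LEN:
        raise ValueError(f"unexpected length {len(octets)}: {text!r}")
    return ":".join(octets)


def find_hwaddrs(tool_output):
    """Extract and normalize every hardware address found in tool output."""
    found = []
    for match in _HWADDR_RE.finditer(tool_output):
        try:
            found.append(normalize_hwaddr(match.group(0)))
        except ValueError:
            continue  # e.g. a timestamp such as 08:48:18, not a MAC
    return found


# Output lines taken from the question above.
MANAGED = "wlan1    Link encap:Ethernet HWaddr c0:f8:da:21:ce:68"
MONITOR = ("wlan1    Link encap:UNSPEC HWaddr "
           "C0-F8-DA-21-CE-68-00-00-00-00-00-00-00-00-00-00")
IWCONFIG = "Mode:Managed  Frequency:2.432 GHz  Access Point: 00:26:66:C4:80:FC"

if __name__ == "__main__":
    print(find_hwaddrs(MANAGED), find_hwaddrs(MONITOR), find_hwaddrs(IWCONFIG))
```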