Why, if I am connected via Wi-Fi and send a packet to another device in the same Wi-Fi, the dest MAC address in the link layer is not the AP's?

In the IEEE 802.11 protocol, in the link frame, the second address is the sender MAC address, and the first address is the receiver MAC address, which is the AP address if the sender is a station, and the destination station if the sender is the AP.

So in my case, since I am sniffing the packets with Wireshark from my perspective, if I send ICMP for example, I should see my MAC address as the second address, and the AP MAC address as the first address.

But:


The source address is my machine. The destination address is my phone, which is the device I was giving the ICMP packets to. The same thing in reverse in the response packet.

Also, the link layer shows as "Ethernet", but I am connected via Wi-Fi, so it should appear as IEEE 802.11. However, I have seen here that Wi-Fi interfaces often present themselves as Ethernet interfaces, so they present Ethernet-translated packets, to make it easy for the OS to manage them, or something like that...


Solution 1:

You're seeing an emulated Ethernet header that's provided by the OS (or by the Wi-Fi adapter's firmware; I am not quite sure which).

The real 802.11 header is deliberately hidden from you, and the link type always says "Ethernet" – it's not the OS trying to make management simpler; it's because the specification says so. Per the 802.11 specification, Wi-Fi interfaces are supposed to present an 802.3-compatible link layer to the upper layers, to allow it to be directly bridged to an actual Ethernet, even though they use something more complex under the hood. (I think it's not too different from using a "media converter" for other "Ethernet over XYZ" technologies like HomePlug or ADSL.)

To see the real 802.11 header that's being sent/received, you'll have to enable "monitor mode" for Wireshark. In it there would be three MAC addresses – sender, receiver, and AP.

(The station is assumed to be either the sender or the receiver. However, there exists a "4-address" mode for wireless bridging aka WDS, where you have source, destination, AP, and station MAC addresses all in the same frame.)

> In the IEEE 802.11 protocol, in the link frame, the second address is the sender MAC address, and the first address is the receiver MAC address, which is the AP address if the sender is a station, and the destination station if the sender is the AP.

No, not quite like that.

Wi-Fi access points are bridges, and like wired switches they're meant to be invisible at the link layer. If the sender is a station, the destination is not the AP – it's the actual destination host's MAC address, because how else would the bridge know where to deliver the packet? It doesn't look at the IP header; that's what routers do.

(Unless, of course, the destination is a router that's the same device as the AP, in which case the destination MAC address will typically be very similar to the AP's BSSID, sometimes even the same, or only differing in a single bit. This may be the common case when accessing the Internet over a home gateway – but don't draw assumptions from it.)

The real 802.11 header does carry the AP's MAC address as well, but in a third field separately from the original sender and recipient. If you enable "monitor mode" to capture 802.11 frames, you'll see that frames from a station have two destination MAC addresses.

(Though don't get confused by Wireshark's dissector, which shows the same fields twice under two different names – some of them actually correspond to the same bytes.)
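
The address layout described in the answer, as an added example that is not part of the original post: it decodes a raw 802.11 data-frame header using the standard's ToDS/FromDS address roles and derives the destination/source pair that the emulated Ethernet header shows. The MAC addresses, sample frames and function names are constructed for illustration.

```python
# Address 1..4 roles for each (ToDS, FromDS) pair in an 802.11 data frame.
ROLES = {
    (0, 0): ("DA", "SA", "BSSID"),      # no AP involved (IBSS / direct)
    (1, 0): ("BSSID", "SA", "DA"),      # station -> AP
    (0, 1): ("DA", "BSSID", "SA"),      # AP -> station
    (1, 1): ("RA", "TA", "DA", "SA"),   # 4-address mode (WDS)
}

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_data_header(frame: bytes) -> dict:
    """Decode the MAC header of a raw 802.11 data frame (radiotap already stripped)."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    if (frame[0] >> 2) & 0x3 != 2:          # frame-control type field: 2 = data
        raise ValueError("not a data frame")
    to_ds, from_ds = frame[1] & 0x01, (frame[1] >> 1) & 0x01
    roles = ROLES[(to_ds, from_ds)]
    offsets = (4, 10, 16, 24)[:len(roles)]  # Address 4 follows Sequence Control
    if len(frame) < offsets[-1] + 6:
        raise ValueError("truncated 4-address header")
    hdr = {"to_ds": to_ds, "from_ds": from_ds,
           "receiver": mac(frame[4:10]), "transmitter": mac(frame[10:16])}
    for role, off in zip(roles, offsets):
        hdr[role] = mac(frame[off:off + 6])
    return hdr

def ethernet_view(hdr: dict) -> tuple:
    """(dst, src) as shown in the emulated Ethernet header of a non-monitor capture."""
    return hdr["DA"], hdr["SA"]

# Constructed sample addresses and frames (not taken from the question's capture).
LAPTOP = bytes.fromhex("020000000001")
PHONE = bytes.fromhex("020000000002")
AP = bytes.fromhex("0200000000aa")

def build(flags: int, a1: bytes, a2: bytes, a3: bytes) -> bytes:
    # FC byte 0 = 0x08 (data, subtype 0), flags byte, Duration, A1-A3, Sequence Control
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00"

UPLINK = build(0x01, AP, LAPTOP, PHONE)     # laptop -> AP, ToDS=1
DOWNLINK = build(0x02, PHONE, AP, LAPTOP)   # AP -> phone, FromDS=1

if __name__ == "__main__":
    for name, frame in (("uplink", UPLINK), ("downlink", DOWNLINK)):
        hdr = parse_data_header(frame)
        print(name, "receiver", hdr["receiver"], "transmitter", hdr["transmitter"],
              "ethernet dst/src", ethernet_view(hdr))
```

Both frames yield the same Ethernet-style pair (phone as destination, laptop as source), while the AP appears only as receiver on the uplink and transmitter on the downlink.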