Frames are the units of communication in the data link layer. Packets from the network layer are passed to the link layer, where they are encapsulated into frames. If a frame is too large, it is divided further before being sent to the receiver. At the receiver’s end, the hardware picks up the signal and reconstructs it into frames.
The frame formed from a packet has a frame header that contains the frame’s source and destination addresses and the control bytes.
The link layer is only concerned with getting a frame to the next adjacent node on the physical medium. In Wireshark, the main item of interest at this layer is the Organizationally Unique Identifier (OUI), which is the first three bytes of any Ethernet address.
There is usually no need to change the link-layer header type in Wireshark, but in some cases it can be changed. The exceptions are as follows:
- If the device is connected to Ethernet (802.3), we may be offered a choice between Ethernet and DOCSIS. If the device is using a Cisco Cable Modem Termination System that is putting DOCSIS traffic onto the Ethernet, choose “DOCSIS”; otherwise choose “Ethernet”.
- If the device is connected to an 802.11 network, we may be offered a choice between Ethernet and 802.11. Choosing Ethernet produces captured packets that have fake Ethernet headers, while choosing 802.11 produces packets with IEEE 802.11 headers. If the application that will read the packets doesn’t support 802.11 headers, choose Ethernet.
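
The frame header, the OUI and the link-layer header type described above can be seen together in a capture file. The following is an added example, not code from the original page: it reads the link-layer header type recorded in a classic pcap file header and, only when that type is Ethernet, splits the first frame's header into destination, source, OUI and EtherType. It goes slightly beyond the text by also checking the locally administered bit, which tells an analyst when the first three bytes are not a vendor OUI. The function names are hypothetical, the link-type numbers (1, 105, 143) are the pcap file format's values rather than anything stated on this page, and the sample capture bytes are constructed.

```python
import struct

# Link-layer header type numbers as stored in a pcap file header.
LINKTYPES = {1: "Ethernet", 105: "IEEE 802.11", 143: "DOCSIS"}

def read_linktype(pcap: bytes):
    """Return (byte_order, linktype) from the 24-byte pcap global header."""
    if len(pcap) < 24:
        raise ValueError("truncated pcap global header")
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if order is None:
        raise ValueError("unsupported pcap magic number")
    return order, struct.unpack(order + "I", pcap[20:24])[0]

def parse_ethernet_header(frame: bytes) -> dict:
    """Split the 14-byte Ethernet II header into its fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "src_oui": src[:3].hex(":"),  # first three bytes of the address
        # Bit 0x02 of the first byte marks a locally administered address,
        # whose leading bytes are not a vendor-assigned OUI.
        "src_locally_administered": bool(src[0] & 0x02),
        "ethertype": struct.unpack("!H", frame[12:14])[0],
    }

def first_frame_summary(pcap: bytes) -> dict:
    """Decode the first record only when the file's link type is Ethernet."""
    order, linktype = read_linktype(pcap)
    name = LINKTYPES.get(linktype, f"unknown ({linktype})")
    if linktype != 1:
        return {"linktype": name}  # 802.11 and DOCSIS headers differ in layout
    if len(pcap) < 40:
        raise ValueError("no packet record after the global header")
    incl_len = struct.unpack(order + "I", pcap[32:36])[0]
    return {"linktype": name, **parse_ethernet_header(pcap[40:40 + incl_len])}

def build_sample_pcap(linktype: int = 1) -> bytes:
    """Constructed one-packet capture: broadcast ARP-typed frame, zero payload."""
    frame = bytes.fromhex("ffffffffffff" "00005e005301" "0806") + bytes(46)
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)
    record = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return header + record + frame

if __name__ == "__main__":
    print(first_frame_summary(build_sample_pcap()))
    print(first_frame_summary(build_sample_pcap(105)))
```

A tool that assumes Ethernet headers without checking the recorded link type would misread an 802.11 or DOCSIS capture, which is why the example refuses to decode those records.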