linuxlab.io
Tutorials▾
  • Linux & networking
    File system, processes, TCP/IP, BGP and OSPF
    →
  • Terraform & IaC
    HCL, state, plan/apply on a LocalStack sandbox
    →
  • Git & GitHub
    Object model, plumbing, branching, GitHub Actions
    →
All tutorials →
PricingAboutSign inCreate account
/
  • Introduction
  • Lessons
  • How it works
  • Simulator
  • Knowledge base
  • Interview prep
Index
Categories
All entries
Footer
linuxlab-TutorialsPricingAboutPrivacy & cookies
Copyright © 2026 LinuxLab. All rights reserved.
home/linux/kb/Networking: L2 / L3/ethernet-frame

kb/network-l2-l3 ── Networking: L2 / L3 ── intermediate

Ethernet Frame

An Ethernet frame is the L2 transmission unit: dst-MAC, src-MAC, EtherType, payload (usually an IP packet), FCS checksum. Standard MTU is 1500 bytes.

view as markdownaka: ethernet, ethernet-header, frame

Frame structure

[ Preamble ] [ Dst MAC ] [ Src MAC ] [ EtherType ] [    Payload    ] [ FCS ]
     7+1         6           6            2          46 - 1500          4
  • Preamble + SFD (8 bytes): physical-layer synchronization; rarely visible in tcpdump output because the NIC strips it before passing the frame up
  • Dst MAC / Src MAC: see mac-address
  • EtherType: identifies the payload protocol:
    • 0x0800 - IPv4
    • 0x0806 - arp
    • 0x86DD - IPv6
    • 0x8100 - 802.1Q VLAN tag
  • Payload: the actual content (an IP packet in most cases)
  • FCS: Frame Check Sequence (CRC32) for integrity verification; the NIC checks it automatically, and tcpdump normally does not show it

MTU and fragmentation

MTU (Maximum Transmission Unit) is the maximum payload size of a frame. Standard Ethernet is 1500 bytes. That space breaks down as:

  • 20 bytes IPv4 header
  • 20 bytes TCP header (no options)
  • 1460 bytes available for TCP payload, which is the MSS (Maximum Segment Size)

If an IP packet exceeds the MTU and the DF (Don't Fragment) bit is not set, the router splits it into fragments. In IPv6, fragmentation happens only at the source (ICMP "Packet Too Big" tells the sender to reduce its packet size).

Lower MTU values appear in VPN tunnels (IPsec/WireGuard ~1420), PPPoE (~1492). Jumbo frames go up to 9000 bytes, used inside data centers to reduce header overhead.

Knowing your MTU matters for performance. Packets larger than the MTU are dropped without any explicit error at the application level, especially through VPNs.

VLAN tagging

When a frame travels over a trunk link carrying multiple VLANs, a 4-byte 802.1Q tag is inserted between Src MAC and EtherType. The tag carries the VLAN ID and priority bits. EtherType becomes 0x8100, and the original EtherType (0x0800 for IP) follows after the tag.

You can see this as eth0.100 (VLAN 100 on eth0), or explicitly with tcpdump -e:

vlan 100, p 0, ethertype IPv4 (0x0800), 10.0.0.1 > 10.0.0.2: ...

Where to look

In the arp table you find IP-to-MAC pairs. In [[#cmd-tcpdump|tcpdump]] output with the -e flag you see frame headers. In /sys/class/net/<iface>/mtu you read the current MTU.

§ команды

bash
ip link show eth0 | awk '/mtu/ {print}'

Show the MTU of the interface

bash
sudo ip link set eth0 mtu 9000

Set the MTU to 9000 (jumbo frames inside a data center); requires switch support and matching MTU on both ends

bash
sudo tcpdump -nei eth0 -c 5

The -e flag makes tcpdump print source and destination MAC addresses for each frame

bash
ping -M do -s 1500 8.8.8.8

-M do sets Don't Fragment; -s 1500 sends a 1500-byte payload. If the path MTU is smaller you will see an ICMP 'frag needed' reply

bash
tracepath 8.8.8.8

Discover the Path MTU, the smallest MTU along the route to the destination

§ см. также

  • mac-addressMAC AddressMAC address is a 48-bit hardware identifier for a network interface, written as `aa:bb:cc:dd:ee:ff`. It is unique within an L2 segment and is used in [[ethernet-frame]] for L2 addressing.
  • arpARP: Address Resolution ProtocolARP answers the question "who has MAC = ?" for a given IP inside one network. Linux keeps the result in the neighbor table (`ip neigh`).
  • vlan-and-trunkVLAN: 802.1Q Virtual LAN and Trunk PortsVLAN logically splits one physical switch into multiple L2 segments. The 802.1Q tag adds 4 bytes to an Ethernet frame with a VLAN ID (12 bits, up to 4094 VLANs). Trunk = multiple VLANs on a port, access = one.
  • linux-bridgeLinux Bridge: Software SwitchA bridge is a software L2 switch in the Linux kernel. It learns MACs in the FDB and forwards frames between interfaces. It underpins the Docker default network, KVM bridge, and libvirt. With vlan_filtering it emulates a managed switch.
Footer
linuxlab-
Copyright © 2026 LinuxLab. All rights reserved.
Tutorials
Pricing
About
Privacy & cookies