The main data structure used by Ethernet is the frame. The frame has a number of defined fields, including the MAC addresses of the destination and originating hosts in a packet transmission. Because the destination address comes first, a host needs to read only the first 48 bits of a packet to determine whether it has reached its ultimate destination. If the destination MAC address does not match the local MAC address, the contents of the packet do not need to be read. However, the snoop command can be used to extract the content of packets that are not destined for the local MAC address, assuming that you are using a hub and not a switch. This is why it's important to encrypt the contents of packets being transmitted across the Internet: they can be trivially "sniffed" by using programs like snoop. In addition to the destination and originating MAC addresses, the frame also contains a data field of 46–1500 bytes and a cyclic redundancy check of 4 bytes. The data field contains all of the data encapsulated by higher-level protocols, such as the Internet Protocol (IP).
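The frame layout described above can be walked through in code. The following Python is an added example, not part of the original text: it builds one frame, applies the 48-bit destination check, and then parses the data field and CRC the way a capture tool would. The MAC addresses and payload are constructed, and the 2-byte type field between the source address and the data is assumed from the standard Ethernet II layout.

```python
import struct
import zlib

# Constructed sample values (not from the original text).
HOST_A = bytes.fromhex("0800200a0b0c")   # intended recipient
HOST_B = bytes.fromhex("0800200d0e0f")   # another host on the same hub
SENDER = bytes.fromhex("080020010203")
PAYLOAD = b"USER alice PASS example-only"  # unencrypted application data

def build_frame(dst, src, ethertype, payload):
    """Build a frame: pad data to the 46-byte minimum, append the 4-byte CRC."""
    body = dst + src + struct.pack("!H", ethertype) + payload.ljust(46, b"\x00")
    return body + struct.pack("<I", zlib.crc32(body))

def accepts(frame, local_mac):
    """The check a normal host makes using only the first 48 bits.
    Broadcast and multicast addresses are not handled here."""
    return frame[:6] == local_mac

def parse_frame(frame):
    """Split a frame into its fields and verify the CRC, as a sniffer would."""
    if not 64 <= len(frame) <= 1518:
        raise ValueError("frame length outside 64-1518 bytes")
    body, fcs = frame[:-4], frame[-4:]
    dst, src, ethertype = struct.unpack("!6s6sH", body[:14])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,
        "data": body[14:],
        "crc_ok": struct.pack("<I", zlib.crc32(body)) == fcs,
    }

FRAME = build_frame(HOST_A, SENDER, 0x0800, PAYLOAD)

if __name__ == "__main__":
    print("host A accepts:", accepts(FRAME, HOST_A))
    print("host B accepts:", accepts(FRAME, HOST_B))
    # A capture tool reads the data field regardless of the destination.
    fields = parse_frame(FRAME)
    print(fields["dst"], "<-", fields["src"], "crc ok:", fields["crc_ok"])
    print("data field:", fields["data"].rstrip(b"\x00"))
```

Host B rejects the frame on the address check, yet the parsed data field is readable in full, which is the exposure that encrypting the payload removes.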
Exercise 33-1 Identifying Ethernet traffic

Log in to your system as root. Use the snoop command to sniff network packets. Can you discern the data field within the Ethernet frame?