The Ethernet section offers settings that allow the sanitization of the Ethernet layer, which basically means MAC addresses. An important detail is the fact that when you chose to replace MAC addresses in this section it will also affect any other layer that contains that kind of address information. For example ARP frames contain MAC addresses simply because it works as a link layer resolution protocol. As you can see there is no ARP section in the section tree, but that doesn't mean that ARP frames will not be sanitized - they will just be sanitized according to the MAC address settings you specify for the Ethernet layer.



Replace MAC addresses by list: When a MAC address is found in a frame, either as part of the Ethernet layer, or in an ARP frame, it will be compared to the "Original MAC" address in the list and replaced by the specified "Replacement MAC" if it was found. If you have a list of MAC addresses in a comma separated file you can import them by using the popup menu of the list. You can also export a list if you want to keep it for another task to avoid having to enter it all over again manually. When you add addresses the input dialog will expect the addresses in the format of "xx:xx:xx:xx:xx:xx" and only enable the "Add" buttons when the format is valid.


Randomize MAC address octets: When this setting is active and a MAC that had been found in a frame was not already processed by the MAC address list (either because it wasn't in it, or the setting wasn't enabled), it will be randomized. You can optionally keep the first three octets of the address, which are the vendor specific values that allows looking up who the MAC address range was assigned to. If you do not choose to keep the vendor informaton, the randomization process will always set the first octet to 0xf2, for three reasons: first of all, the "locally administered bit" is set to indicate that this MAC address is not coming from the official IEEE list. Second, there is no entry with that first byte in the Wireshark manuf file so it should not be mistaken for something that its not. And third, it will make it easier to see that it has been sanitized.


Recalculate CRC: Ethernet frames may or may not come with a Frame Check Sequence (FCS) in the trace file. Most analyzers do not or can not store the FCS, but if you have a capture which includes the FCS you can recalculate it after sanitization.