How are frames sent from router to guest in bridged mode?

[dstibrany]

Hi all,

I'm trying to better understand how networking works in bridged mode.

Specifically, I'm trying to understand how frames get from my router to the guest (and vice versa) at that layer 2 level.

Some basic system info:

Router:
IP: 192.168.1.1
MAC: 10:BF:48:E6:3A:4D

Host: Mac OSX 10.9.4
iface: en0 wireless
IP: 192.168.1.117
MAC: b8:f6:b1:1a:67:43

Guest: Ubuntu 12.04 64 bit
iface: eth0
IP: 192.168.1.115
MAC: 08:00:27:d3:87:e1

When I run tcpdump on my host, and curl google dot com from the guest, I notice the following headers
Layer 2 (src/dest): b8:f6:b1:1a:67:43 > 10:bf:48:e6:3a:4d,
Layer 3 (src/dest): 192.168.1.115.39061 > 74.125.226.129.80

However, when i run tcpdump on my guest, and curl google dot com from the guest, I get the following:
Layer 2: 08:00:27:d3:87:e1 > 10:bf:48:e6:3a:4d
Layer 3: 192.168.1.115.39061 > 74.125.226.129.80

I'm trying to understand why there is a discrepancy at the Layer 2 level, and to better understand what is truly happening at this level.

Intuitively, I would think that when I send packets from my guest to my router, at the Layer 2 level I would use the guest mac address as source and the router mac address as destination. Then when data comes back from google, my router would use the guest mac address as dest, and its own mac address as source (just like tcpdump
shows on the guest computer). However, I don't think this is what is happening because running arp -a on my router shows both guest and host IP pointing to the host mac address. So the router knows nothing about the guest MAC address.

Can anyone provide clarification as to what is truly happening at the layer 2 level and why tcpdump shows different layer 2 headers when run from guest and host?

[BillG]

The filtering happens at the NIC driver level. Specifically, the VirtualBox Bridged Network Driver works with the NIC driver to separate the traffic according to MAC address.

The router sends the traffic for both host and guests to the physical NIC. The filter driver and NIC driver forward it to the correct IP stack based on MAC addresses. The virtual NIC(s) "hijack" the physical NIC to get a connection to the physical network.

It gets more complicated with Wi-Fi.

[dstibrany]

Thanks for the reply.

So is it sort of like, the router forwards a frame to the host with the host's MAC address as destination,
then a new frame is created at the host with the guest's MAC address as destination?

[BillG]

More or less, depending on how you define the "host". It happens at the network layer, so the traffic going to the vm should never be seen by the host OS, only by the NIC driver and filter driver.

[dstibrany]

Thanks for the replies. This stuff is wild.

[BillG]

Networking is a very "interesting" subject. The Level2/Level3 model is fine and makes things easier to understand, but what actually happens in a real network can vary quite a lot, especially if you use equipment from a variety on manufacturers and software from different vendors.