I am using the boot_emac_flash project with my own application. I load boot_emac_flash at 0x0 and my application is loaded at 0x4000. A software command in my application calls a routine that duplicates the code in the boot_demo_emac_flash file and I have traced it down to where it calls the bootloader in function SoftwareUpdateBegin. What I am seeing in Wireshark is a constant UDP packet of 72 bytes that contains the MAC address. The bootloader is in the UpdateBOOTP main application loop.