🔌

MAC Address

A MAC (Media Access Control) address is a unique 48-bit identifier assigned to each physical network interface. The first 24 bits (OUI) identify the manufacturer, the last 24 the specific device. It operates at layer 2 of the OSI model.

The MAC address is the hardware identifier of a network interface: your Ethernet card, your WiFi chip, your Bluetooth adapter. It's globally unique (in theory) and burned into the device's ROM at the factory.

It's 48 bits (6 bytes) represented in hexadecimal, typically separated by colons or hyphens: 00:1A:2B:3C:4D:5E or 00-1A-2B-3C-4D-5E. Some systems use dots every 4 digits: 001A.2B3C.4D5E (Cisco style).

It operates at layer 2 of the OSI model (data link). While IPv4/IPv6 work at the network level (layer 3) and route between networks, MAC addresses only work within the same local network (LAN). When your PC sends a packet to the router, it uses the router's IP but the router's MAC to deliver it physically.

The ARP (Address Resolution Protocol) translates IPs to MACs: your PC broadcasts "who has 192.168.1.1?" and the router responds "I do, my MAC is XX:XX:XX:XX:XX:XX". Your PC caches that and sends the Ethernet frame with that destination MAC.

The 48 bits are divided into two parts:

OUI (Organizationally Unique Identifier): the first 24 bits (3 bytes). Identifies the manufacturer. IEEE assigns these blocks to companies that manufacture network hardware. Example: 00:1A:2B might belong to Cisco, 3C:22:FB to Apple.

You can look up the manufacturer of any MAC in databases like maclookup.app. Useful for identifying unknown devices on your network: that MAC starting with B8:27:EB is a Raspberry Pi.

NIC (Network Interface Controller): the last 24 bits (3 bytes). It's the unique identifier within the manufacturer's block. The manufacturer assigns these numbers sequentially as they produce devices.

Complete example: 3C:22:FB:1A:2B:3C. The first 3 bytes (3C:22:FB) are Apple's OUI, the last 3 (1A:2B:3C) identify this specific iPhone among millions of Apple devices.

Within the OUI, the least significant bit of the first byte indicates unicast vs multicast: if 0, it's unicast (single recipient), if 1, it's multicast. The second bit indicates global vs local: 0 = globally unique (assigned by IEEE), 1 = locally administered (can be customized).

OSI layer: MAC works at layer 2 (link), IP at layer 3 (network). MAC delivers frames within a segment, IP routes packets between networks.

Scope: MAC only matters on the local LAN. When a packet crosses a router to another network, the MAC changes (rewritten with the next hop's MAC), but the source/destination IP remains the same throughout the journey.

Assignment: MAC is fixed (burned into hardware, though software-changeable), IP is dynamic (assigned by DHCP or configured manually).

Readability: IP is designed to be read and memorized by humans (8.8.8.8), MAC is not (except for techs who see them all day).

Postal analogy: IP is your complete address (street, city, country), MAC is the person's name at that address. Mail uses the address to reach the city, but needs the name to deliver to the right person inside the building.

MAC spoofing is changing your MAC address via software. It's trivial on any OS: ifconfig eth0 hw ether XX:XX:XX:XX:XX:XX on Linux, GUI apps on Windows/Mac.

Legitimate uses:

  • Privacy: avoid MAC tracking on public WiFis (Android 10+ randomizes MACs automatically on new networks).
  • Testing: simulate multiple devices from one machine.
  • Repair: replace a broken network card, copy the old MAC so the ISP doesn't require reauthorization.

Malicious uses:

  • Bypass MAC filters on routers (weak security mechanism anyway).
  • Man-in-the-middle attacks: spoof the gateway's MAC to intercept traffic.
  • Evade licensing or access control systems based on MAC.

MAC filtering as security: your router allows "only connect these MACs". Useless: anyone with WiFi access can see authorized MACs (they're broadcast) and spoof themselves. Better: WPA3, strong passwords, VLANs for segmentation.

802.1X (EAP) is real network-level authentication: the device must present credentials (certificate or user/password) before the switch/AP assigns an IP. Common in enterprises, ignores MAC.

Examples

  • 00:1A:2B:3C:4D:5E — standard format with colons
  • 3C-22-FB-1A-2B-3C — format with hyphens (Windows)
  • 001A.2B3C.4D5E — Cisco format (dots every 4 hex)
  • B8:27:EB:XX:XX:XX — Raspberry Pi Foundation OUI
  • FF:FF:FF:FF:FF:FF — broadcast address (all devices on LAN)

FAQ

Can two devices have the same MAC?

In theory no: manufacturers must assign unique MACs. In practice: collisions happen due to manufacturing errors, cheap cloning, or spoofing. On the same LAN causes chaos (ARP conflict). On different LANs, no problem.

Is MAC filtering secure for my WiFi?

No. It's trivial to spoof a MAC. Anyone capturing WiFi traffic sees authorized MACs. Only gives false sense of security. Use WPA3, strong password, and if you need segregation, VLANs + 802.1X.

Why does my phone show different MACs on different WiFi networks?

Android 10+, iOS 14+ use MAC randomization for privacy. Each WiFi network sees a different MAC (but consistent for that network). Prevents tracking between locations. You can disable it per network in advanced settings.