Donate

MAC Address Lookup

Validate a MAC address and decode OUI and address-type flags
MAC Address Lookup

Validate a MAC address, normalize its format, and decode key details like OUI prefix and unicast/multicast bits.

How MAC address lookup works

A MAC address contains 48 bits (12 hex characters). The first 24 bits are the OUI prefix, and the last 24 bits identify the device interface.

This tool validates common formats, normalizes to standard forms, and decodes key flags that indicate unicast/multicast and local vs universal administration.

When MAC address lookup is useful

MAC address analysis is most valuable during local network diagnostics, device inventory audits, and hardware verification. Unlike IP addresses, which change with routing and NAT, a MAC address is typically tied to a specific physical or virtual network interface. That makes it useful for identifying which vendor manufactured a network adapter, confirming whether an address is locally administered (common with VMs and containers), and checking if the address targets a single device (unicast) or a group (multicast).

IT and network administrators commonly use OUI lookups to verify that devices on a LAN match expected hardware vendors. For example, if a network scan returns an unfamiliar MAC prefix, an OUI check can reveal whether it belongs to a known manufacturer or appears to be randomized, which modern mobile devices often do for privacy. Security teams may use MAC analysis when investigating rogue access points or unauthorized devices on managed networks.

MAC addresses operate at Layer 2 (data link layer) and are not visible beyond the local network segment. They are not routed across the internet the way IP addresses are. This means MAC lookup is a complementary diagnostic, not a replacement for IP-based investigation. For traffic attribution beyond the LAN, continue with ASN Lookup to identify the announcing network, Reverse DNS to check PTR records, or WHOIS / RDAP for registration details.

Real OUI examples and what they reveal

Recognizing common OUI prefixes makes a network scan readable at a glance. Apple owns large blocks including 00:1F:5B, 3C:07:54, and the newer F0:18:98 range - if a MAC sits in any Apple OUI, the interface is almost certainly an iPhone, iPad, Mac, or Apple TV. Samsung Electronics holds 00:23:39, 5C:0A:5B, and dozens of others; Samsung is the most-fragmented vendor in the OUI registry because each factory and product line has historically requested its own prefix.

Networking gear has its own tells. Cisco's classic 00:0C:CE and 00:1B:67 prefixes indicate enterprise switches and routers. Ubiquiti's 24:5A:4C and F0:9F:C2 point at UniFi access points. Dell's 00:14:22 covers server NICs from the PowerEdge era - useful for inventory audits when you need to separate workstations from server hardware on a flat LAN. TP-Link's 50:C7:BF prefix is the signature for consumer routers and powerline adapters in residential environments.

Virtual machine OUIs are deliberately reserved and easy to spot. VMware uses 00:50:56, 00:0C:29, and 00:1C:14. VirtualBox has its own range starting 08:00:27. Microsoft Hyper-V uses 00:15:5D. Containers managed by Docker default to 02:42: which is locally administered - that bit pattern alone tells you the address was generated programmatically rather than burned into hardware. Recognizing these helps separate physical devices from virtualization noise during a security review or inventory pass.

MAC address pitfalls during real investigations

MAC address randomization is the single biggest cause of "vendor unknown" results today. iOS 14+ randomizes the MAC per SSID by default. Android 10+ does the same. Windows 10 and later randomize on supported adapters when "use random hardware addresses" is enabled. The bit that flags this is the second-least-significant bit of the first octet - if it is set, the address is locally administered (random) and will not match a registered OUI. Treat randomized MACs as expected for client devices on modern networks rather than as evidence of tampering.

MAC spoofing is operationally cheap and means MAC-based access control should never be your only security layer. Any user with admin rights on a laptop can change the MAC in seconds and impersonate a different device. Use MAC addresses for inventory and diagnostics, but pair them with 802.1X, certificate-based authentication, or VLAN segmentation for actual access control. A MAC ACL alone is a courtesy lock - useful for keeping casual neighbors off guest Wi-Fi, not for enforcing security policy.

MAC addresses also do not survive routing. Once a packet crosses a router, the source MAC is replaced by the router interface MAC for the next hop. That means a remote attacker you investigate via firewall logs will only show the MAC of your immediate upstream gateway, never the original attacker's hardware. For anything beyond the LAN, you need to pivot to IP, ASN, and reverse DNS context. MAC investigation is strictly a local-segment activity.

Finally, the OUI registry lags real manufacturing. New prefixes are assigned by the IEEE on an ongoing basis, and the public databases that lookup tools rely on get updated irregularly. A genuinely new device can return "unknown vendor" simply because the database has not refreshed yet, not because the address is invalid or randomized. Always check the date stamp on whatever OUI database you are consulting before treating "unknown" as a red flag.

What MAC lookup does not show

  • It does not reveal a person, exact location, or account identity.
  • It does not replace IP/ASN/WHOIS ownership checks.
  • Vendor-level OUI attribution can change and should be validated for compliance workflows.
  • Randomized MAC addresses (used by iOS, Android, and Windows for privacy) will not match a real hardware vendor OUI.
  • Virtual machines and containers often use locally administered addresses that do not trace back to a physical manufacturer.

For network-path diagnostics, continue with ASN Lookup, Reverse DNS, and WHOIS / RDAP Lookup.

Frequently asked questions

What is a MAC address?
A MAC address is a hardware interface identifier, usually shown as 12 hex characters (for example 00:1A:2B:3C:4D:5E).
What is OUI in a MAC address?
OUI is the first 24 bits (first 6 hex characters) of a MAC address, used to identify the registered organizational prefix.
What is the difference between unicast and multicast MAC?
The least significant bit of the first octet indicates individual (unicast) or group (multicast) addressing.
Can MAC lookup find my exact device location?
No. MAC lookup is a format and protocol-level analysis tool. It does not provide physical geolocation.
Can MAC lookup identify the exact device owner?
No. A MAC lookup can identify a registered vendor prefix or address type, but it cannot identify the person, account, or exact device owner behind a network interface.
Why does my phone show an unknown or changing vendor?
Modern phones and laptops often use randomized private MAC addresses on Wi-Fi networks. Randomized addresses may not match a public vendor prefix and can change between networks.