MAC Address Lookup
Lookup vendor and manufacturer details from MAC address OUI prefixes for device identification, asset triage, and network audits.
What is MAC Address Lookup?
MAC address lookup identifies the manufacturer of a network device from the first six hexadecimal characters of its MAC address. Those six characters (24 bits) form the OUI — Organizationally Unique Identifier — which the IEEE assigns to hardware vendors. Every network interface card, Wi-Fi adapter, switch port, and Bluetooth device ships with a MAC address burned in at the factory, and the OUI prefix permanently identifies who made it.
MAC lookup is used in network inventory, security auditing, device fingerprinting, rogue device detection, and troubleshooting unknown entries in DHCP tables, ARP caches, and switch MAC address tables.
MAC Address Format
A standard MAC address is 48 bits written as six pairs of hexadecimal octets:
| Format | Example |
|---|---|
| Colon-separated (Unix/Linux) | 00:1A:2B:3C:4D:5E |
| Hyphen-separated (Windows) | 00-1A-2B-3C-4D-5E |
| Dot-separated (Cisco) | 001A.2B3C.4D5E |
| Undelimited | 001A2B3C4D5E |
The OUI is the first three octets: 00:1A:2B. Everything after is the device-specific NIC (Network Interface Controller) identifier assigned by the manufacturer.
OUI Vendor Reference (Common Prefixes)
| OUI Prefix | Vendor | Typical Devices |
|---|---|---|
| 00:50:56 | VMware | Virtual NICs |
| 00:0C:29 | VMware | VMware Workstation VMs |
| 52:54:00 | QEMU/KVM | Virtual machines |
| 00:1A:11 | Chromecast, Nest | |
| B8:27:EB | Raspberry Pi Foundation | Raspberry Pi 3 |
| DC:A6:32 | Raspberry Pi Trading | Raspberry Pi 4 |
| 00:17:F2 | Apple | MacBooks, iPhones |
| AC:BC:32 | Apple | Modern Apple devices |
| 00:50:43 | 3Com | Legacy switches |
| 00:0D:60 | Cisco | Network equipment |
| 00:1B:54 | Cisco | Catalyst switches |
| 00:26:B9 | Dell | PowerEdge servers |
| F0:DE:F1 | Intel | NIC adapters |
Locally Administered vs Universally Administered
The second-least-significant bit of the first octet determines whether a MAC is universally administered (manufacturer-assigned) or locally administered (manually set or randomised):
| Bit value | Type | Meaning |
|---|---|---|
| 0 | UAA (Universally Administered) | OUI lookup is valid — address is factory-burned |
| 1 | LAA (Locally Administered) | OUI lookup is meaningless — address is overridden |
MAC address randomisation — Modern mobile operating systems (iOS 14+, Android 10+, Windows 10 21H1+) randomise the MAC address for each Wi-Fi network by default. This makes OUI lookups unreliable for device identification on wireless networks unless the device reveals its real MAC.
The multicast bit is the least-significant bit of the first octet. FF:FF:FF:FF:FF:FF is the broadcast address.
CLI Commands
# Show MAC addresses on Linux
ip link show
# or
cat /sys/class/net/eth0/address
# Show ARP cache (IP-to-MAC mapping)
arp -n
# or
ip neigh show
# Show switch MAC address table (Cisco IOS)
show mac address-table
# Find a MAC in DHCP leases (Linux dhcpd)
grep "00:1a:2b:3c:4d:5e" /var/lib/dhcpd/dhcpd.leases
# Lookup OUI from command line
curl "https://api.macvendors.com/00:1A:2B:3C:4D:5E"
# nmap — discover MACs on local subnet
sudo nmap -sn 192.168.1.0/24 | grep -E "MAC|Nmap scan"
Common Use Cases
Rogue device detection — If an unknown MAC appears in your switch's address table or DHCP lease list, the OUI prefix identifies the hardware vendor. A consumer device OUI appearing in a server VLAN is an immediate red flag.
Network inventory — When building an asset register, MAC lookups automate vendor tagging without needing to physically inspect each device. Combine ARP sweeps with OUI lookups for bulk classification.
Virtual machine identification — VMware, QEMU, and Hyper-V each have registered OUI ranges. A MAC resolving to a VM vendor OUI on a physical-device VLAN indicates a virtualised workload connected incorrectly.
Wireless network troubleshooting — When a device connects but fails DHCP, the MAC in your wireless controller logs tells you what vendor made the adapter. This narrows firmware incompatibility searches significantly.
Security auditing — MAC-based NAC (Network Access Control) policies require accurate OUI data to build allow/deny rules. Verify OUIs before writing policies.
Limitations of MAC Lookup
MAC addresses operate at Layer 2 (the data link layer) and are not routed across networks. You can only see a device's MAC address if it is on the same local network segment. Routers replace the source MAC at each hop, so the MAC you see from a remote system is the last router's MAC, not the originating device.
MAC spoofing is trivial — any administrator can change their NIC's MAC in software. Do not rely on MAC addresses as a sole security control.
Frequently Asked Questions
Q: What are the first 6 characters of a MAC address called? A: The OUI — Organizationally Unique Identifier. The IEEE assigns OUI blocks to manufacturers. The first 24 bits (3 octets) identify the vendor; the last 24 bits identify the specific device.
Q: Why does my MAC address lookup return "locally administered"? A: Modern operating systems randomise MAC addresses for privacy. When MAC randomisation is active, the locally administered bit is set, making the OUI meaningless. You'll need to disable MAC randomisation in the device's network settings to see the real hardware OUI.
Q: Can I find a device's location from its MAC address? A: No. MAC addresses are Layer 2 identifiers local to a network segment. They are not routable and carry no geographic information. IP geolocation is used for location; MAC lookup only identifies the hardware manufacturer.
Q: Why does a VM show a VMware or QEMU OUI? A: Hypervisors assign synthetic MAC addresses from their own registered OUI ranges to virtual NICs. This is normal and expected for virtualised environments.
Q: Is MAC address lookup the same as IMEI lookup? A: No. IMEI (International Mobile Equipment Identity) identifies mobile handsets. MAC addresses identify network interfaces. They are completely separate standards for different hardware layers.
Related Tools
- IP Geolocation Lookup — map an IP address to its location and ISP
- Subnet Calculator — calculate subnets for the network the device is on
- Reverse DNS Lookup — resolve device IPs to hostnames
- Blacklist Check — check if a device's IP is on blocklists
Operational intent and scope
MAC Address Lookup is designed for practical troubleshooting where you need fast evidence, clear next actions, and shareable results. The tool focuses on mac address lookup workflows and gives operators enough signal to decide whether the issue is likely local, resolver-level, provider-level, or configuration-level.
In production, this matters because teams usually lose time in handoffs. One team runs a quick check, another team needs context, and the result is re-tested from scratch. This page avoids that loop by combining an executable widget, interpretation guidance, and route-level SEO content that stays visible to both users and crawlers.
Inputs, outputs, and decision quality
- Primary input: MAC
- Primary output: structured findings that map directly to remediation decisions
- Best use moment: migrations, incidents, change windows, verification after rollout
When reading output, do not treat a single result as absolute truth. Network controls, DNS cache variance, provider policy, and browser fetch constraints can all affect one-time checks. The reliable method is:
- Run MAC Address Lookup to establish first signal.
- Cross-check with one related tool.
- Confirm final state against authoritative provider logs or telemetry.
That model is intentionally reflected in this page structure so operational teams can move from signal to proof quickly.
Interpretation framework
Use this compact framework during triage:
- Expected output usually means the current configuration is aligned.
- Missing output often indicates invalid input, resolver delay, or absent record/state.
- Unexpected output frequently points to stale caches, aliasing conflicts, policy mismatch, or partial rollouts.
- Intermittent output is common during propagation windows or regional provider differences.
A good practice is to capture a timestamped snapshot of the output and re-check at a fixed interval. This creates an evidence trail and helps explain why symptoms changed over time.
Common failure patterns for MAC Address Lookup
- Input normalization issues: malformed domain/IP/URL values silently reduce result quality.
- Cross-environment drift: staging and production values diverge after rushed changes.
- Assumed global consistency: teams test from one region and assume all resolvers/providers match.
- Missing post-change validation: updates are made, but no verification pass is executed.
Preventive control is straightforward: standardize input, run a baseline before change, compare after change, and store both outputs in tickets or runbooks.
Workflow pairing and escalation path
MAC Address Lookup is strongest when paired with adjacent checks. Recommended next tools in this cluster: MAC Address Generator, Subnet Calculator, IP Geolocation Lookup, HTTP Lookup.
Escalate to deeper analysis when:
- The same input returns conflicting results across repeated runs.
- Results indicate policy or trust-chain issues that require provider-side logs.
- A security-sensitive check shows ambiguous outcomes.
- Incident scope crosses DNS, email, and transport boundaries simultaneously.
Quick remediation checklist
- Validate exact MAC value before running.
- Run the check and record output with timestamp.
- Compare against expected production baseline.
- Re-test after a controlled interval.
- Cross-check using related tools.
- Apply configuration changes only after confirming root cause.
FAQ highlights used by teams
- What does this tool check? — This tool provides a focused diagnostic signal with interpretation guidance.
- Why can results vary? — Resolver cache, provider policy, and regional path differences can change observed results.
- Can I share this check? — Yes. URL query state can be shared for reproducible team handoffs.
- Is this enough for production closure? — Use as first-pass diagnostics, then verify with authoritative provider logs.
Why this page is built this way
This page is intentionally implemented as a tool-plus-article format so it works for both execution and discoverability. The first fold keeps action visible, and the supporting sections provide structured guidance that remains indexable in prerendered HTML. That approach reduces repeat incidents, shortens handoff cycles, and improves long-tail search relevance without sacrificing technical clarity.
| Signal | Meaning | Action |
|---|---|---|
| Expected result | Configuration likely aligned | Document and monitor baseline |
| Unexpected result | Potential config drift | Cross-check related tools |
| No result | Input/resolver/policy issue | Validate input and retry |
| Intermittent response | Regional/cache variance | Re-run across time window |
| Error | Endpoint or network blocked | Verify source setup and access policy |