This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

MAC address and network interface

0

Can Wireshark automatically extract the Network Interface Card vendor from the MAC address alone? And why?

asked 27 Feb '17, 11:09


ayaa
6112
accept rate: 0%


One Answer:

2
  • Can Wireshark automatically extract the Network Interface Card vendor from the MAC address alone?

Yes, as long as the L/G-bit within the MAC address = 0. If the bit is 0, the address is universally administered and registered at the IEEE Registration Authority:

https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries

If the L/G-bit is 1, the address is locally administered. Please see the link above for a full list of OUIs registered with the IEEE.

  • And why?

See above answer. Basically, a MAC address can be divided into 2 parts. The first half (the first 3 octets) is called the Organizationally Unique Identifier (OUI). The second half (last 3 octets) is Network Interface Controller (NIC) specific. So the OUI is registered with the IEEE and defines which organization/company "owns" that block of MAC addresses. The NIC portion is then assigned by that company. If an organization does not expect to use a complete block of an OUI (3 octets), then the OUI can be shared among different companies (MA-M and MA-S).

  1. MAC Address Block Large (MA-L) = entire OUI is utilized
  2. MAC Address Block Medium (MA-M) = OUI is shared, first nibble (4-bits) in NIC is unique between companies
  3. MAC Address Block Small (MA-S) = OUI is shared, first octet (8-bits) in NIC is unique between companies

By the way, Wireshark provides an OUI look-up tool:

https://www.wireshark.org/tools/oui-lookup.html

answered 27 Feb '17, 11:54


Amato_C
1.1k142032
accept rate: 14%
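The lookup described in the answer above, as an added example that is not part of the original post or of Wireshark's code: it checks the local/global bit first and then matches the longest registered prefix, so a shared OUI resolves to the company holding the sub-block. The registry entries, vendor names and function names are constructed placeholders, not real IEEE assignments.

```python
import re

# Constructed registry: (prefix, prefix length in bits, name).
# Names and prefixes are placeholders, not real IEEE assignments.
REGISTRY = [
    ("00:11:22:00:00:00", 24, "Example Vendor A"),        # MA-L: entire OUI
    ("00:33:44:00:00:00", 24, "Shared OUI (placeholder)"),  # OUI split into sub-blocks
    ("00:33:44:10:00:00", 28, "Example Vendor B"),        # MA-M: OUI + first nibble
    ("00:33:44:20:00:00", 28, "Example Vendor C"),        # MA-M: OUI + first nibble
]


def parse_mac(text):
    """Return a MAC address as a 48-bit integer (':', '-' or '.' separated)."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def is_locally_administered(mac):
    """Local/global bit: second-least-significant bit of the first octet."""
    return bool((mac >> 40) & 0x02)


def lookup_vendor(text, registry=REGISTRY):
    """Resolve a vendor name, or say why none can be derived."""
    mac = parse_mac(text)
    if is_locally_administered(mac):
        # Not registered with the IEEE, so the prefix says nothing about the vendor.
        return "locally administered"
    best_bits, best_name = 0, "unregistered"
    for prefix, bits, name in registry:
        shift = 48 - bits
        # Compare only the leading `bits` bits; keep the most specific match.
        if mac >> shift == parse_mac(prefix) >> shift and bits > best_bits:
            best_bits, best_name = bits, name
    return best_name


if __name__ == "__main__":
    # Constructed sample addresses.
    for sample in ("00:11:22:aa:bb:cc", "00-33-44-1A-00-01",
                   "0033.442f.0001", "00:33:44:90:00:01",
                   "02:11:22:aa:bb:cc", "00:55:66:00:00:01"):
        print(f"{sample:20} {lookup_vendor(sample)}")
```

A "locally administered" result is worth flagging separately from "unregistered" when reviewing a capture, since such addresses are assigned on the host rather than taken from a manufacturer's registered block.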