MAC address and network interface

• Can Wireshark automatically extract the Network Interface Card vendor from the MAC address alone?

Yes, as long as the L/G-bit within the MAC address = 0. If the bit is 0, the address is universally administered and registered at the IEEE Registration Authority:

https://regauth.standards.ieee.org/standards-ra-web/pub/view.html#registries

If the L/G-bit is is 1, the address is locally administered. Please see the link above for a full list of registered OUI's with the IEEE.

• And why?

See above answer. Basically, a MAC address can be divided into 2 parts. The first half (the first 3 octets) are called the Organizationally Unique Identifier (OUI). The second half (last 3 octets) is the Network Interface Contoller (NIC) specific. So the OUI is registered with the IEEE and defines which organization/company "owns" that block of MAC addresses. The NIC portion is then assigned by that company. If an organization does not expect to use a complete block of an OUI (3 octets), then the OUI can be shared among different companies (MA-M and MA-S).

1. MAC Address Block Large (MA-L) = entire OUI is utilized
2. MAC Address Block Medium (MA-M) = OUI is shared, first nibble (4-bits) in NIC is unique between companies
3. MAC Address Block Small (MA-S) = OUI is shared, first octet (8-bits) in NIC is unique between companies

By the way, Wireshark provides an OUI look-up tool:

https://www.wireshark.org/tools/oui-lookup.html