MAC Address Details Lookup

MAC Address Details

Processed the first MAC address only and ignored {{ extraLinesIgnored }} extra line(s).

MAC address:

Paste one address: AA:BB:CC:DD:EE:FF, AABB.CCDD.EEFF, or AABBCCDDEEFF.

Provider route:

Auto queries maclookup.app then macvendors.com; None keeps lookup offline.

Provider timeout:

Range: 500-15000 ms in 100 ms steps; raise only for slow provider responses.

Proxy fallback:

Enable only after direct vendor evidence fails or browser CORS blocks the route.

Identity action sensitivity:

Balanced fits normal triage; Strict is best before asset or security action.

Field	Value	Copy
{{ row.label }}	{{ row.value }}
No MAC details available Enter one valid EUI-48 or EUI-64 address to populate normalized formats and OUI fields.

Provider	Transport	Status	HTTP	Latency	Message	Copy
{{ row.provider }}	{{ row.transport }}	{{ row.status }}	{{ row.httpStatus }}	{{ row.latency }}	{{ row.message }}
No provider evidence available Use a provider route other than None to record remote vendor lookup attempts.

Priority	Action	Why now	Next check	Cadence	Copy
{{ row.priority }}	{{ row.action }}	{{ row.reason }}	{{ row.next_check }}	{{ row.cadence }}
No identity actions available Run a valid lookup so randomization, special-use, provider, and evidence signals can be ranked.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

MAC addresses identify network interfaces on a local link. They appear in Wi-Fi client lists, DHCP reservations, switch tables, packet captures, virtual machine settings, and asset inventories, so a pasted value often needs normalization before it can be compared reliably.

The first bytes can support a vendor lookup, but vendor attribution is only one part of the story. The first octet also carries the individual or group flag and the universal or local flag. Those bits explain why a value may be multicast, locally administered, randomized for privacy, manually assigned, or unsuitable as a stable device identity.

MAC address split into I/G bit, U/L bit, registered prefix bits, and interface-specific bits

Modern device privacy features and virtual networks make those structural clues important. A unicast locally administered address can be a temporary Wi-Fi address, a virtual interface, or a manual lab assignment. A clean vendor match can still be spoofed, stale, or too broad to identify a product model.

MAC lookup evidence works best as triage. Normalize the address, read the bit flags, compare provider evidence, and treat the vendor result as a prefix-owner clue rather than proof of physical device ownership.

How to Use This Tool:

Start with one address. The lookup accepts common EUI-48 and EUI-64 forms, normalizes the value, then adds provider evidence only when the selected route allows it.

Paste one value into MAC address. Accepted forms include colon-separated, hyphen-separated, dotted, compact 12-hex EUI-48, and compact 16-hex EUI-64 values.
If you paste a longer log line, check whether the result says a MAC-like token was extracted. If several lines were pasted, only the first non-empty address is processed.
Leave Provider route on Auto for ordinary vendor evidence, choose a named provider when you need one source specifically, or choose None (local only) when structure and privacy matter more than vendor attribution.
Use Provider timeout only when provider requests are slow or blocked. The accepted range is 500 to 15000 ms.
Enable Proxy fallback only when direct provider evidence fails and you are comfortable with the alternate transport shown in Provider Evidence.
Set Identity action sensitivity to Strict before asset or security decisions, or keep Balanced for normal triage.
If the error says the address must contain 12 or 16 hexadecimal digits, remove extra text or separators until one valid identifier remains.

Interpreting Results:

Read structural fields before attribution fields. Format, Address Class, Admin Class, First Octet Bits, Special Use, and Randomization Likelihood are derived from the supplied bytes. Vendor, Organization, Country, and block fields depend on provider data and request success.

MAC lookup result patterns and interpretation
Result pattern	What it supports	What to verify
Unicast and Universally administered with a vendor match	The address is a normal individual address and the prefix lookup found an assignee.	Check Provider Evidence before using the vendor as an inventory label.
Unicast and Locally administered	The address may be private, randomized, virtual, or manually assigned.	Compare repeat sightings before treating it as a stable device key.
Multicast, broadcast, all-zero, or a populated Special Use row	The value is probably a group, protocol, or placeholder address.	Follow the protocol context instead of assigning it to one endpoint.
Vendor unresolved with failed provider evidence	The address can still be structurally valid.	Retry later, raise the timeout, switch provider route, or compare a trusted local inventory.

A false positive is easy here: a vendor name does not prove the exact device, and a locally administered address does not prove privacy randomization. Use Identity Actions to see which follow-up is ranked highest, then verify against DHCP, switch, Wi-Fi controller, or endpoint-management evidence.

Technical Details:

An EUI-48 address has six octets, and an EUI-64 address has eight. The first octet is read bit by bit: the least significant bit is the individual or group flag, and the next bit is the universal or local flag. The first 24 bits form the common OUI-style prefix used by many vendor lookup services, while narrower assignment blocks can use longer prefixes.

Address normalization removes separators, validates hexadecimal length, then returns canonical colon format, hyphen format, and dotted format where it applies. The lookup also reports the 24-bit OUI in colon and hex form, a 36-bit prefix view when available, and the first-octet binary string so the flag reading is auditable.

Rule Core:

MAC address structural rules
Rule	Displayed field	Meaning
First octet bit 0 equals `0`	Address Class: Unicast	The address targets one interface.
First octet bit 0 equals `1`	Address Class: Multicast	The address is for group traffic, not one stable endpoint.
First octet bit 1 equals `0`	Admin Class: Universally administered	The prefix is more likely to align with registered assignment data.
First octet bit 1 equals `1`	Admin Class: Locally administered	The address may be randomized, virtual, or locally assigned.
`FF:FF:FF:FF:FF:FF` or all zeroes	Special Use	Broadcast or placeholder space, not a vendor-attributable endpoint.

Transformation Core:

IPv6 helper values are derived from bytes, not discovered from the network. For EUI-48 input, Modified EUI-64 flips the universal or local bit in the first octet, inserts FF:FE between the first three and last three bytes, groups the result into four hexadecimal words, and places it under fe80:: for a link-local candidate.

Example EUI-48 to Modified EUI-64 transformation
Stage	Value	Reading
Input	`44:38:39:FF:EF:57`	Six-byte EUI-48 value.
First octet after U/L flip	`46`	`44` XOR `02` changes the universal/local bit.
Modified EUI-64	`46:38:39:FF:FE:FF:EF:57`	`FF:FE` is inserted before the last three bytes.
SLAAC IID	`4638:39ff:feff:ef57`	The eight bytes are grouped as an IPv6 interface identifier.
Link-local Candidate	`fe80::4638:39ff:feff:ef57`	A deterministic candidate, not proof that a host is using that IPv6 address.

Reverse derivation from EUI-64 to EUI-48 is only meaningful when the eight-byte value contains the inserted FF:FE pattern in the expected middle position. Without that pattern, the bytes may still be a valid EUI-64, but they do not carry enough evidence for the same EUI-48 recovery.

Privacy Notes:

The structural parse, formatting, bit flags, special-use checks, and IPv6 helper values can be produced without a provider lookup. Vendor evidence requires the selected provider route unless Provider route is set to None (local only).

Choose None (local only) when the address should not be sent for external vendor evidence.
Remote vendor routes may expose the normalized address to the selected lookup provider and show success, warning, or failure details in Provider Evidence.
Proxy fallback changes the transport path. Use the Transport, HTTP, and Message fields before relying on provider attribution.

Worked Examples:

Normal vendor triage. Enter 44:38:39:ff:ef:57 and leave Provider route on Auto. Vendor Details should show the canonical colon form, Format as EUI-48 / MAC-48, first-octet bits, OUI fields, and any provider match that was returned. If a vendor appears, open Provider Evidence to confirm which route produced it.

Private Wi-Fi address. Enter a unicast address whose U/L bit is set, such as 02:11:22:33:44:55. Admin Class should read locally administered and Randomization Likelihood should warn that the value may be private, randomized, or manually assigned. Do not use the absence of a vendor as proof that the device is unknown.

Structure-only review. Choose None (local only) and enter an address from a sensitive packet capture. Vendor Details still reports canonical forms, OUI, first-octet bits, and helper values, while Provider Evidence remains empty because no provider route was used.

Bad paste cleanup. Paste a ticket line that contains several values. If an alert says extra lines were ignored, rerun each address separately. If an error reports an invalid length, keep one 12-hex or 16-hex identifier and remove surrounding log text.

FAQ:

Can a MAC address prove the device vendor?

No. A vendor match identifies a registered prefix or provider record, not the exact product model, current owner, or authenticity of the address. Check Provider Evidence and local inventory before acting on attribution.

Why does a locally administered address matter?

A locally administered address has the U/L bit set. That pattern is common in private Wi-Fi addressing, virtualization, and manual assignments, so Randomization Likelihood may warn against long-lived identity assumptions.

What happens when Provider route is set to None?

The lookup skips remote vendor evidence and reports only local structure such as normalized formats, OUI fields, bit flags, special-use hints, and IPv6 helper values.

Why did the lookup reject my pasted value?

The normalized value must contain either 12 hexadecimal digits for EUI-48 or 16 hexadecimal digits for EUI-64. Remove extra lines, labels, timestamps, and non-hex text, then rerun one identifier.

Glossary:

EUI-48: A 48-bit identifier commonly seen as a six-octet MAC address.
EUI-64: An eight-octet identifier that may appear in protocol traces and IPv6-related contexts.
OUI: The 24-bit prefix commonly used for registered assignment and vendor lookup evidence.
I/G bit: The first-octet bit that distinguishes individual addresses from group addresses.
U/L bit: The first-octet bit that distinguishes universally administered space from locally administered space.
Modified EUI-64: The IPv6-style transformation that flips the U/L bit and inserts FF:FE into an EUI-48 value.

References:

IEEE MA-L and OUI information, IEEE Standards Association.
IEEE Registration Authority FAQs, IEEE Standards Association.
RFC 4291: IP Version 6 Addressing Architecture, IETF, February 2006.