MAC Address Vendor Lookup & OUI Tracker

OUI vendor lookup, randomization detection, BLE identification, and format conversion.

The MAC Address Analyzer decodes any MAC address to identify the hardware vendor via OUI lookup, determines whether the address is globally unique or locally administered (randomized), infers device class, detects Bluetooth Low Energy address ranges, and outputs the address in multiple standard formats.


How to Use

Work through these steps in order. Use this tool for educational and ethical purposes only.

1. Select MAC Address Analyzer from the tool navigation.
2. Enter the MAC address in any common format: colon-separated (AA:BB:CC:DD:EE:FF), hyphen-separated, or bare hex.
3. Click Analyze. The tool normalizes the input and starts the OUI lookup.
4. Review the Vendor panel showing the registered organization name from the OUI database.
5. Check the Address Type field: Global (manufacturer-assigned) or Local (randomized/private).
6. Review the Multicast/Unicast indicator based on the least-significant bit of the first octet.
7. Check the BLE Detection row to see whether the OUI falls within known Bluetooth Low Energy address ranges.
8. Review the Format Conversion panel for EUI-64, Cisco dot notation, and bare hex outputs.

What Is a MAC Address?

A MAC (Media Access Control) address is a 48-bit hardware identifier assigned to every network interface controller (NIC). It operates at Layer 2 of the OSI model, the Data Link layer, where devices communicate on local networks before IP routing takes over.

Every MAC address has two halves. The first 24 bits form the OUI (Organizationally Unique Identifier), which the IEEE assigns to hardware manufacturers. A device with OUI AC:DE:48, for example, maps to a specific chipmaker. The second 24 bits are the NIC-specific identifier, assigned by the manufacturer to distinguish individual units.

This structure is why MAC lookups work: the OUI is a public manufacturer registry. When a device sends traffic, the source MAC in every Ethernet frame reveals which company built the NIC.

MAC addresses serve several roles in network infrastructure. Switches use MAC address tables to forward frames to the correct port without flooding the network. DHCP servers log client MACs to assign consistent IP leases and track connected devices. Many networks use MAC-based allowlists as a basic access control layer. In incident response, MACs captured in switch logs, ARP caches, or packet captures can tie network activity to a specific physical device.

MAC Randomization and Privacy

When you enter a MAC like 02:00:00:00:00:01, the result shows “Randomized / Local (No Vendor)” with a yellow Privacy Warning. This is intentional device behavior, not a lookup error.

The second least-significant bit of the first byte is the Administration bit. When set to 1, the address is Locally Administered (LAA). When 0, it is Globally Unique (UAA), a factory-assigned identifier tied to a real manufacturer. The OUI prefix 02:00:00 sets that bit, which is why the Technical Details table shows “Local (LAA)” under Administration.

Apple introduced per-network MAC randomization in iOS 14 (2020). Google followed with Android 10+. Both systems generate a new random MAC for each Wi-Fi network a device joins and rotate it periodically. The Device Intelligence panel classifies these as “Modern Mobile Device (iOS 14+ / Android 10+) using MAC Randomization.”

Before randomization, retail analytics companies and venue operators used MACs passively captured from Wi-Fi probe requests to track users across locations. A globally unique MAC was a stable, hardware-bound fingerprint. Randomization removes that fingerprint: the device generates LAA addresses locally, so a lookup has no vendor to return.

Practical implications for network admins:

  • DHCP reservations: MAC-based static IP assignments break when clients randomize their address. Most enterprise environments now rely on 802.1X certificate-based authentication instead.
  • MAC filtering: As an access control mechanism, MAC filtering is largely ineffective against modern mobile devices.
  • Device inventory tools: Network scanners that identify devices by OUI will misclassify or fail to identify randomized devices, returning “Unknown” or “Local.”

Detecting whether a MAC is randomized is a standard first step in any network investigation. This tool surfaces that information immediately through the Administration field and the colored alert banner.

MAC Addresses in Investigations

MAC addresses appear across forensic, security, and OSINT workflows. Knowing when they provide reliable evidence, and when they mislead, is critical for any analyst.

When MACs reliably help:

Routers, switches, access points, printers, IoT sensors, and most enterprise hardware still use globally administered MACs. A lookup on a specific OUI can instantly confirm a router vendor, narrowing the field of devices on a network segment.

Managed switches maintain MAC address tables mapping hardware addresses to physical ports. When an incident involves unauthorized network access, these logs can trace which port, and therefore which physical location, a device connected from. DHCP servers log the MAC alongside every assigned IP and timestamp, so cross-referencing a suspicious IP with DHCP logs often surfaces the associated MAC and device type.

Industrial control systems, medical devices, and building automation equipment typically cannot implement MAC randomization, so MAC-based identification remains highly reliable in OT/ICS environments. In packet captures (e.g., Wireshark), running OUIs through a lookup is a standard enrichment step to annotate device types without needing full IP-to-hostname resolution.

When MACs mislead:

Any MAC starting with 02, 06, 0A, or 0E in the first byte should be treated as potentially randomized. This tool flags it immediately through the Administration indicator.

Any OS can change its reported MAC in software. A threat actor can broadcast any MAC, including one matching a trusted vendor’s OUI. A lookup returning “Cisco Systems” does not confirm the device is Cisco hardware; it confirms only that the address was registered to Cisco, or that someone is spoofing it.

Virtual machines and containers use software-assigned MACs that may or may not map to real OUI registrations. ARP cache entries may reflect a device that was on the network hours ago, not the current occupant of that IP.

Treat a MAC address as a starting point, not a conclusion. Use it alongside IP geolocation, DHCP timestamps, NetFlow data, and endpoint logs for a complete picture.
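The DHCP cross-reference described in this section, as an added example that is not part of the tool: given an IP and a time of interest, it returns the MAC that actually held the lease at that moment and whether that MAC is locally administered. The log format, addresses and function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample in a hypothetical "<time> ACK <ip> <mac> lease=<seconds>" format.
DHCP_LOG = """\
2024-05-01T09:00:00 ACK 10.0.0.23 AC:DE:48:00:11:22 lease=3600
2024-05-01T09:05:00 ACK 10.0.0.40 02:00:00:00:00:01 lease=3600
2024-05-01T14:00:00 ACK 10.0.0.23 DA:B1:C2:D3:E4:F5 lease=3600
"""

def parse_leases(log):
    """Yield (ip, mac, start, end) for every ACK line in the log."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, kind, ip, mac, lease = line.split()
        if kind != "ACK":
            continue
        start = datetime.fromisoformat(ts)
        seconds = int(lease.partition("=")[2])
        yield ip, mac.upper(), start, start + timedelta(seconds=seconds)

def holder_at(log, ip, when):
    """Return (mac, is_local) for the lease covering `when`, or None."""
    t = datetime.fromisoformat(when)
    hit = None
    for lease_ip, mac, start, end in parse_leases(log):
        if lease_ip == ip and start <= t < end:
            hit = mac  # a later ACK for the same IP overrides an earlier one
    if hit is None:
        return None  # no lease covered that moment: do not guess from stale data
    is_local = bool(int(hit[:2], 16) & 0x02)  # bit 1 of the first octet
    return hit, is_local

if __name__ == "__main__":
    for when in ("2024-05-01T09:30:00", "2024-05-01T11:00:00",
                 "2024-05-01T14:10:00"):
        print(when, holder_at(DHCP_LOG, "10.0.0.23", when))
```

The same IP resolves to a vendor-assigned MAC in the morning, to nothing at 11:00, and to a locally administered MAC in the afternoon, which is why the timestamp has to be part of the lookup.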

Technical Details

MAC addresses follow IEEE 802. The first 24 bits (the OUI, or Organizationally Unique Identifier) identify the hardware manufacturer when the address is globally administered. The tool queries the macvendors.co API for OUI resolution with a local fallback.

Randomization detection reads bit 1 of the first octet, the locally administered bit. If it is set, the address was not assigned by a manufacturer. iOS 14+, Android 10+, and Windows 10 all generate randomized MACs for Wi-Fi privacy by default. In network forensics, a locally administered address cannot be tied to a physical device vendor.

Multicast detection reads bit 0 of the first octet. Multicast MACs are never assigned to individual hardware and indicate group or broadcast traffic only.

BLE address detection checks whether the OUI falls within ranges commonly used for Bluetooth Low Energy peripherals. This is useful for wireless forensics and IoT device profiling.

Typical use cases: network access control auditing, rogue device detection, wireless forensics, and IoT device classification.
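The bit checks and format conversions described above, as an added example (not the tool's own code). It tests the flag bits directly, so it also classifies first octets such as DA as locally administered. The function names and sample addresses are constructed, and the EUI-64 form assumes a plain FF:FE insertion between the OUI and the NIC-specific half, which may differ from the tool's output.

```python
import re

def parse_mac(text):
    """Normalize colon, hyphen, Cisco-dot or bare-hex input to 6 raw bytes."""
    digits = re.sub(r"[:\-.\s]", "", text)  # drop separators, keep hex digits
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def analyze(text):
    """Decode the flag bits of the first octet and render common formats."""
    mac = parse_mac(text)
    h = mac.hex().upper()
    multicast = bool(mac[0] & 0x01)  # bit 0 (I/G): group vs. individual
    local = bool(mac[0] & 0x02)      # bit 1 (U/L): locally administered
    eui64 = mac[:3] + b"\xff\xfe" + mac[3:]  # assumption: plain FF:FE insertion
    return {
        # A vendor lookup only makes sense for a global, unicast address.
        "oui": None if (local or multicast) else h[:6],
        "administration": "Local (LAA)" if local else "Global (UAA)",
        "cast": "Multicast" if multicast else "Unicast",
        "colon": ":".join(h[i:i + 2] for i in range(0, 12, 2)),
        "hyphen": "-".join(h[i:i + 2] for i in range(0, 12, 2)),
        "cisco": ".".join(h[i:i + 4].lower() for i in range(0, 12, 4)),
        "bare": h,
        "eui64": ":".join(f"{b:02X}" for b in eui64),
    }

# Constructed sample inputs, one per accepted input format.
SAMPLES = ["AC-DE-48-00-11-22", "02:00:00:00:00:01",
           "dab1.c2d3.e4f5", "01005e0000fb"]

if __name__ == "__main__":
    for s in SAMPLES:
        r = analyze(s)
        print(f"{s:20} {r['administration']:13} {r['cast']:10} {r['cisco']}")
```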

Pros & Cons

Pros

  ✓ Randomization detection adds critical context for modern mobile device forensics
  ✓ BLE range identification helps classify IoT and wearable devices on the network
  ✓ Multi-format output saves manual conversion time during documentation

Cons

  ✗ OUI lookup depends on the macvendors.co API, so offline use falls back to a local database
  ✗ Randomized MACs return no vendor data, which limits device identification
  ✗ Does not cross-reference OUI values against known spoofed or malicious ranges

Frequently Asked Questions

It queries the IEEE OUI database and returns the company that registered the first three bytes (OUI prefix) of the address. It also reveals whether the address is Unicast or Multicast and whether it is Globally Administered (factory-assigned) or Locally Administered (software-generated or randomized). It does not reveal the device owner’s name, location, or IP address.

The MAC has its Locally Administered (LAA) bit set: the second least significant bit of the first byte equals 1. Modern smartphones running iOS 14+, Android 10+, and recent Windows 10/11 builds generate random LAA addresses for each Wi-Fi network to prevent tracking. No manufacturer owns these addresses because the device created them locally.

No. It identifies only the hardware manufacturer registered to the OUI prefix. MAC addresses are not publicly linked to personal identities. Attributing a MAC to a person requires access to private records such as DHCP logs, ISP data, or corporate device inventories, plus the legal authority to obtain them.

Yes. MAC addresses can be changed in software on virtually all modern operating systems without special hardware (MAC spoofing). A spoofed address can impersonate any OUI, including trusted vendor prefixes. Always corroborate MAC-based identification with additional network evidence rather than treating it as definitive proof.

The least significant bit of the first byte determines this. A 0 means the frame targets a single device (Unicast). A 1 means the frame targets a group of devices (Multicast), used in protocols like IGMP, mDNS, and Spanning Tree. Most device MACs are Unicast; Multicast addresses are typically assigned to network protocols, not individual hardware.
