Tuesday, February 22, 2011

Identifying a Network Device by MAC/Hardware Address

If you are trying to identify a network device, and all you have is a MAC address for that device, you might try identifying which hardware vendor the MAC address range is associated with.  For example, I had a device connected to my wireless which had a MAC address starting with the prefix 30:69:4B.  I could not identify exactly which device it was, although it was most likely a valid one.

The device also did not show up in other tools, such as the Windows command line arp -a command, Angry IP Scanner or Colasoft's MAC Scanner, so identifying it that way was not possible.  ARP stands for Address Resolution Protocol, i.e. the protocol used to determine MAC addresses from IP addresses so that transmission at the link layer can occur.  You didn't forget your OSI model did you?  :)

Using http://hwaddress.com/ I was able to determine the device was a coworker's Blackberry phone which was associating with the wireless access point (AP).  The MAC prefix is owned by the manufacturer RIM/Research In Motion.  Another similar search site is Vendor/Ethernet/Bluetooth MAC Address Lookup and Search, although I didn't find what I was looking for on that one.


  1. none of these tools tell you the actual device they only tell you the vendor. Is there an actual tool that will tell you the actual type of device it is? If the first set of 24 bits is the vendor identifier then what is the last 24 bits? It should ID the type of device correct?

    1. kết giới sẽ nhanh hơn không ít.

      Lê Tiêu Dao cất tiếng nói với Nhạc Thành.

      - Chuyện này không nên chậm trễ, Yêu Huyên, Thanh Đồng, Hồng Loan, Đại Song, Tiểu Song các ngươi đi cùng ta, những người kia thì ở lại Song Phong thành.
      mu private
      tim phong tro
      nhac san cuc manh
      tổng đài tư vấn luật
      văn phòng luật
      tổng đài tư vấn pháp luật
      thành lập công ty
      chém gió
      trung tâm ngoại ngữ
      Nhạc Thành cất tiếng nói với mọi người.

      - Các ngươi cẩn thận một chút.

      Lê Tiêu Dao đem không gian ngọc giản mà giao cho Nhạc Thành.

      Nhạc Thành cầm lấy không gian ngọc giản xong thì lập tức bóp nát sau đó một lỗ hổng xuất hiện, Nhạc Thành cùng với Yêu Huyên, Thanh Đồng, Hồng Loan bọn họ tiến nhập vào trong không gian thông đạo.

  2. The bits that are remaining after taking out the organizational identifier/vendor prefix can be defined however the vendor wishes them to be defined, as far as I know. So it's possible some vendors might encode what type of device it is, but I haven't seen a list like that.

    You might use other information gleaned from a network port scan ("fingerprint") of a particular network device to try to determine what it is though (use responsibly!). For example, what ports it is listening on, if it responds to NetBIOS requests, etc. Also, a lot of devices like printers will return more device information when you hit certain ports on them.

  3. is there another way to find what actual device is presented by the mac?
    because all the address above only tells you the manufacturer not the device.

    1. Not that I am aware of, unless it is manufacturer specific data encoded into the MAC.

      See my comment from April 7th - you might be able to determine what the device is from network scans (use responsibly) on TCP/IP ports for a particular device. An ARP table from a network device on the same network segment (switch, firewall, etc. depending on your network topology) will tell you the mapping between MAC/IP, and you can go from there.

  4. Knowledge giving Article! I appreciate you. I completely agree with you. If we talk about current scenario then it is must be update. I enjoyed reading. I would like to visit more for more queries.
    MAC Address Change

  5. Great article. However, I would appreciate if you can shed some light on finding the actual device type.