Tuesday, February 22, 2011

Identifying a Network Device by MAC/Hardware Address

If you are trying to identify a network device, and all you have is a MAC address for that device, you might try identifying which hardware vendor the MAC address range is associated with.  For example, I had a device connected to my wireless which had a MAC address starting with the prefix 30:69:4B.  I could not identify exactly which device it was, although it was most likely a valid one.

The device also did not show up in other tools, such as the Windows command line arp -a command, Angry IP Scanner or Colasoft's MAC Scanner, so identifying it that way was not possible.  ARP stands for Address Resolution Protocol, i.e. the protocol used to determine MAC addresses from IP addresses so that transmission at the link layer can occur.  You didn't forget your OSI model did you?  :)

Using http://hwaddress.com/ I was able to determine the device was a coworker's Blackberry phone which was associating with the wireless access point (AP).  The MAC prefix is owned by the manufacturer RIM/Research In Motion.  Another similar search site is Vendor/Ethernet/Bluetooth MAC Address Lookup and Search, although I didn't find what I was looking for on that one.


  1. none of these tools tell you the actual device they only tell you the vendor. Is there an actual tool that will tell you the actual type of device it is? If the first set of 24 bits is the vendor identifier then what is the last 24 bits? It should ID the type of device correct?

  2. The bits that are remaining after taking out the organizational identifier/vendor prefix can be defined however the vendor wishes them to be defined, as far as I know. So it's possible some vendors might encode what type of device it is, but I haven't seen a list like that.

    You might use other information gleaned from a network port scan ("fingerprint") of a particular network device to try to determine what it is though (use responsibly!). For example, what ports it is listening on, if it responds to NetBIOS requests, etc. Also, a lot of devices like printers will return more device information when you hit certain ports on them.

  3. is there another way to find what actual device is presented by the mac?
    because all the address above only tells you the manufacturer not the device.

    1. Not that I am aware of, unless it is manufacturer specific data encoded into the MAC.

      See my comment from April 7th - you might be able to determine what the device is from network scans (use responsibly) on TCP/IP ports for a particular device. An ARP table from a network device on the same network segment (switch, firewall, etc. depending on your network topology) will tell you the mapping between MAC/IP, and you can go from there.

  4. Knowledge giving Article! I appreciate you. I completely agree with you. If we talk about current scenario then it is must be update. I enjoyed reading. I would like to visit more for more queries.
    MAC Address Change

  5. Great article. However, I would appreciate if you can shed some light on finding the actual device type.