Mac Addressing - Learning Module

Loading content...

0/228

OUI (Organizationally Unique Identifier)

The Vendor Fingerprint in Every MAC Address

Embedded in every universally administered MAC address is a 24-bit identifier that reveals the manufacturer of the network interface: the Organizationally Unique Identifier (OUI). This vendor 'fingerprint' is one of the most practical aspects of MAC addressing for network administrators.

With a simple OUI lookup, you can determine that a device on your network was manufactured by Apple, Cisco, Dell, or any of the thousands of registered organizations—invaluable for network inventory, security analysis, troubleshooting, and understanding traffic patterns.

This page explores the OUI system in depth: its structure, how to perform lookups, notable OUI assignments, and practical applications for network administration.

What You Will Learn

By the end of this page, you will understand the OUI structure within MAC addresses, how to perform vendor lookups using IEEE databases and tools, the significance of notable OUI assignments, and how to leverage OUI information for network management and security.

OUI Structure and Extraction

The OUI occupies the first 24 bits (3 bytes) of a 48-bit MAC address. It is assigned by the IEEE Registration Authority to uniquely identify the organization responsible for the network interface.

OUI extraction from a MAC address:

MAC Address: 3C:22:FB:A1:B2:C3
            |_____|     |_____|  
              ↓           ↓
             OUI    Device Specific
           3C:22:FB      A1:B2:C3

Important notes on OUI extraction:

First 3 bytes only: The OUI is exactly the first 3 bytes (6 hex characters)
Case insensitive: 3C:22:FB = 3c:22:fb for lookup purposes
Separator agnostic: Works regardless of colon, hyphen, or no separator format
Only valid for UAA: Locally administered addresses (U/L bit = 1) don't have meaningful OUIs

OUI Structure Overview
Component	Bits	Position	Purpose
First Byte	8 bits	Byte 1 (most significant)	Contains I/G and U/L bits + 6 OUI bits
Second Byte	8 bits	Byte 2	Middle portion of OUI
Third Byte	8 bits	Byte 3	Least significant byte of OUI
Bytes 4-6	24 bits	Bytes 4-6	NIC-specific (vendor assigned)

The relationship between OUI and special bits:

The first byte of the OUI contains two special bits that affect interpretation:

Bit	Name	OUI Interpretation
Bit 0 (I/G)	Individual/Group	If 1, this is a multicast OUI (special purpose)
Bit 1 (U/L)	Universal/Local	If 1, the 'OUI' is not IEEE-assigned (locally administered)

For standard vendor-assigned unicast addresses:

Bit 0 = 0 (unicast)
Bit 1 = 0 (universally administered)
The remaining 22 bits of the OUI + the full OUI identify the vendor

OUI format in databases:

The IEEE and most lookup tools present OUIs in these formats:

Colon format: 3C:22:FB
Hyphen format: 3C-22-FB
No separator: 3C22FB
With company: 3C-22-FB (Apple, Inc.)

oui_extraction
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
def extract_oui(mac_address: str) -> dict:
    """
    Extract OUI and validate MAC address properties.
    """
    # Normalize: remove separators and convert to uppercase
    mac_clean = mac_address.upper().replace(':', '').replace('-', '').replace('.', '')
    
    if len(mac_clean) != 12:
        raise ValueError(f"Invalid MAC address length: {mac_address}")
    
    # Extract OUI (first 6 hex characters = 3 bytes)
    oui = mac_clean[:6]
    oui_formatted = f"{oui[:2]}:{oui[2:4]}:{oui[4:6]}"
    
    # Extract device-specific portion
    nic_specific = mac_clean[6:]
    
    # Analyze first byte for special bits
    first_byte = int(mac_clean[:2], 16)
    is_multicast = bool(first_byte & 0x01)    # Bit 0
    is_local = bool(first_byte & 0x02)        # Bit 1
    
    return {
        'original': mac_address,
        'oui': oui_formatted,
        'oui_raw': oui,
        'nic_specific': nic_specific,
        'is_multicast': is_multicast,
        'is_locally_administered': is_local,
        'oui_valid_for_lookup': not is_local  # LAA OUIs aren't in IEEE database
    }
 
# Examples
print(extract_oui("3C:22:FB:A1:B2:C3"))
# {'oui': '3C:22:FB', 'is_locally_administered': False, ...}
 
print(extract_oui("02:00:00:00:00:01"))
# {'oui': '02:00:00', 'is_locally_administered': True, 'oui_valid_for_lookup': False}

The IEEE OUI Database

The IEEE maintains the authoritative, publicly accessible database of all registered OUI assignments. This database is the foundation for all vendor identification based on MAC addresses.

Accessing the IEEE OUI database:

1. Web Interface:

URL: https://regauth.standards.ieee.org/standards-ra-web/pub/view.html
Search by OUI, company name, or address
Provides official registration details

2. Downloadable Files:

URL: https://standards-oui.ieee.org/
Available formats: CSV, TXT
Updated regularly (typically weekly)
Can be integrated into local tools and scripts

Database file formats:

IEEE OUI Database Formats
File	Format	Contents	Use Case
oui.txt	Text, pipe-delimited	OUI \| Organization \| Address	Simple lookup scripts
oui.csv	CSV	Registry, Assignment, Organization, Address	Spreadsheet analysis
mam.txt/.csv	Text/CSV	MA-M (medium) assignments	28-bit prefix lookups
oui36.txt/.csv	Text/CSV	MA-S (small) / IAB assignments	36-bit prefix lookups

Sample OUI database entries:

MA-L Registry Format (oui.txt):

3C-22-FB   (hex)    Apple, Inc.
3C22FB     (base 16)    Apple, Inc.
                    1 Apple Park Way
                    Cupertino CA 95014
                    US

00-50-56   (hex)    VMware, Inc.
005056     (base 16)    VMware, Inc.
                    3401 Hillview Avenue
                    Palo Alto CA 94304
                    US

Database update frequency:

The IEEE updates the OUI database as new assignments are made. For network tools:

Enterprise tools: Often include weekly or monthly OUI database updates
Wireshark: Updates manuf file with releases; can be manually refreshed
Custom scripts: Should periodically download fresh database files

Confidential registrations:

Some organizations request private/confidential OUI registrations. These appear in the database as:

XX-XX-XX   (hex)    Private

These organizations have paid for confidentiality, often for competitive, military, or security reasons.

Wireshark's manuf File

Wireshark maintains a 'manuf' file that extends the IEEE database with well-known non-registered prefixes (like virtual machine MAC ranges). Located in the Wireshark installation directory, this file can be updated manually: Help > About > Folders > Personal Configuration, then download an updated manuf file.

OUI Lookup Methods and Tools

Multiple methods exist for performing OUI lookups, from simple web tools to integrated network management solutions. Choose the appropriate method based on your scale and integration needs.

Method 1: Online Lookup Tools

Several websites provide instant OUI lookup:

https://regauth.standards.ieee.org/standards-ra-web/pub/view.html (Official IEEE)
https://macaddress.io/ (API available)
https://maclookup.app/
https://www.wireshark.org/tools/oui-lookup.html

Method 2: Command-Line Tools

oui_lookup_commands
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
# === Using arp-scan (includes OUI database) ===
# Install: apt install arp-scan (Debian/Ubuntu)
 
# Scan local network with vendor identification
sudo arp-scan --localnet
 
# Sample output:
# 192.168.1.1   3c:22:fb:11:22:33   Apple, Inc.
# 192.168.1.50  00:50:56:aa:bb:cc   VMware, Inc.
 
# Update the OUI database
sudo arp-scan --update
 
# Query specific MAC
arp-scan --quiet --localnet | grep "3c:22:fb"
 
# === Using nmap ===
# nmap includes MAC vendor database
nmap -sn 192.168.1.0/24
# Shows: MAC Address: 3C:22:FB:11:22:33 (Apple)
 
# === Manual lookup from IEEE database ===
# Download and search
curl -s https://standards-oui.ieee.org/oui/oui.txt | grep -i "Apple"
 
# Create local lookup script
curl -s https://standards-oui.ieee.org/oui/oui.txt > /usr/local/share/oui.txt
grep "^$(echo "3C:22:FB" | tr ':' '-' | tr '[:lower:]' '[:upper:]')" /usr/local/share/oui.txt

Method 3: Network Management Integration

Enterprise network tools typically integrate OUI databases:

Tool Category	Examples	OUI Capability
SNMP/NMS	PRTG, Nagios, Zabbix	Device identification by MAC
Packet Analyzers	Wireshark, tcpdump	Real-time vendor display
NAC Systems	Cisco ISE, Aruba ClearPass	Vendor-based policy enforcement
SIEM	Splunk, QRadar	Enrichment of MAC fields
Network Inventory	Lansweeper, Spiceworks	Automatic vendor identification

Method 4: Programmatic API Access

For integration into custom applications:

import requests

def lookup_oui_api(mac_address):
    # Using macaddress.io API (registration required for high volume)
    api_key = 'your-api-key'
    url = f'https://api.macaddress.io/v1?apiKey={api_key}&output=json&search={mac_address}'
    response = requests.get(url)
    data = response.json()
    return data.get('vendorDetails', {}).get('companyName', 'Unknown')

Rate Limiting Considerations

When using online OUI lookup APIs, be mindful of rate limits. For bulk lookups (hundreds or thousands of MACs), download the IEEE database locally and query offline. This is faster, doesn't hit rate limits, and works without internet connectivity.

Notable OUI Assignments

Certain OUIs appear so frequently in network analysis that experienced engineers recognize them instantly. Learning these common OUIs accelerates troubleshooting and network understanding.

Major Hardware Vendors:

Common Hardware Vendor OUIs
OUI(s)	Vendor	Typical Devices
`00:00:0C`, `00:1A:A1`, `3C:F8:62`	Cisco Systems	Routers, switches, access points
`3C:22:FB`, `A8:66:7F`, `DC:A4:CA`	Apple, Inc.	iPhones, Macs, iPads, Apple TV
`00:E0:4C`, `28:6E:D4`	Realtek	Consumer NICs, USB adapters
`F8:1D:78`, `DC:53:60`	Intel Corporate	Server NICs, laptop wireless
`B4:2E:99`, `18:C0:4D`	GIGA-BYTE Technology	Motherboard integrated NICs
`00:1A:11`, `3C:5A:B4`	Google, Inc.	Chromecast, Nest, Pixel devices
`EC:A8:6B`, `54:E1:AD`	TP-Link	Consumer routers, switches

Virtualization Platform OUIs:

These OUIs indicate virtual machines or containers:

Virtualization OUI Prefixes
OUI/Prefix	Platform	Notes
`00:50:56`	VMware ESXi/vSphere	Most common; static assignment range available
`00:0C:29`	VMware Workstation/Fusion	Auto-generated for desktop VMs
`00:15:5D`	Microsoft Hyper-V	All Hyper-V VM interfaces
`52:54:00`	QEMU/KVM (libvirt)	Default for libvirt-managed VMs
`08:00:27`	VirtualBox	Oracle VM VirtualBox
`00:16:3E`	Xen	Xen hypervisor VMs
`02:42:XX`	Docker	LAA range; XX varies per container

IoT and Embedded Device OUIs:

Common IoT Vendor OUIs
OUI(s)	Vendor	Products
`DC:A6:32`, `B8:27:EB`	Raspberry Pi	Pi boards and compute modules
`24:A1:60`, `B4:E6:2D`	Espressif	ESP8266, ESP32 WiFi modules
`50:C7:BF`, `18:B4:30`	Ring (Amazon)	Doorbells, cameras
`00:17:88`	Philips Hue/Signify	Smart lighting
`44:67:55`, `2C:F4:32`	Amazon Technologies	Echo, Fire TV
`64:16:66`	Nest Labs	Thermostats, cameras

Learn the Big Players

Memorizing the OUIs for Cisco (00:00:0C), VMware (00:50:56), Hyper-V (00:15:5D), Apple (multiple), and Intel (multiple) will speed up your network analysis significantly. When you see these prefixes, you immediately have context about the device type.

OUI in Network Security

OUI analysis is a valuable tool in network security, providing device identification that aids in threat detection, access control, and forensic analysis. However, it's important to understand both the capabilities and limitations.

Security applications of OUI analysis:

OUI-Based Security Techniques

•Device profiling: Identify device types on the network. Unexpected IoT devices (Espressif, Amazon) on a corporate network may indicate shadow IT
•Network Access Control (NAC): Deny or quarantine devices from unrecognized vendors. Consumer routers (TP-Link, D-Link) on an enterprise network might indicate unauthorized equipment
•Threat detection: A sudden appearance of many new MAC addresses from unusual OUIs could indicate an attack or rogue devices
•Forensic analysis: In incident response, OUI helps identify the physical device involved—matching to inventory or helping track down compromised endpoints
•Policy enforcement: Restrict certain vendor devices from specific VLANs (e.g., only Cisco APs allowed on wireless infrastructure VLAN)

OUI-based access control example:

A Cisco switch can be configured to restrict port access based on OUI:

! Allow only specific vendor OUIs on a port
mac access-list extended ALLOWED-VENDORS
 permit host 0050.5600.0000 0000.00ff.ffff  ! VMware
 permit host 0015.5d00.0000 0000.00ff.ffff  ! Hyper-V
 deny any
!
interface GigabitEthernet0/1
 mac access-group ALLOWED-VENDORS in

NAC vendor profiling:

Network Access Control systems use OUI as one factor in device profiling:

Device connects to network
NAC observes MAC address, extracts OUI
OUI maps to vendor (Apple, Dell, Unknown)
Combined with other factors (DHCP fingerprint, HTTP user-agent, certificates)
Device is classified and assigned appropriate access level

OUI Spoofing: A Critical Limitation

MAC addresses (including OUI) can be easily spoofed. An attacker can configure their device to use any MAC prefix, mimicking a trusted vendor. OUI-based security should never be the sole access control mechanism—always combine with stronger authentication (802.1X, certificates, credentials).

Detecting OUI anomalies:

Anomaly	Possible Indication	Response
Unknown OUI	New vendor, LAA, or spoofed MAC	Investigate device
LAA on unexpected port	VM, container, or spoofed device	Check if authorized
Consumer OUI on infrastructure port	Rogue device	Quarantine and investigate
Sudden OUI diversity spike	New devices or attack	Analyze traffic patterns
OUI mismatch with device behavior	Spoofing attempt	Deep inspection, potential block

Detection script example:

# Alert on unexpected OUIs
ALLOWED_OUIS = {'00:50:56', '00:15:5D', '00:1A:A1'}  # VMware, Hyper-V, Cisco

def check_mac(mac_address):
    oui = ':'.join(mac_address.upper().split(':')[:3])
    if oui not in ALLOWED_OUIS:
        alert(f"Unexpected OUI detected: {oui} from {mac_address}")

OUI for Network Inventory and Troubleshooting

OUI analysis is invaluable for building and maintaining network inventories, understanding network composition, and accelerating troubleshooting.

Building network inventory with OUI:

The process of inventorying devices by OUI:

Collect MAC addresses from switches (show mac address-table), ARP caches, DHCP lease tables
Enrich with OUI lookup to add vendor information
Correlate with other sources (hostname, IP, DHCP options, certificates)
Classify devices by type based on vendor and behavior
Maintain in CMDB or asset management system

inventory_script
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
#!/usr/bin/env python3
"""
Network Inventory Script with OUI Enrichment
Collects MACs from switch and enriches with vendor data.
"""
import csv
import subprocess
from collections import defaultdict
 
# Load OUI database (simplified - use local file for production)
OUI_DB = {}
with open('/usr/local/share/oui.txt', 'r') as f:
    for line in f:
        if '(hex)' in line:
            parts = line.split('(hex)')
            oui = parts[0].strip().replace('-', ':').upper()
            vendor = parts[1].strip()
            OUI_DB[oui] = vendor
 
def lookup_oui(mac):
    """Lookup vendor from MAC address OUI."""
    oui = ':'.join(mac.upper().split(':')[:3])
    return OUI_DB.get(oui, 'Unknown Vendor')
 
def get_switch_macs():
    """Get MACs from switch (example using SSH/expect or Netmiko)."""
    # Placeholder - replace with actual switch query
    return [
        {'mac': '3C:22:FB:11:22:33', 'vlan': 10, 'port': 'Gi0/1'},
        {'mac': '00:50:56:AA:BB:CC', 'vlan': 20, 'port': 'Gi0/2'},
        {'mac': '00:15:5D:12:34:56', 'vlan': 20, 'port': 'Gi0/3'},
    ]
 
def build_inventory():
    """Build enriched inventory."""
    macs = get_switch_macs()
    inventory = []
    vendor_count = defaultdict(int)
    
    for entry in macs:
        vendor = lookup_oui(entry['mac'])
        vendor_count[vendor] += 1
        inventory.append({
            'MAC': entry['mac'],
            'Vendor': vendor,
            'VLAN': entry['vlan'],
            'Port': entry['port']
        })
    
    # Output inventory
    print("\n=== Network Inventory Report ===\n")
    for item in inventory:
        print(f"{item['MAC']} | {item['Vendor']:30} | VLAN {item['VLAN']} | {item['Port']}")
    
    print("\n=== Vendor Summary ===")
    for vendor, count in sorted(vendor_count.items(), key=lambda x: -x[1]):
        print(f"  {count:4d} devices: {vendor}")
 
if __name__ == '__main__':
    build_inventory()

Troubleshooting with OUI knowledge:

Scenario	OUI Insight
Strange device on network	OUI reveals it's a Raspberry Pi → likely lab device or IoT project
Connectivity issues	OUI shows Realtek NIC → known driver issues with certain chipsets
Slow VM performance	OUI shows emulated NIC (00:50:56) → check virtio vs. E1000
Duplicate IP alert	OUI shows one is VMware, one is VirtualBox → VM environment overlap
Unauthorized AP	OUI shows TP-Link → unauthorized consumer equipment

Network composition analysis:

Aggregating OUI data reveals network composition:

Vendor Distribution - Production VLAN:
  HPE ProLiant (NICs):     45%
  Dell Inc.:               30%  
  VMware:                  15%
  Intel (controllers):     10%

Vendor Distribution - Guest WiFi:
  Apple:                   40%
  Samsung:                 25%
  Google (Android):        20%
  Unknown/Other:           15%

This information helps with capacity planning, security posture assessment, and understanding the device ecosystem.

Automated Inventory Enrichment

Tools like Lansweeper, PRTG, and open-source solutions like NetBox can automatically enrich discovered devices with OUI vendorinformation. This saves manual lookup time and keeps inventory current.

Summary: OUI Essentials

This page has provided a comprehensive examination of the OUI system—the vendor identifier embedded in every MAC address. Let's consolidate the key points:

Key Takeaways

•OUI is the first 24 bits (3 bytes) of a MAC address, identifying the manufacturer or organization
•IEEE maintains the authoritative OUI database at standards-oui.ieee.org, updated regularly and publicly accessible
•Multiple lookup methods exist: web tools, command-line utilities (arp-scan, nmap), programmatic APIs, and integrated network tools
•Learn common OUIs: Cisco (00:00:0C), VMware (00:50:56), Hyper-V (00:15:5D), Apple, Intel for faster analysis
•Security applications include device profiling, NAC policies, anomaly detection, and forensic analysis—but beware that MAC/OUI can be spoofed
•Network inventory benefits from automated OUI enrichment to understand device composition and accelerate troubleshooting
•Locally administered addresses (U/L bit = 1) don't have valid OUIs for lookup—they indicate VMs, containers, or administrative overrides

Looking ahead:

With OUI understanding complete, the next page examines Address Resolution—specifically, how the Address Resolution Protocol (ARP) bridges the gap between Layer 3 IP addresses and Layer 2 MAC addresses, enabling actual frame delivery on Ethernet networks.

Page Complete

You now understand the OUI system that identifies vendors within MAC addresses—from the IEEE registration structure through practical lookup methods, notable assignments worth memorizing, and applications in security and network inventory management.