1. Library
  2. Computer Networks
  3. Routing and Networks
  4. Local Networks

What Are MAC Addresses?

Updated 8 hours ago

Every packet that reaches your network faces a final challenge: finding the actual machine it's destined for. IP addresses got it this far—to the right network, the right building. But now it needs to reach a specific port on a specific switch connected to a specific device. That's what MAC addresses do. They're the last mile of delivery.

IP addresses are like street addresses—they tell you where to deliver. MAC addresses are like the recipient's face—they're how you know you've found the right person when you get there.

The Format

MAC addresses are 48-bit numbers, typically written as six pairs of hexadecimal digits:

00:1A:2B:3C:4D:5E

Sometimes you'll see hyphens (00-1A-2B-3C-4D-5E) or no separators at all. The format varies, but the meaning is the same: a unique identifier for a piece of network hardware.

The 48 bits provide roughly 281 trillion possible addresses. That seemed infinite when Ethernet was invented in the 1970s. It's still adequate today, though the IEEE has defined 64-bit addresses (EUI-64) for future use.

The Structure Tells a Story

A MAC address isn't random. It's structured:

First three octets (24 bits): The OUI (Organizationally Unique Identifier), assigned by the IEEE to manufacturers. Intel has its OUIs. Apple has different ones. You can look up any MAC address prefix and discover who made the hardware.

Last three octets (24 bits): Assigned by the manufacturer to individual devices. Each network interface that rolls off their production line gets a unique combination.

So when you see 00:1A:2B:3C:4D:5E, the first half tells you the manufacturer, the second half identifies the specific device. It's like a serial number with the company name built in.

"Burned In" (Sort Of)

MAC addresses are called "burned-in addresses" because they're written into the network interface hardware at the factory. The term suggests permanence—this address will follow this hardware forever.

Except it won't, necessarily. Most operating systems let you change the MAC address your interface presents to the network. It's called "spoofing," and it takes about thirty seconds. The original burned-in address still exists in the hardware, but the network sees whatever you tell it to see.

This matters for understanding what MAC addresses actually provide: identity, not security. They identify hardware, but they don't authenticate it.

How They Work in Practice

MAC addresses operate at Layer 2—the Data Link layer. They enable communication between devices on the same local network:

  1. Your computer wants to send data to another device on the local network
  2. It constructs an Ethernet frame with the destination MAC address, source MAC address, and the actual data
  3. The switch receives the frame, checks its MAC address table, and forwards the frame only to the port where that destination MAC address lives
  4. The destination device receives the frame and processes it

Switches learn MAC addresses by watching traffic. When a frame arrives on port 5 with source MAC AA:BB:CC:DD:EE:FF, the switch remembers: "that MAC address is reachable through port 5." Over time, it builds a complete map.

Here's the crucial limitation: MAC addresses only matter locally. When your packet travels across the Internet, through router after router, the MAC addresses change at every hop. Each router strips off the old Ethernet frame and wraps the packet in a new one with new MAC addresses—its own source MAC and the next hop's destination MAC. The IP addresses stay constant end-to-end. The MAC addresses are local to each network segment.

Unicast, Multicast, Broadcast

Unicast addresses identify individual devices. Most MAC addresses you'll encounter are unicast—one sender, one recipient.

Multicast addresses represent groups. Traffic sent to a multicast MAC reaches all devices that have joined that group. The first bit of the first octet is set to 1, signaling "this is multicast."

Broadcast is the special address FF:FF:FF:FF:FF:FF—all bits set to 1. Traffic sent here reaches every device on the local network. It's the network equivalent of shouting into a room.

ARP: The Bridge Between Worlds

Your application knows IP addresses. Your network hardware knows MAC addresses. Something has to translate between them. That something is ARP—Address Resolution Protocol.

When your computer needs to reach 192.168.1.50 on the local network but doesn't know its MAC address, it broadcasts an ARP request: "Who has 192.168.1.50?"

The device with that IP responds: "I do, and my MAC address is AA:BB:CC:DD:EE:FF."

Your computer caches this mapping and can now construct frames with the correct destination MAC. For traffic destined for the broader Internet, your computer uses ARP to find the gateway's MAC address—then sends all outbound frames there, trusting the gateway to route them onward.

Privacy and Security

MAC addresses create both privacy concerns and security illusions.

The privacy problem: Your MAC address is unique and doesn't change (normally). When your phone's Wi-Fi is on, it broadcasts probe requests looking for known networks—and those probes contain your MAC address. Retailers, airports, and others can track these to follow your movements. Modern devices now use MAC randomization, sending fake random addresses in probes to prevent tracking.

The security illusion: MAC filtering sounds secure—only allow connections from approved MAC addresses. But since MAC addresses can be spoofed in seconds, this stops casual intruders at best. It's a speed bump, not a wall.

ARP attacks: Since ARP has no authentication, attackers can send false ARP replies claiming to be the gateway. Victims send their traffic to the attacker's MAC address instead of the real gateway. This is ARP spoofing, and it's why secure networks use additional protections.

Wireless Wrinkles

Wireless networks add terminology:

BSSID (Basic Service Set Identifier) is the MAC address of an access point. It's how your device distinguishes between different APs, even if they broadcast the same network name.

SSID is the human-readable network name ("CoffeeShop_WiFi"). The BSSID is the underlying hardware identity.

Modern phones randomize their MAC addresses even when connected to wireless networks, not just when scanning. Your device presents a different MAC to different networks, making it harder to correlate your presence across locations.

Virtual MACs

Not every MAC address corresponds to physical hardware:

Virtual machines need MAC addresses for their virtual network interfaces. Hypervisors assign these from a special range designated for "locally administered" addresses.

Bonded interfaces—multiple physical NICs acting as one—present a single virtual MAC to the network.

Containers, virtual routers, and software-defined networking all create MAC addresses that exist only in software. The abstraction holds: every interface that participates in Ethernet needs a MAC address, physical or not.

Finding MAC Addresses

Windows: ipconfig /all — look for "Physical Address"

macOS/Linux: ifconfig or ip link — look for "ether" or "link/ether"

Switches: Commands vary by vendor. Cisco uses show mac address-table. The output maps MAC addresses to physical ports.

ARP table: arp -a shows what MAC addresses your system has learned for local IP addresses.

Frequently Asked Questions About MAC Addresses

Was this page helpful?

😔
🤨
😃