#CS#Network#Hardware
MAC Address: Physical ID Card
IP addresses change like home addresses. MAC addresses are like DNA or Fingerprints. Burned into hardware.
May 5, 2025
Codemapo
IP addresses change like home addresses. MAC addresses are like DNA or Fingerprints. Burned into hardware.
Why does my server crash? OS's desperate struggle to manage limited memory. War against Fragmentation.
Two ways to escape a maze. Spread out wide (BFS) or dig deep (DFS)? Who finds the shortest path?
Fast by name. Partitioning around a Pivot. Why is it the standard library choice despite O(N²) worst case?
Establishing TCP connection is expensive. Reuse it for multiple requests.
When I first started learning about networks, the most confusing thing was: "Why are there two addresses?" There's an IP address, and then there's something called a MAC address. Both are addresses, but what's the difference?
I understood it like this: IP address is your home address, MAC address is your social security number. When you move, your home address changes. But your social security number stays the same for life. Network devices work the same way. Change networks, your IP changes. But the MAC address? That's burned in at the factory and stays forever.
Why it's needed, how it works, and why it sometimes causes problems. I'll walk through this, including a real network outage I debugged.
MAC (Media Access Control) Address is a 48-bit physical address assigned to a Network Interface Card (NIC). When a factory manufactures a network card or WiFi chip, they stamp each device with a unique number. In theory, no two MAC addresses in the world are the same.
The format looks like this:
00:1A:2B:3C:4D:5E
Six pairs of hexadecimal digits separated by colons (octets). 48 bits total. Sometimes you'll see dashes instead: 00-1A-2B-3C-4D-5E.
These 12 digits split into two parts:
00:1A:2B belongs to a specific company.Combined: OUI + UAA = globally unique identifier.
I think of it as a 'digital fingerprint'. Like human fingerprints, it's determined at birth (factory production) and can't be changed. Sure, you can fake it in software, but the number burned into the hardware never changes.
At first I thought, "We communicate with IP addresses, why do we need MAC addresses?" Like asking, "When sending a package, we just need the home address, why would we need a social security number?"
But studying the network layers, it clicked. IP addresses are Layer 3 (Network Layer), MAC addresses are Layer 2 (Data Link Layer). Different roles.
| Aspect | IP Address | MAC Address |
|---|---|---|
| Layer | Layer 3 (Network) | Layer 2 (Data Link) |
| Purpose | Inter-network routing | Intra-network delivery |
| Scope | Global internet | Local network (LAN) |
| Changeability | Changes with network | Fixed to hardware |
| Example | 192.168.0.10 | AA:BB:CC:DD:EE:FF |
Think of it like sending mail internationally:
Routers look at IP addresses to deliver packets to the destination network. But within the same network, switches look at MAC addresses to deliver to the exact device.
Now the question arises: "I want to send data to 192.168.0.5, but how do I know that device's MAC address?"
Enter ARP (Address Resolution Protocol). I think of it as a 'neighborhood broadcast'.
"Everyone on this network! Who has IP 192.168.0.5? Tell me your MAC address!"
Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)
"That's me! My MAC address is AA:BB:CC:DD:EE:FF."
I can actually check the ARP table on my MacBook:
arp -a
Output:
? (192.168.0.1) at 00:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.0.5) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]
This table caches "IP → MAC" mappings. Broadcasting every time would congest the network, so once you learn the mapping, you store it temporarily.
On Windows:
arp -a
On Linux:
ip neigh show
That's the aha moment. IP is the destination address, MAC is the actual delivery address. The mail carrier finds "Seoul, Gangnam-gu" (IP), but the building manager looks for "Room 302, Kim Cheolsoo" (MAC).
Switches distribute traffic within a network. Unlike hubs, switches maintain a MAC address table.
When a switch receives a packet:
This reduces unnecessary traffic. Hubs send data to all ports, but switches send to the exact port.
MAC address table entries expire after some time (usually 5 minutes). Devices might have left the network.
I once experienced something weird at work. We couldn't connect to a specific server (192.168.1.100). Ping failed. But the server was alive.
Tracking down the issue, I checked the ARP table:
arp -a | grep 192.168.1.100
Output:
192.168.1.100 at 00:00:00:00:00:00 on en0
The MAC address was 00:00:00:00:00:00. That's an invalid value. The ARP cache was corrupted.
Solution:
# macOS/Linux
sudo arp -d 192.168.1.100
# Windows
arp -d 192.168.1.100
Delete the ARP entry, retry communication, and a fresh ARP Request goes out. Got the correct MAC address back. Problem solved.
Since then, whenever there's a network issue, I check the ARP table first. Layer 2 problems are often overlooked.
Ways to check your device's MAC address:
ifconfig en0 | grep ether
Output:
ether a4:83:e7:12:34:56
Or:
networksetup -getmacaddress en0
ip link show
Look for the link/ether line:
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
Or:
cat /sys/class/net/eth0/address
ipconfig /all
The "Physical Address" field is your MAC address.
Or:
getmac /v
FF:FF:FF:FF:FF:FF is a special MAC address. Broadcast address. Used when sending to all devices on the same network.
ARP Request is a prime example. When asking "Who has IP 192.168.0.5?", you don't know who, so you ask everyone. Set destination MAC to FF:FF:FF:FF:FF:FF.
Another special address is 00:00:00:00:00:00. Means "no address". Usually appears when a device is booting or not configured.
MAC addresses are burned into hardware, but you can change them in software. Called MAC Spoofing.
# Check current MAC
ifconfig en0 | grep ether
# Interface down
sudo ifconfig en0 down
# Change MAC address
sudo ifconfig en0 ether 00:11:22:33:44:55
# Interface up
sudo ifconfig en0 up
sudo ip link set dev eth0 down
sudo ip link set dev eth0 address 00:11:22:33:44:55
sudo ip link set dev eth0 up
Possible via registry or device manager, but some drivers don't support it.
Why would you need this? A few legitimate use cases:
But it's also used maliciously:
Switch MAC address tables have limited size. If an attacker generates massive fake MAC addresses, filling the table, the switch falls back to hub mode—broadcasting to all ports.
This lets the attacker sniff all network traffic.
Defense methods:
I've never seen this attack in the wild, but learned that enabling port security on switches is a good practice.
Some routers offer MAC filtering. Whitelist approach—only specific MAC addresses can access the network.
Configuration example:
Allowed MAC addresses:
- AA:BB:CC:DD:EE:01
- AA:BB:CC:DD:EE:02
- AA:BB:CC:DD:EE:03
Is it effective security? Honestly, marginally. MAC spoofing is easy. An attacker can sniff allowed MAC addresses, then change their device's MAC to match.
Real security comes from WPA3 encryption + strong passwords.
But MAC filtering still has uses:
Modern smartphones use MAC address randomization for privacy protection.
The problem: Public WiFi tracks users by MAC address. Every time you visit a coffee shop, they know "this person came again". Tracking the same MAC across multiple locations reveals movement patterns.
The solution: iOS 14+, Android 10+ use different random MAC addresses for each WiFi network. Starbucks sees AA:BB:..., McDonald's sees CC:DD:....
iPhone settings:
Settings > Wi-Fi > (specific network) > Private Wi-Fi Address
When enabled, it uses a random MAC address for that network.
Downside: Problems with networks using MAC filtering. If your company WiFi uses a MAC whitelist, you need to disable randomization.
IPv6 has an interesting feature: auto-generating IPv6 addresses using MAC addresses. The EUI-64 method.
If your MAC address is AA:BB:CC:DD:EE:FF:
FF:FE in the middle: AA:BB:CC:FF:FE:DD:EE:FFA8:BB:CC:FF:FE:DD:EE:FFThis becomes the lower 64 bits of your IPv6 address:
2001:0db8:85a3:0000:a8bb:ccff:fedd:eeff
Advantage: Generate unique IP addresses without DHCP (SLAAC, Stateless Address Autoconfiguration).
Disadvantage: Privacy issue. Just by looking at the IPv6 address, you can reverse-engineer the MAC address. Know what device someone's using, which manufacturer.
That's why modern systems use Privacy Extensions (RFC 4941). Generate random lower 64 bits and change them periodically.
# Check IPv6 addresses on macOS
ifconfig en0 | grep inet6
Output:
inet6 fe80::1234:5678:9abc:def0%en0 prefixlen 64 secured scopeid 0x4
inet6 2001:db8::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
inet6 2001:db8::1234:5678:9abc:def0 prefixlen 64 autoconf temporary
The address marked temporary is the temporary address generated by privacy extensions.
Example of handling MAC addresses in actual programming:
import uuid
import subprocess
import re
def get_mac_address():
"""Get current device's MAC address"""
mac = uuid.getnode()
mac_str = ':'.join(('%012X' % mac)[i:i+2] for i in range(0, 12, 2))
return mac_str
def get_arp_table():
"""Parse ARP table"""
result = subprocess.run(['arp', '-a'], capture_output=True, text=True)
arp_entries = []
# Parse with regex
pattern = r'\(([0-9.]+)\) at ([0-9a-f:]+)'
for line in result.stdout.split('\n'):
match = re.search(pattern, line)
if match:
ip = match.group(1)
mac = match.group(2)
arp_entries.append({'ip': ip, 'mac': mac})
return arp_entries
def find_mac_by_ip(ip_address):
"""Find MAC address for specific IP"""
arp_table = get_arp_table()
for entry in arp_table:
if entry['ip'] == ip_address:
return entry['mac']
return None
# Usage
print(f"My MAC address: {get_mac_address()}")
print(f"\nARP Table:")
for entry in get_arp_table():
print(f"{entry['ip']:15} -> {entry['mac']}")
target_ip = '192.168.0.1'
target_mac = find_mac_by_ip(target_ip)
if target_mac:
print(f"\n{target_ip} MAC address: {target_mac}")
else:
print(f"\nCouldn't find MAC address for {target_ip}")
This code:
uuid.getnode() to get the current device's MAC address as a decimal number.arp -a command output to extract IP-MAC mappings.MAC addresses live at the bottom of the network stack. Not as visible as IP addresses. But actual data transmission ultimately happens via MAC addresses.
At first I was confused: "Why two addresses?" Now I get it. Separation of layers. IP finds the destination in the big picture, MAC finds the exact device in the local network. Like the postal system's hierarchy: country-city-street-building-apartment.
By looking at ARP tables directly, changing MAC addresses, and debugging network outages, I viscerally learned that MAC addresses are more than just numbers. Security issues (MAC spoofing, MAC flooding), privacy concerns (MAC tracking, randomization), and integration with IPv6 (EUI-64). Small topic, deep implications.
When network problems happen, don't just look at Layer 3 (IP)—check Layer 2 (MAC) too. arp -a, ip neigh, and the switch's MAC table. Often the answer lives at a lower layer.