MAC Address: Physical ID Card

Prologue: Two Addresses, One Confusion

When I first started learning about networks, the most confusing thing was: "Why are there two addresses?" There's an IP address, and then there's something called a MAC address. Both are addresses, but what's the difference?

I understood it like this: IP address is your home address, MAC address is your social security number. When you move, your home address changes. But your social security number stays the same for life. Network devices work the same way. Change networks, your IP changes. But the MAC address? That's burned in at the factory and stays forever.

Why it's needed, how it works, and why it sometimes causes problems. I'll walk through this, including a real network outage I debugged.

The Concept That Clicked: MAC is Hardware ID

MAC (Media Access Control) Address is a 48-bit physical address assigned to a Network Interface Card (NIC). When a factory manufactures a network card or WiFi chip, they stamp each device with a unique number. In theory, no two MAC addresses in the world are the same.

The format looks like this:

00:1A:2B:3C:4D:5E

Six pairs of hexadecimal digits separated by colons (octets). 48 bits total. Sometimes you'll see dashes instead: 00-1A-2B-3C-4D-5E.

These 12 digits split into two parts:

• First 6 digits (OUI, Organizationally Unique Identifier): Manufacturer code. Assigned by IEEE to each manufacturer. For example, 00:1A:2B belongs to a specific company.
• Last 6 digits (UAA, Universally Administered Address): Serial number assigned by the manufacturer. Unique within that manufacturer.

Combined: OUI + UAA = globally unique identifier.

I think of it as a 'digital fingerprint'. Like human fingerprints, it's determined at birth (factory production) and can't be changed. Sure, you can fake it in software, but the number burned into the hardware never changes.

MAC vs IP: When The Layer Difference Hit Me

At first I thought, "We communicate with IP addresses, why do we need MAC addresses?" Like asking, "When sending a package, we just need the home address, why would we need a social security number?"

But studying the network layers, it clicked. IP addresses are Layer 3 (Network Layer), MAC addresses are Layer 2 (Data Link Layer). Different roles.

Aspect	IP Address	MAC Address
Layer	Layer 3 (Network)	Layer 2 (Data Link)
Purpose	Inter-network routing	Intra-network delivery
Scope	Global internet	Local network (LAN)
Changeability	Changes with network	Fixed to hardware
Example	192.168.0.10	AA:BB:CC:DD:EE:FF

Think of it like sending mail internationally:

• IP address: "South Korea, Seoul, Gangnam-gu, Teheran-ro 123". Mail carriers use this to find the country and city.
• MAC address: "Floor 3, Room 302, Kim Cheolsoo". Building staff use this to find the exact person.

Routers look at IP addresses to deliver packets to the destination network. But within the same network, switches look at MAC addresses to deliver to the exact device.

ARP: The Magic That Maps IP to MAC

Now the question arises: "I want to send data to 192.168.0.5, but how do I know that device's MAC address?"

Enter ARP (Address Resolution Protocol). I think of it as a 'neighborhood broadcast'.

How ARP Works

1. My computer (192.168.0.10) wants to talk to 192.168.0.5.
2. Check the ARP table: "Do I know this IP's MAC address?"
3. If not, broadcast an ARP Request:

   "Everyone on this network! Who has IP 192.168.0.5? Tell me your MAC address!"
   Destination MAC: FF:FF:FF:FF:FF:FF (broadcast)
   

4. The device with that IP responds with an ARP Reply:

   "That's me! My MAC address is AA:BB:CC:DD:EE:FF."
   

5. My computer saves this info in the ARP table.
6. Now when sending data, it goes directly to that MAC address.

I can actually check the ARP table on my MacBook:

arp -a

Output:

? (192.168.0.1) at 00:11:22:33:44:55 on en0 ifscope [ethernet]
? (192.168.0.5) at aa:bb:cc:dd:ee:ff on en0 ifscope [ethernet]
? (192.168.0.255) at ff:ff:ff:ff:ff:ff on en0 ifscope [ethernet]

This table caches "IP → MAC" mappings. Broadcasting every time would congest the network, so once you learn the mapping, you store it temporarily.

On Windows:

arp -a

On Linux:

ip neigh show

That's the aha moment. IP is the destination address, MAC is the actual delivery address. The mail carrier finds "Seoul, Gangnam-gu" (IP), but the building manager looks for "Room 302, Kim Cheolsoo" (MAC).

Switches and MAC Address Tables

Switches distribute traffic within a network. Unlike hubs, switches maintain a MAC address table.

When a switch receives a packet:

1. It looks at the source MAC address: "This MAC is connected to port 3," and records it in the table.
2. It looks at the destination MAC address and checks the table.
3. If that MAC is on port 5, it only sends the packet to port 5.

This reduces unnecessary traffic. Hubs send data to all ports, but switches send to the exact port.

MAC address table entries expire after some time (usually 5 minutes). Devices might have left the network.

A Network Outage I Debugged: ARP Cache Corruption

I once experienced something weird at work. We couldn't connect to a specific server (192.168.1.100). Ping failed. But the server was alive.

Tracking down the issue, I checked the ARP table:

arp -a | grep 192.168.1.100

Output:

192.168.1.100 at 00:00:00:00:00:00 on en0

The MAC address was 00:00:00:00:00:00. That's an invalid value. The ARP cache was corrupted.

Solution:

# macOS/Linux
sudo arp -d 192.168.1.100

# Windows
arp -d 192.168.1.100

Delete the ARP entry, retry communication, and a fresh ARP Request goes out. Got the correct MAC address back. Problem solved.

Since then, whenever there's a network issue, I check the ARP table first. Layer 2 problems are often overlooked.

How To Find Your MAC Address

Ways to check your device's MAC address:

macOS:

ifconfig en0 | grep ether

Output:

ether a4:83:e7:12:34:56

Or:

networksetup -getmacaddress en0

Linux:

ip link show

Look for the link/ether line:

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 1000
    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff

Or:

cat /sys/class/net/eth0/address

Windows:

ipconfig /all

The "Physical Address" field is your MAC address.

Or:

getmac /v

Broadcast MAC Address

FF:FF:FF:FF:FF:FF is a special MAC address. Broadcast address. Used when sending to all devices on the same network.

ARP Request is a prime example. When asking "Who has IP 192.168.0.5?", you don't know who, so you ask everyone. Set destination MAC to FF:FF:FF:FF:FF:FF.

Another special address is 00:00:00:00:00:00. Means "no address". Usually appears when a device is booting or not configured.

MAC Spoofing: Address Forgery

MAC addresses are burned into hardware, but you can change them in software. Called MAC Spoofing.

Changing MAC address on macOS:

# Check current MAC
ifconfig en0 | grep ether

# Interface down
sudo ifconfig en0 down

# Change MAC address
sudo ifconfig en0 ether 00:11:22:33:44:55

# Interface up
sudo ifconfig en0 up

Linux:

sudo ip link set dev eth0 down
sudo ip link set dev eth0 address 00:11:22:33:44:55
sudo ip link set dev eth0 up

Windows:

Possible via registry or device manager, but some drivers don't support it.

Why would you need this? A few legitimate use cases:

1. Testing: Testing systems that only allow specific MAC addresses
2. Privacy: Avoiding tracking on public WiFi
3. Network troubleshooting: Changing conflicting MAC addresses

But it's also used maliciously:

• Bypassing MAC filtering: Impersonating an allowed MAC address
• Man-in-the-Middle attacks: Impersonating another device to intercept traffic

MAC Flooding Attack

Switch MAC address tables have limited size. If an attacker generates massive fake MAC addresses, filling the table, the switch falls back to hub mode—broadcasting to all ports.

This lets the attacker sniff all network traffic.

Defense methods:

• Port Security: Limit MAC addresses per port
• DHCP Snooping: Block abnormal DHCP requests
• Dynamic ARP Inspection: Detect ARP spoofing

I've never seen this attack in the wild, but learned that enabling port security on switches is a good practice.

MAC Filtering in WiFi

Some routers offer MAC filtering. Whitelist approach—only specific MAC addresses can access the network.

Configuration example:

Allowed MAC addresses:
- AA:BB:CC:DD:EE:01
- AA:BB:CC:DD:EE:02
- AA:BB:CC:DD:EE:03

Is it effective security? Honestly, marginally. MAC spoofing is easy. An attacker can sniff allowed MAC addresses, then change their device's MAC to match.

Real security comes from WPA3 encryption + strong passwords.

But MAC filtering still has uses:

• Controlling kids' devices at home
• Managing IoT devices (only registered devices connect)
• Additional security layer (defense in depth)

MAC Address Randomization on Mobile Devices

Modern smartphones use MAC address randomization for privacy protection.

The problem: Public WiFi tracks users by MAC address. Every time you visit a coffee shop, they know "this person came again". Tracking the same MAC across multiple locations reveals movement patterns.

The solution: iOS 14+, Android 10+ use different random MAC addresses for each WiFi network. Starbucks sees AA:BB:..., McDonald's sees CC:DD:....

iPhone settings:

Settings > Wi-Fi > (specific network) > Private Wi-Fi Address

When enabled, it uses a random MAC address for that network.

Downside: Problems with networks using MAC filtering. If your company WiFi uses a MAC whitelist, you need to disable randomization.

IPv6 and EUI-64

IPv6 has an interesting feature: auto-generating IPv6 addresses using MAC addresses. The EUI-64 method.

If your MAC address is AA:BB:CC:DD:EE:FF:

1. Insert FF:FE in the middle: AA:BB:CC:FF:FE:DD:EE:FF
2. Flip the 7th bit (Universal/Local bit)
3. Result: A8:BB:CC:FF:FE:DD:EE:FF

This becomes the lower 64 bits of your IPv6 address:

2001:0db8:85a3:0000:a8bb:ccff:fedd:eeff

Advantage: Generate unique IP addresses without DHCP (SLAAC, Stateless Address Autoconfiguration).

Disadvantage: Privacy issue. Just by looking at the IPv6 address, you can reverse-engineer the MAC address. Know what device someone's using, which manufacturer.

That's why modern systems use Privacy Extensions (RFC 4941). Generate random lower 64 bits and change them periodically.

# Check IPv6 addresses on macOS
ifconfig en0 | grep inet6

Output:

inet6 fe80::1234:5678:9abc:def0%en0 prefixlen 64 secured scopeid 0x4
inet6 2001:db8::a8bb:ccff:fedd:eeff prefixlen 64 autoconf
inet6 2001:db8::1234:5678:9abc:def0 prefixlen 64 autoconf temporary

The address marked temporary is the temporary address generated by privacy extensions.

Code Example: Getting MAC Address with Python

Example of handling MAC addresses in actual programming:

import uuid
import subprocess
import re

def get_mac_address():
    """Get current device's MAC address"""
    mac = uuid.getnode()
    mac_str = ':'.join(('%012X' % mac)[i:i+2] for i in range(0, 12, 2))
    return mac_str

def get_arp_table():
    """Parse ARP table"""
    result = subprocess.run(['arp', '-a'], capture_output=True, text=True)
    arp_entries = []

    # Parse with regex
    pattern = r'\(([0-9.]+)\) at ([0-9a-f:]+)'

    for line in result.stdout.split('\n'):
        match = re.search(pattern, line)
        if match:
            ip = match.group(1)
            mac = match.group(2)
            arp_entries.append({'ip': ip, 'mac': mac})

    return arp_entries

def find_mac_by_ip(ip_address):
    """Find MAC address for specific IP"""
    arp_table = get_arp_table()
    for entry in arp_table:
        if entry['ip'] == ip_address:
            return entry['mac']
    return None

# Usage
print(f"My MAC address: {get_mac_address()}")
print(f"\nARP Table:")
for entry in get_arp_table():
    print(f"{entry['ip']:15} -> {entry['mac']}")

target_ip = '192.168.0.1'
target_mac = find_mac_by_ip(target_ip)
if target_mac:
    print(f"\n{target_ip} MAC address: {target_mac}")
else:
    print(f"\nCouldn't find MAC address for {target_ip}")

This code:

1. Uses uuid.getnode() to get the current device's MAC address as a decimal number.
2. Converts to hexadecimal and formats with colons.
3. Parses arp -a command output to extract IP-MAC mappings.

Wrapping Up: Small But Critical

MAC addresses live at the bottom of the network stack. Not as visible as IP addresses. But actual data transmission ultimately happens via MAC addresses.

At first I was confused: "Why two addresses?" Now I get it. Separation of layers. IP finds the destination in the big picture, MAC finds the exact device in the local network. Like the postal system's hierarchy: country-city-street-building-apartment.

By looking at ARP tables directly, changing MAC addresses, and debugging network outages, I viscerally learned that MAC addresses are more than just numbers. Security issues (MAC spoofing, MAC flooding), privacy concerns (MAC tracking, randomization), and integration with IPv6 (EUI-64). Small topic, deep implications.

When network problems happen, don't just look at Layer 3 (IP)—check Layer 2 (MAC) too. arp -a, ip neigh, and the switch's MAC table. Often the answer lives at a lower layer.