ZeroTrace OSINT
MAC Vendor Lookup
OUI / vendor identification, IEEE block size, and locally-administered / multicast bit decoding.
A MAC address has a vendor encoded in its first three bytes — the Organisationally Unique Identifier, or OUI. This tool maps any MAC back to its registered vendor, plus a few extra bits that the IEEE registration encodes.
What you get
For any MAC address (any common format — colon, dash, or dot separated):
| Field | What it tells you |
|---|---|
| OUI prefix | The first three bytes (00:1A:2B) |
| Vendor name | The organisation registered with the IEEE for that OUI |
| Vendor address | Country and address registered with the IEEE |
| Block type | MA-L (large, 24-bit OUI), MA-M (medium, 28-bit), MA-S (small, 36-bit) — tells you how many addresses the vendor's block contains |
| Locally administered bit | Set when the MAC is not manufacturer-assigned (common for VMs, containers, randomised Wi-Fi MACs) |
| Multicast bit | Set when the MAC is a group / broadcast address rather than a unicast address |
When to use it
- Identifying device vendors from packet captures. A pcap full of MAC addresses tells you what kinds of devices were on the network. A pile of Apple OUIs suggests a meeting full of MacBooks; a pile of Hangzhou Hikvision OUIs suggests a building full of cameras.
- Spotting rogue devices. A device with a vendor that does not match the rest of your fleet is a candidate for further investigation.
- Distinguishing real from randomised. Modern Wi-Fi devices use MAC randomisation by default. The locally-administered bit is the most reliable signal that a MAC is randomised rather than burned-in.
- Triage of network logs. Is the MAC in your DHCP log a real device or a virtual interface?
The locally administered bit
Most MAC addresses are globally unique, assigned by the IEEE to the manufacturer. The second-least-significant bit of the first byte distinguishes:
- Universal (bit clear) — manufacturer-assigned, looks up in the OUI database.
- Locally administered (bit set) — assigned by software, will not look up against the OUI database. Typical sources: VM virtual NICs, container interfaces, smartphone Wi-Fi randomisation.
The tool surfaces this with a clear "locally administered" or "universal" chip on the result.
A MAC that does not resolve to any vendor is almost always locally administered, not "vendor unknown." The lookup-failure case is interesting in its own right.
The multicast bit
The least-significant bit of the first byte distinguishes:
- Unicast (bit clear) — addresses a single device. The normal case.
- Multicast (bit set) — addresses a group of devices. Includes the broadcast address (
ff:ff:ff:ff:ff:ff).
Useful for filtering noise out of pcap analysis.
Bulk MAC lookup
Bulk paste accepts a list of MAC addresses and returns vendor / block-type / bits for each in an aggregate table. Drop a pcap's MAC column in and get a vendor distribution.
Offline mode
The tool ships with a snapshot of the IEEE OUI registry, so it works fully offline. The snapshot is updated with each application release; for the freshest data, use the latest application version.
Pivots
MAC addresses do not pivot to other network tools — they are a separate identifier space from IPs and domains. The vendor name does not pivot either; it is descriptive context.
Sources
- The IEEE OUI registry (bundled snapshot).
- The Wireshark vendor database (bundled fallback for sub-allocated blocks the IEEE registry does not name).
Both sources are local to the application — no network calls are required for this tool.