
MAC Addresses: Structure, ARP, Spoofing, and Security Implications

MAC addresses identify network interfaces at Layer 2 and play a central role in local network communication, ARP resolution, and a range of both legitimate security controls and attack techniques.

EP Cybertools Security Team · 2025-02-11 · 7

A MAC (Media Access Control) address is a 48-bit identifier assigned to a network interface for use in local network communication at OSI Layer 2. It is expressed as six hexadecimal octets separated by colons or hyphens, such as 00:1A:2B:3C:4D:5E. The MAC address is divided into two halves. The first three octets (24 bits) constitute the Organizationally Unique Identifier (OUI), which is assigned by the IEEE to the manufacturer of the network interface. The last three octets (24 bits) are the extension identifier, assigned by the manufacturer to uniquely identify each individual interface. This structure means the OUI can be used to identify the device manufacturer from a MAC address alone.

Two flag bits in the first octet carry important meaning. Bit 0 (the least significant bit of the first octet) is the Individual/Group bit: when set to 0, the address is a unicast address targeting a single interface; when set to 1, it is a multicast or broadcast address targeting a group. The all-ones MAC address FF:FF:FF:FF:FF:FF is the broadcast address, delivered to all devices on the local segment. Bit 1 of the first octet is the Universal/Local bit: when set to 0, the address is a globally administered (manufacturer-assigned) address; when set to 1, the address is locally administered, meaning it was assigned by software rather than the manufacturer. This bit is set to 1 in software-assigned and randomized MAC addresses.

  • First three octets: OUI (Organizationally Unique Identifier) assigned by IEEE to the manufacturer
  • Last three octets: NIC-specific extension assigned by the manufacturer to each interface
  • Bit 0 of first octet: 0 = unicast, 1 = multicast or broadcast address
  • Bit 1 of first octet: 0 = globally administered (manufacturer), 1 = locally administered (software)
  • Broadcast address: FF:FF:FF:FF:FF:FF — delivered to all devices on the local network segment
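As an added illustration of the address layout described above (example code written for this article, not a tool from EP Cybertools), the following Python decodes a MAC address written in any of the common notations, splits it into OUI and extension, and reads the two flag bits of the first octet. The sample addresses are the ones from the text plus 01:00:5E:00:00:FB (an IPv4 multicast MAC) and 02:11:22:33:44:55 (a constructed locally administered address).

```python
import re

# Separators accepted on input: colon (00:1A:..), hyphen (00-1A-..) and Cisco dotted (001a.2b3c.4d5e).
_SEPARATORS = re.compile(r"[:\-.]")


def parse_mac(mac: str) -> bytes:
    """Return the six raw octets of a MAC address written in any common notation."""
    hexdigits = _SEPARATORS.sub("", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def format_mac(octets: bytes) -> str:
    """Canonical upper-case, colon-separated form."""
    return ":".join(f"{b:02X}" for b in octets)


def describe_mac(mac: str) -> dict:
    """Split a MAC into OUI and extension and decode the two flag bits of the first octet."""
    octets = parse_mac(mac)
    first = octets[0]
    is_group = bool(first & 0x01)  # bit 0: Individual/Group (0 = unicast, 1 = multicast/broadcast)
    is_local = bool(first & 0x02)  # bit 1: Universal/Local (0 = manufacturer-assigned, 1 = software-assigned)
    return {
        "normalized": format_mac(octets),
        "oui": format_mac(octets[:3]),  # a registered OUI only for globally administered addresses
        "extension": format_mac(octets[3:]),
        "broadcast": octets == b"\xff" * 6,
        "kind": "multicast/broadcast" if is_group else "unicast",
        "administration": "locally administered" if is_local else "globally administered",
    }


if __name__ == "__main__":
    samples = ("00:1A:2B:3C:4D:5E", "001a.2b3c.4d5e", "FF:FF:FF:FF:FF:FF",
               "01:00:5E:00:00:FB", "02:11:22:33:44:55")
    for sample in samples:
        print(sample, describe_mac(sample))
```

Note that the "oui" field is only meaningful when the address is globally administered; for a locally administered address the first three octets are whatever the software chose, so a vendor lookup on them would be misleading.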

Address Resolution Protocol (ARP) is the mechanism that bridges IP addressing (Layer 3) to MAC addressing (Layer 2) within a local network segment. When a host needs to send an IP packet to another host on the same subnet, it needs to know the destination's MAC address to construct the Layer 2 Ethernet frame. If the destination's MAC address is not in the host's ARP cache, the host broadcasts an ARP request frame to all devices on the segment: "Who has IP address 192.168.1.1? Tell 192.168.1.10." Every device on the segment receives this broadcast, but only the host with the matching IP address sends a unicast ARP reply containing its MAC address.

The sending host stores this IP-to-MAC mapping in its ARP table (also called the ARP cache) for a short duration — typically a few minutes on most operating systems. Subsequent packets to the same IP address use the cached MAC address without another ARP broadcast. When a host receives any ARP packet containing an IP-to-MAC mapping (whether an ARP request or reply), it updates its ARP cache with that mapping, even if it did not request the information. This behavior, while efficient for normal operations, is the fundamental design characteristic that makes ARP spoofing attacks possible. View the ARP table on Linux with arp -n and on Windows with arp -a.

  • ARP request: broadcast to all devices — "Who has IP x.x.x.x? Tell IP y.y.y.y"
  • ARP reply: unicast from the target — "IP x.x.x.x is at MAC AA:BB:CC:DD:EE:FF"
  • ARP cache: stored IP-to-MAC mappings that expire after a few minutes
  • Unsolicited ARP updates: hosts accept ARP replies even without sending a request — enables spoofing
  • View ARP table: arp -n on Linux, arp -a on Windows, arp -a on macOS

ARP has no authentication mechanism — any host can send an ARP reply claiming to own any IP address, and other hosts will update their ARP caches with the provided mapping. ARP spoofing (also called ARP cache poisoning) exploits this lack of authentication to insert an attacker's MAC address into the ARP caches of target hosts. In a typical man-in-the-middle attack, the attacker sends gratuitous (unsolicited) ARP replies to both the victim host and the default gateway, claiming that the gateway's IP maps to the attacker's MAC and that the victim's IP also maps to the attacker's MAC. Both devices update their ARP caches, and subsequent traffic between them is sent to the attacker's MAC address instead of the legitimate destination.

The attacker, receiving traffic intended for both the victim and the gateway, can forward traffic between them while invisibly intercepting and reading or modifying the content — a classic man-in-the-middle position. In cleartext protocols, all transmitted data (credentials, session tokens, form submissions) is directly readable. In HTTPS connections, the attacker must perform additional attacks such as SSL stripping — downgrading HTTPS to HTTP to read cleartext — which is why HSTS preloading is an important defense against ARP-spoofing-based attacks. Tools including arpspoof (from the dsniff suite) and ettercap automate ARP spoofing and traffic interception on local networks.

  • ARP has no authentication — any host can send an ARP reply for any IP address
  • Gratuitous ARP: unsolicited ARP reply sent to inject a false IP-to-MAC mapping into target caches
  • Man-in-the-middle: attacker poisons both victim and gateway, intercepting all traffic between them
  • ARP spoofing enables: credential theft, session hijacking, SSL stripping, and traffic modification
  • Detection: monitor for duplicate IP addresses in ARP tables or use ARP monitoring tools like arpwatch
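The ARP exchange from the resolution section and the cache-poisoning pattern from this section, as one added example (written for this article; it is not code from EP Cybertools, arpwatch or any other tool): the block serializes and parses RFC 826 ARP packets, then feeds a constructed sequence of packets to a passive, arpwatch-style monitor that records every sender mapping, just as a host's cache would, and raises an alert when an IP moves to a different MAC or when one MAC starts answering for several IPs. All addresses are constructed placeholders.

```python
import ipaddress
import struct

# RFC 826 ARP packet for Ethernet/IPv4: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa (28 bytes)
ARP_FORMAT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Serialize an ARP packet; used here only to construct sample traffic for the monitor."""
    return struct.pack(ARP_FORMAT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), ipaddress.IPv4Address(spa).packed,
                       mac_to_bytes(tha), ipaddress.IPv4Address(tpa).packed)


def parse_arp(packet: bytes) -> dict:
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FORMAT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": bytes_to_mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": bytes_to_mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}


class ArpMonitor:
    """Passive monitor: records the sender mapping of every ARP packet (request or reply,
    exactly as a real host's cache does) and raises alerts on suspicious changes."""

    def __init__(self) -> None:
        self.seen: dict = {}  # ip -> last MAC that claimed it

    def observe(self, packet: bytes) -> list:
        arp = parse_arp(packet)
        ip, mac = arp["spa"], arp["sha"]
        alerts = []
        previous = self.seen.get(ip)
        if previous is not None and previous != mac:
            # arpwatch calls this a "flip flop"; expected after a NIC swap, otherwise a poisoning sign
            alerts.append(f"flip-flop: {ip} moved from {previous} to {mac}")
        also_claimed = sorted(other for other, m in self.seen.items() if m == mac and other != ip)
        if also_claimed:
            # one MAC answering for several IPs is the signature of the two-sided attack above
            # (a router with secondary addresses is a benign exception worth allow-listing)
            alerts.append(f"{mac} now claims {ip} and already claims {', '.join(also_claimed)}")
        self.seen[ip] = mac
        return alerts


def run_demo() -> list:
    """Constructed exchange: a normal resolution followed by a two-sided poisoning attempt."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:aa:aa:aa:aa:01"
    victim_ip, victim_mac = "192.168.1.10", "bb:bb:bb:bb:bb:10"
    rogue_mac = "cc:cc:cc:cc:cc:99"  # placeholder address of the poisoning host
    traffic = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, ZERO_MAC, gateway_ip),   # "Who has .1? Tell .10"
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),  # ".1 is at aa:..:01"
        build_arp(ARP_REPLY, rogue_mac, gateway_ip, victim_mac, victim_ip),    # unsolicited: ".1 is at cc:..:99"
        build_arp(ARP_REPLY, rogue_mac, victim_ip, gateway_mac, gateway_ip),   # unsolicited: ".10 is at cc:..:99"
    ]
    monitor = ArpMonitor()
    alerts = []
    for packet in traffic:
        alerts.extend(monitor.observe(packet))
    return alerts


if __name__ == "__main__":
    for line in run_demo():
        print("ALERT:", line)
```

The first two packets produce no alerts; the two unsolicited replies produce three: a flip-flop for the gateway IP, a flip-flop for the victim IP, and a note that the same MAC now claims both. In a real deployment the monitor would read packets from a mirror port or a capture library rather than from a list, and a baseline of known multi-homed devices would suppress the benign cases.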

IEEE 802.1X port-based Network Access Control provides a robust defense against unauthorized devices connecting to a switched network. When 802.1X is enabled on a switch port, the switch places the port in an unauthorized state, blocking all traffic except EAP (Extensible Authentication Protocol) authentication messages. The connecting device (supplicant) must authenticate to a RADIUS server — using credentials, certificates, or device identity — before the switch permits normal traffic on the port. This prevents an attacker from simply plugging into an available network jack or wall port and gaining network access, which is a common physical access attack vector in office buildings and data centers.

Dynamic ARP Inspection (DAI) is a switch security feature that defends against ARP spoofing at the network infrastructure level. DAI relies on the DHCP snooping binding table, which records, for each DHCP lease the switch observes, the client's MAC address, the IP address it was assigned, and the switch port on which the lease was seen. When an ARP packet is received on an untrusted port, DAI validates the sender IP and MAC address against the DHCP snooping binding table. ARP packets that claim an IP-to-MAC mapping inconsistent with the binding table are dropped before they can poison the ARP caches of other devices. DAI requires DHCP snooping to be enabled and the binding table to be populated, making it most effective in environments using DHCP for address assignment; hosts with static addresses need manually configured bindings or their ARP traffic will be dropped as well.

  • 802.1X: port-based NAC requiring EAP authentication to a RADIUS server before network access
  • 802.1X prevents: unauthorized device connections to switched network ports
  • Dynamic ARP Inspection (DAI): validates ARP packets against DHCP snooping binding table
  • DAI prevents: ARP spoofing by dropping ARP packets with inconsistent IP-to-MAC mappings
  • Port security: managed switch feature that limits MAC addresses per port or locks to specific MACs
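To make the DAI and port-security decision logic concrete, here is an added Python simulation of both switch features (example code for this article, not vendor firmware or a vendor's configuration syntax). The binding table, port names such as Gi1/0/1, the VLAN number and all MAC/IP addresses are constructed placeholders; the checks themselves follow the behaviour described above: ARP on untrusted ports is compared against the DHCP snooping bindings, uplinks are trusted, and a port accepts at most a configured number of source MACs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table, as a switch would record it."""
    mac: str
    ip: str
    vlan: int
    port: str


class DhcpSnoopingTable:
    def __init__(self) -> None:
        self._bindings: dict = {}  # (vlan, ip) -> Binding

    def learn_lease(self, mac: str, ip: str, vlan: int, port: str) -> None:
        """Called when the switch sees a DHCPACK for a client on an untrusted port."""
        self._bindings[(vlan, ip)] = Binding(mac.lower(), ip, vlan, port)

    # Static-IP hosts never appear in DHCPACKs, so they must be entered by hand
    # (vendors expose this as static bindings or ARP ACLs); otherwise DAI drops their ARP.
    add_static = learn_lease

    def lookup(self, vlan: int, ip: str) -> Optional[Binding]:
        return self._bindings.get((vlan, ip))


class DynamicArpInspection:
    def __init__(self, table: DhcpSnoopingTable, trusted_ports: set) -> None:
        self.table = table
        self.trusted_ports = trusted_ports  # uplinks to other switches/routers: not inspected

    def inspect(self, port: str, vlan: int, sender_mac: str, sender_ip: str) -> tuple:
        """Return (forward?, reason) for an ARP packet received on `port`."""
        if port in self.trusted_ports:
            return True, "trusted port, not inspected"
        binding = self.table.lookup(vlan, sender_ip)
        if binding is None:
            return False, f"no binding for {sender_ip} in VLAN {vlan}"
        if binding.mac != sender_mac.lower():
            return False, f"{sender_ip} is bound to {binding.mac}, not {sender_mac.lower()}"
        return True, "sender IP/MAC matches DHCP snooping binding"


class PortSecurity:
    def __init__(self, max_macs_per_port: int = 1) -> None:
        self.max_macs = max_macs_per_port
        self.learned: dict = {}  # port -> set of source MACs seen

    def frame_seen(self, port: str, src_mac: str) -> bool:
        """Return True if the frame is allowed; False marks a port-security violation."""
        macs = self.learned.setdefault(port, set())
        if src_mac in macs:
            return True
        if len(macs) >= self.max_macs:
            return False  # violation: a real switch would shut down or restrict the port here
        macs.add(src_mac)
        return True


def run_demo() -> list:
    """Constructed scenario: two leases learned, then four ARP packets inspected."""
    table = DhcpSnoopingTable()
    table.add_static("aa:aa:aa:aa:aa:01", "192.168.1.1", 10, "Gi1/0/1")    # static server address
    table.learn_lease("bb:bb:bb:bb:bb:10", "192.168.1.10", 10, "Gi1/0/5")  # DHCP client
    dai = DynamicArpInspection(table, trusted_ports={"Gi1/0/48"})
    return [
        dai.inspect("Gi1/0/1", 10, "aa:aa:aa:aa:aa:01", "192.168.1.1"),    # legitimate -> forwarded
        dai.inspect("Gi1/0/7", 10, "cc:cc:cc:cc:cc:99", "192.168.1.1"),    # claims another host's IP -> dropped
        dai.inspect("Gi1/0/7", 10, "cc:cc:cc:cc:cc:99", "192.168.1.200"),  # no lease at all -> dropped
        dai.inspect("Gi1/0/48", 10, "aa:aa:aa:aa:aa:01", "192.168.1.1"),   # arrives on trusted uplink -> forwarded
    ]


if __name__ == "__main__":
    for ok, reason in run_demo():
        print("FORWARD" if ok else "DROP   ", reason)
```

The third case is the one that surprises administrators in mixed environments: a host that never obtained a DHCP lease has no binding, so its ARP is dropped even when it is not spoofing anything, which is why static bindings have to be maintained alongside DAI.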

Software-based MAC address modification is straightforward on all major operating systems. On Linux, the ip link set dev eth0 address XX:XX:XX:XX:XX:XX command changes the MAC address of an interface immediately. The macchanger tool provides a more convenient interface with options to set a random MAC, use a specific vendor's OUI, or assign a fully random address. On Windows, many network adapters support MAC address change through the Device Manager network adapter advanced properties by setting the "Network Address" or "Locally Administered Address" field. Changes take effect after disabling and re-enabling the adapter.

Modern operating systems have introduced automatic MAC address randomization to improve privacy, preventing network operators and advertisers from tracking devices across different Wi-Fi networks using the MAC address as a persistent identifier. iOS 14 and later, macOS 12 (Monterey) and later, Android 10 and later, and Windows 10 with recent updates all support per-network random MAC addresses by default for Wi-Fi connections. The randomized address uses the locally administered bit (bit 1 of the first octet set to 1) to distinguish it from manufacturer-assigned addresses. Organizations relying on MAC-based network access control should evaluate how MAC randomization affects their 802.1X and DHCP policies.

  • Linux: ip link set dev eth0 address AA:BB:CC:DD:EE:FF — changes MAC immediately
  • macchanger: macchanger -r eth0 assigns a fully random MAC address
  • iOS 14+, Android 10+, Windows 10+: per-network MAC randomization enabled by default for Wi-Fi
  • Randomized MACs use locally administered bit (bit 1 set to 1) to distinguish from manufacturer MACs
  • MAC randomization affects MAC-based access control and DHCP reservation policies
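An added example of the address scheme randomization uses (written for this article; it is not the algorithm of any particular operating system, whose exact choices vary): the generator draws 48 random bits, sets the Universal/Local bit so the address is marked as software-assigned, and clears the Individual/Group bit so it stays a valid unicast source address. The reservation report at the end shows why a DHCP reservation keyed on the hardware MAC stops matching once a client randomizes; the reservation table and client MACs are constructed.

```python
import secrets


def random_locally_administered_mac(randbytes=secrets.token_bytes) -> str:
    """Random unicast MAC flagged as locally administered.
    `randbytes` is injectable so the result can be made deterministic in tests."""
    octets = bytearray(randbytes(6))
    octets[0] |= 0x02   # set bit 1 (U/L): locally administered, not a manufacturer OUI
    octets[0] &= 0xFE   # clear bit 0 (I/G): a source address must be unicast
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(mac: str) -> bool:
    return bool(int(mac.split(":")[0], 16) & 0x02)


def is_unicast(mac: str) -> bool:
    return not int(mac.split(":")[0], 16) & 0x01


def reservation_report(observed_macs, reservations: dict) -> dict:
    """Explain, per observed client MAC, whether a hardware-MAC-keyed DHCP reservation applies."""
    report = {}
    for mac in observed_macs:
        mac = mac.lower()
        if mac in reservations:
            report[mac] = f"reserved {reservations[mac]}"
        elif is_locally_administered(mac):
            report[mac] = "no reservation: address is randomized or software-assigned"
        else:
            report[mac] = "no reservation for this hardware MAC"
    return report


if __name__ == "__main__":
    generated = random_locally_administered_mac()
    print(generated, is_locally_administered(generated), is_unicast(generated))
    # Constructed reservation table and client list
    reservations = {"00:1a:2b:3c:4d:5e": "192.168.1.50"}
    print(reservation_report(["00:1A:2B:3C:4D:5E", generated, "00:1a:2b:00:00:01"], reservations))
```

Administrators who rely on reservations or MAC allow-lists for Wi-Fi clients generally have to either disable per-network randomization for the corporate SSID on managed devices or move to 802.1X with certificates, where identity no longer depends on the MAC address.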

MAC address data is extensively recorded in network infrastructure logs, making it a valuable source of evidence in security investigations. DHCP server logs record the MAC address, assigned IP address, lease timestamp, and client hostname for every DHCP lease. When investigating an incident involving a specific IP address, DHCP logs allow you to identify which device held that IP at the time of the incident — essential when IP addresses are dynamically assigned. DHCP logs are a first-stop resource for incident responders correlating network activity to specific physical devices.

Wireless access point logs record MAC address, IP address, association time, disassociation time, signal strength, and SSID for every device connection. This data helps investigate unauthorized wireless access, trace device location within a facility (by comparing signal strength across multiple access points), and identify which access point a specific device was connected to during an incident. The OUI portion of a MAC address can be looked up using the IEEE OUI database or tools like Wireshark's manufacturer lookup to identify the device manufacturer — useful when a device's hostname is unavailable or obscured. MAC address randomization increasingly complicates this forensic use of OUI lookup.

  • DHCP logs: MAC address, IP assignment, timestamp, hostname — first stop for incident IP-to-device correlation
  • Wireless AP logs: MAC, IP, association time, signal strength per access point for location tracing
  • Managed switch MAC tables: which physical port a device's MAC was seen on at any given time
  • OUI lookup: identify device manufacturer from the first three octets of the MAC address
  • MAC randomization complicates forensics — note whether the MAC has the locally administered bit set
