Free MAC address lookup — find the vendor / OUI behind any MAC address.

Six independent classes of output per MAC lookup. The OUI-to-vendor mapping is the obvious one; the U/L and I/G bit decoding and the assignment-block-type detection are the differentiators most flat OUI lookup tools skip.

MAC addresses look like opaque hexadecimal strings, but the first 24 bits encode real metadata — who manufactured the network interface. Five places that's useful:

• Network inventory and asset discovery Run `arp -a` or pull DHCP leases, then resolve every MAC to its vendor. Suddenly you know which devices are Apple laptops, which are Cisco APs, which are Raspberry Pi (Pi Foundation OUI: `B8:27:EB`), and which are unidentified IoT. Asset inventory becomes a one-script job.
• Rogue-device detection An unexpected vendor on your network is a finding. A Liteon-OUI MAC on a network where you only buy Dell? Worth investigating. A randomized-MAC connecting to a switchport that should be wired? Same.
• Forensic incident investigation After an incident, capture logs include MAC addresses. Vendor resolution turns 'unknown device' into 'an iPhone, an HP printer, and an unknown vendor (probably a USB Ethernet adapter)'. Speeds investigation.
• Wireless survey analysis When auditing a venue's Wi-Fi or studying traffic patterns, MAC vendors show you what the population of devices is — phones vs laptops, Apple vs Android, IoT density. Modern OSes randomize SSID probes, but the OUI is still visible for associated devices.
• Vendor due diligence and security research A device pings home from a specific MAC. Resolving the OUI tells you the manufacturer — which often correlates with known firmware behaviors, known CVEs, and known traffic patterns. Useful for both attackers and defenders.

A MAC lookup is a parse plus a database query. We use the live IEEE OUI registry as the source of truth — the same database IEEE publishes for download daily.

• Stage 1 — Normalize input Strip separators, uppercase, validate hex. Accept colon-, dash-, dot-, and no-separator forms. Reject anything that isn't a valid 6-byte MAC.
• Stage 2 — Decode the structural bits Extract the U/L bit (locally administered if set) and I/G bit (multicast if set). These tell you immediately whether the MAC is even eligible for OUI lookup — locally administered MACs are not registered.
• Stage 3 — Try MA-L (24-bit OUI) lookup First 24 bits are the OUI for traditional allocations. Match against the IEEE MA-L registry. Most assignments are MA-L; this is the case for most consumer and enterprise networking gear.
• Stage 4 — Try MA-M (28-bit) and MA-S (36-bit) lookup If MA-L misses, try MA-M (first 28 bits) and MA-S (first 36 bits). IEEE introduced these smaller block sizes for smaller vendors. IoT devices often use MA-S because the vendor only needs 4096 unique MACs.
• Stage 5 — Detect randomization If U/L bit is set and no OUI matches, report as locally administered / randomized. Modern phones, laptops, and Windows 10+ Wi-Fi all randomize per network. Don't fake a vendor for these.
• Stage 6 — Return structured detail Vendor name, full registered address, registration block type, locally-administered flag, multicast flag, and the OUI itself. All from a single lookup against the live IEEE database.

Every MAC is a 48-bit value. The first 24 bits (traditionally) are the OUI assigned by IEEE; the last 24 bits are the vendor's own sequence. Five things to know about the structure:

• First 24 bits — OUI (Organizationally Unique Identifier) Assigned by IEEE to the manufacturer. Apple's main OUI is `00:1B:63` and they have dozens of others. Cisco has hundreds. Apple's iPhone WiFi modules and MacBook WiFi modules each have separate OUI blocks because they're physically different chips. Resolving the OUI gives you the manufacturer name as registered.
• Last 24 bits — Vendor-assigned The manufacturer assigns these. Often sequential at manufacture time, sometimes randomized for privacy or simply distributed across factory lines. Not meaningful without insider knowledge of the manufacturer's allocation scheme.
• U/L bit (bit 2 of first octet) 0 = universally administered (IEEE-assigned). 1 = locally administered (set by software, not registered). Most production devices are universally administered. Randomized MACs (modern OS privacy defaults) are locally administered.
• I/G bit (bit 1 of first octet) 0 = unicast (single individual address). 1 = multicast (group address). Multicast MACs are used for broadcasts (FF:FF:FF:FF:FF:FF), IPv6 neighbor discovery, mDNS, and similar protocols. Most addresses you see in logs are unicast.
• MA-L / MA-M / MA-S — three block sizes Traditional MA-L blocks are 24-bit OUI + 24-bit vendor space = 16.7M addresses per block. MA-M is 28-bit OUI + 20-bit vendor space = 1M addresses. MA-S is 36-bit OUI + 12-bit vendor space = 4096 addresses. Small vendors and IoT makers buy MA-S to save money — they only need a few thousand unique MACs.

Since iOS 14 (2020), Android 10, Windows 10, and macOS Catalina, all major operating systems randomize the MAC address shown to Wi-Fi networks by default. The locally-administered bit is set, the OUI doesn't match any real vendor, and the MAC changes per network — sometimes per connection. Five things this changes:

• OUI lookup returns 'locally administered' Privacy-randomized MACs have the U/L bit set. Resolving the OUI doesn't find a matching vendor — because there isn't one. The tool reports this as randomized rather than guessing.
• The original MAC is still visible to the manufacturer iPhones still know their real MAC; it's just hidden from the access point. Apple, Google, and Microsoft can correlate randomized MACs to real device identifiers through their own services.
• Network access controls have to adapt Pre-2020, MAC-based ACLs on guest networks worked. Now, every visitor's iPhone shows up with a different MAC per network — and per join attempt on some configurations. ACLs by MAC need to be replaced by 802.1X authentication, captive portals, or other identity-bound mechanisms.
• Forensic tracking gets harder Stalking-someone-via-Wi-Fi-MAC was a real privacy concern; randomization fixes it. The tradeoff: legitimate uses (network inventory, fingerprinting devices for billing or analytics) also have to work harder.
• Identifying the OS from a randomized MAC Apple's randomized MACs start with one of several specific bytes. Google's randomized MACs have a different pattern. Windows' have another. With enough samples, you can sometimes infer the OS family of a randomized device — but not the specific device.

Every resolved field — vendor, OUI, block type, U/L and I/G bits, registration address — is available as JSON. Useful for network-inventory automation, NAC integration, IoT-discovery tooling, and forensic-investigation scripts.

curl 'https://api.domainscan.in/v1/security/mac-info?mac=AC:DE:48:00:11:22'

const res = await fetch(
  'https://api.domainscan.in/v1/security/mac-info?mac=AC:DE:48:00:11:22'
);
const mac = await res.json();

console.log(mac.vendor);             // 'Apple, Inc.'
console.log(mac.oui);                // 'AC:DE:48'
console.log(mac.blockType);          // 'MA-L'
console.log(mac.locallyAdministered); // false
console.log(mac.multicast);          // false

// Bulk inventory resolution
const macs = ['AC:DE:48:00:11:22', 'B8:27:EB:AA:BB:CC', '02:00:00:11:22:33'];
const results = await Promise.all(
  macs.map(m => fetch(`/v1/security/mac-info?mac=${m}`).then(r => r.json()))
);
results.forEach((r, i) => console.log(macs[i], '→', r.vendor || 'randomized'));

{
  "mac":               "AC:DE:48:00:11:22",
  "normalized":        "AC-DE-48-00-11-22",
  "oui":               "AC:DE:48",
  "vendor":            "Apple, Inc.",
  "address":           "One Apple Park Way, Cupertino, CA 95014, US",
  "blockType":         "MA-L",
  "locallyAdministered": false,
  "multicast":         false,
  "randomized":        false,
  "registered":        "1995-06-12"
}

Six patterns we see most often:

• What is a MAC address? A Media Access Control address is a 48-bit identifier assigned to every network interface — Ethernet, Wi-Fi, Bluetooth. Written as six hexadecimal pairs (`AC:DE:48:00:11:22`). The first half identifies the manufacturer; the second half is the manufacturer's own serial. Used to identify devices at Layer 2 of the network stack — switches and Wi-Fi APs route by MAC.
• What is an OUI? Organizationally Unique Identifier — the first 24 bits of a MAC address, assigned by IEEE to a specific manufacturer. Apple has dozens (`00:1B:63`, `AC:DE:48`, and many more). Cisco has hundreds. Resolving the OUI tells you who manufactured the network interface — useful for inventory, security investigation, and forensics.
• How do I find the vendor of a MAC address? Look up the first 24 bits (the OUI) in IEEE's published OUI registry. This tool does that automatically against the live IEEE database. If the OUI doesn't match (no vendor returned), the MAC is either privacy-randomized (modern OS default) or locally administered (set by software rather than IEEE-assigned).
• Why does my phone show a different MAC on every Wi-Fi network? Privacy randomization. Since iOS 14 and Android 10, modern phones use a different MAC per network (and sometimes per connection). The randomized MAC has the locally-administered bit set and doesn't resolve to a real vendor. This is intentional — it prevents Wi-Fi APs from tracking your phone across networks.
• Can a MAC address be changed? Yes — at the software level, the OS can set any MAC it wants for a given interface (Linux: `ip link set dev eth0 address ...`, macOS: `ifconfig en0 ether ...`, Windows: through driver properties). At the hardware level, the originally-burned MAC is in flash and persists across reboots unless explicitly overridden. Locally-administered MACs (U/L bit set) are common; the OUI lookup will not match a real vendor.
• What does it mean if a MAC is 'locally administered'? The U/L bit (bit 2 of the first octet) is set, indicating the MAC was not assigned by IEEE — it's either privacy-randomized by the OS or manually set by software. Common in modern Wi-Fi (iOS, Android, Windows all randomize by default) and in virtualization (VM-generated MACs). Don't expect OUI lookup to match a real vendor.
• What's the difference between MA-L, MA-M, and MA-S? Three IEEE assignment-block sizes. MA-L (24-bit OUI) gives the manufacturer 16.7M unique MACs per block — the traditional default, mostly large vendors. MA-M (28-bit OUI) gives 1M per block. MA-S (36-bit OUI) gives 4096 per block — popular with IoT vendors who don't need many unique IDs. This tool resolves all three.
• What does it mean if a MAC is multicast? The I/G bit (bit 1 of the first octet) is set. The address is a group/multicast address rather than a single individual. Used for broadcasts (`FF:FF:FF:FF:FF:FF`), IPv6 neighbor discovery, mDNS, and various Layer-2 group communications. Most addresses in normal logs are unicast; a multicast MAC where you expect unicast is worth investigating.