MAC Addresses Explained: What They Are and Why Modern OSes Randomize Them

A MAC address identifies a network interface at the hardware level. Format, OUI, randomization, and why MAC is no longer the stable identifier it used to be.

When you look at your network adapter’s properties, you see a MAC address — six pairs of hex digits like 5e:34:8b:01:c2:7f. It’s older than IP, more fundamental in some ways, and used to be the stable identifier of a device on a network. In 2026, that’s no longer quite true: privacy-driven MAC randomization has changed how the layer-2 identifier behaves.

This post explains what a MAC address is, what its parts mean, how it interacts with IP, and what MAC randomization changes for application code and network operations.

What a MAC Address Is

A MAC (Media Access Control) address is a 48-bit identifier for a network interface. It’s the layer 2 address — used by Ethernet, Wi-Fi, and other link-layer protocols to address frames on the local network segment.

Format: six groups of two hex digits, separated by colons (or dashes on Windows):

5e:34:8b:01:c2:7f

Other notations: 5E-34-8B-01-C2-7F, 5e34.8b01.c27f (Cisco), 5e348b01c27f (no separators).

Structure

The 48 bits are conceptually split:

  • First 24 bits — OUI (Organizationally Unique Identifier). Assigned by IEEE to a vendor. Identifies who made the network adapter.
  • Last 24 bits — vendor-assigned. Vendor’s serial number for this specific adapter.

So a Cisco adapter and an Apple adapter have different OUIs. Within Cisco, two adapters have different vendor-assigned halves.

A few special bits:

  • Universally administered vs locally administered — A bit in the first octet. If set, the address is locally administered (potentially randomized). If clear, it’s the manufacturer-assigned (universally administered) address.
  • Unicast vs multicast — The lowest bit of the first octet. If set, the address is multicast.

For typical hardware, the OUI tells you the vendor; tools like Wireshark and OUI lookup sites translate prefixes.
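The structure above can be checked in code. The following is an added example, not part of the original post: a parser for the four notations listed earlier that reports the OUI and the two flag bits of the first octet (0x02 for locally administered, 0x01 for multicast). The names `MacInfo`, `parse_mac` and `count_by_kind` are assumptions made for this illustration. Run on the sample address `5e:34:8b:01:c2:7f`, it shows that the address is locally administered, so its first three octets do not name a vendor.

```python
import re
from dataclasses import dataclass

# The four notations listed above: colon, dash, Cisco dotted, bare hex.
_NOTATIONS = (
    r"[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}",
    r"[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}",
    r"[0-9A-Fa-f]{4}(\.[0-9A-Fa-f]{4}){2}",
    r"[0-9A-Fa-f]{12}",
)

@dataclass(frozen=True)
class MacInfo:
    canonical: str              # lowercase, colon-separated
    oui: str                    # first 24 bits, e.g. "5e:34:8b"
    locally_administered: bool  # U/L bit: 0x02 of the first octet
    multicast: bool             # I/G bit: 0x01 of the first octet

    @property
    def oui_is_vendor(self) -> bool:
        # An OUI lookup only names a vendor for universally administered
        # unicast addresses; a randomized MAC carries no vendor prefix.
        return not (self.locally_administered or self.multicast)

def parse_mac(text: str) -> MacInfo:
    s = text.strip()
    # Reject mixed separators and wrong lengths instead of guessing.
    if not any(re.fullmatch(p, s) for p in _NOTATIONS):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    raw = bytes.fromhex(re.sub(r"[:.-]", "", s))
    octets = [f"{b:02x}" for b in raw]
    return MacInfo(
        canonical=":".join(octets),
        oui=":".join(octets[:3]),
        locally_administered=bool(raw[0] & 0x02),
        multicast=bool(raw[0] & 0x01),
    )

def count_by_kind(macs):
    """Split observed addresses into factory-assigned vs locally administered."""
    infos = {parse_mac(m) for m in macs}   # set: one entry per distinct address
    local = sum(1 for i in infos if i.locally_administered)
    return {"universal": len(infos) - local, "local": local}
```
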

What MAC Does

When a packet needs to go from your computer to the router (so it can travel to the internet), here’s what happens at layer 2:

  1. Your computer wants to send to IP 203.0.113.5 (some internet server).
  2. That’s not on your local network, so the packet goes to the default gateway.
  3. ARP (or IPv6 Neighbor Discovery) resolves the gateway’s IP to a MAC address.
  4. Your computer wraps the packet in an Ethernet frame addressed to the gateway’s MAC.
  5. The router receives the frame, strips the Ethernet wrapper, and forwards the IP packet onward.

So MAC addresses are for local delivery. Once a packet crosses a router, the MAC addresses change at every hop. Only the IP addresses persist across the entire path.

MAC vs IP

A clarifying comparison:

                MAC                                IP
Layer           2 (link)                           3 (network)
Scope           Local network only                 Global
Assigned by     Hardware vendor                    DHCP / static / RIRs
Changes when    New hardware, randomization        Network change, DHCP renew
Used for        Frame delivery on local network    Packet routing across internet
Format          48 bits, 6 octets, hex             32 bits (IPv4) or 128 bits (IPv6)

Both identify endpoints, but at different layers. MAC tells you “which device on this network segment.” IP tells you “which host anywhere on the internet.”

MAC Address Resolution (ARP / NDP)

To send a frame to another device on the local network, you need its MAC address — but you usually start with its IP. The protocols:

ARP (Address Resolution Protocol — IPv4)

Broadcasts “who has IP 192.168.1.1?” Every host hears; the one with that IP responds with its MAC.

HOST A: ARP request: "Who has 192.168.1.1? Tell 192.168.1.42."
HOST B: ARP reply: "192.168.1.1 is at 5e:34:8b:01:c2:7f."

Cached for a few minutes (varies by OS).

NDP (Neighbor Discovery Protocol — IPv6)

Uses ICMPv6 multicast (specifically Neighbor Solicitation / Neighbor Advertisement). Same idea; better designed.

Either way, the local network has a way to map IP addresses to MAC addresses on demand.

MAC Randomization

Until ~2014, every device had one MAC address — the universally administered one assigned at the factory. That made tracking devices across networks easy: an attacker (or a Wi-Fi network operator) could observe a MAC and follow that device wherever it went.

Modern OSes now use randomized MAC addresses by default:

  • iOS 14+: Random MAC per network (different MAC for home Wi-Fi vs coffee shop).
  • Android 10+: Random MAC per network.
  • macOS 14+: Configurable; random by default on Wi-Fi.
  • Windows 11: Configurable; opt-in for random MAC.

The randomization happens at the network level (a stable random MAC for each Wi-Fi network) or at the connection level (a new random MAC each time, on some configurations).

Implications:

For users

Privacy improvement. A coffee shop can’t track you across visits by MAC.

For network operators

  • MAC-based authentication (still used in some enterprise networks) becomes unreliable.
  • MAC-based reservations in DHCP need to handle that the same device shows up with different MACs.
  • Device counts based on unique MACs are inflated (each device on each network gets a different MAC).

For application developers

MAC addresses are essentially useless as long-term device identifiers. Never use MAC as a stable user/device identifier.

What MAC Is Not

A few common misconceptions:

“MAC address is unique per device”

Not anymore. With randomization, one device has many MAC addresses across networks and over time.

“MAC address is unforgeable”

Trivial to change. Every OS lets you set a custom MAC (sudo ifconfig en0 ether xx:xx:xx:xx:xx:xx on macOS; similar elsewhere).

“MAC address identifies the device on the internet”

No. MAC addresses don’t cross routers. The only MAC the server sees is the MAC of its own upstream router. The user’s actual MAC is not visible beyond their local network.

“MAC reveals user identity”

Only locally. From the public internet, you can’t see anyone’s MAC address.

Where MAC Still Matters

Despite randomization, MAC is still relevant in a few places:

Network access control

  • 802.1X — Authenticates devices on a network. Doesn’t rely on MAC alone.
  • MAC filtering — Allows or denies specific MACs (now weak due to randomization).
  • Captive portals — Often use MAC for the authenticated session, even if it’s randomized.

Wake-on-LAN

Send a “magic packet” containing a target MAC; the target device powers on. Requires knowing the target’s MAC.

Network troubleshooting

ARP / NDP tables show which MACs are on each port. Helps diagnose “where is this device physically?”

Hardware identification

For internal IT inventory, the universally administered MAC (the factory-assigned one) is still a unique device ID. Just don’t expect it to be the only MAC the device uses.

ARP Spoofing

A classic local network attack: respond to ARP requests claiming you have a different MAC than you really do. If you can convince a victim that your MAC is the gateway’s MAC, all their traffic flows through you.

Mitigations:

  • Static ARP entries on critical paths.
  • Dynamic ARP Inspection on managed switches.
  • Network segmentation to limit attack surface.
  • HTTPS so that intercepted traffic can’t be read.
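On the detection side, the symptom of ARP spoofing is an IP-to-MAC binding that changes, or one MAC answering for several IPs. The following is an added example, not part of the original post: it scans ARP reply observations for both conditions and accepts an optional table of pinned bindings. The sample observations are constructed, and the function name and alert labels are assumptions made for this illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) as seen in ARP replies.
OBSERVED = [
    (0,  "192.168.1.1",  "00:11:22:33:44:55"),   # gateway
    (5,  "192.168.1.42", "5e:34:8b:01:c2:7f"),
    (9,  "192.168.1.77", "66:77:88:99:aa:bb"),
    (30, "192.168.1.1",  "66:77:88:99:AA:BB"),   # gateway IP claimed by .77's MAC
    (31, "192.168.1.42", "5e:34:8b:01:c2:7f"),
]

def find_arp_anomalies(observations, pinned=None):
    """Return (ts, kind, ip, mac) alerts for changed or conflicting bindings.

    pinned: optional {ip: mac} of known-good bindings, e.g. the gateway,
    mirroring the static ARP entries listed in the mitigations.
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    first_seen = {}                 # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)   # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in observations:
        mac = mac.lower()
        if ip in pinned:
            if mac != pinned[ip]:
                alerts.append((ts, "pinned-mismatch", ip, mac))
        elif first_seen.setdefault(ip, mac) != mac:
            alerts.append((ts, "binding-changed", ip, mac))
        if ip not in ips_by_mac[mac]:
            ips_by_mac[mac].add(ip)
            if len(ips_by_mac[mac]) > 1:
                alerts.append((ts, "mac-claims-multiple-ips", ip, mac))
    return alerts
```

With MAC randomization a client IP can reappear with a different MAC for benign reasons, so a `binding-changed` alert on a client address is a lead to check; pinning the gateway and other infrastructure addresses keeps the high-confidence alerts separate.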

Application-Layer Implications

For application developers:

  • Don’t store MAC addresses as user identifiers. They’re not stable.
  • Don’t expect MAC to identify users of a public-facing API. You can’t see it anyway.
  • For IoT and lower-level applications, MAC can be used as a device identifier when you control the device’s MAC behavior.

For network-level things like DHCP reservations, MAC remains the input — but you have to handle the randomization complexity in modern environments.

IPv6 and MAC

IPv6 originally specified that the host part of a SLAAC-assigned address was derived from the MAC (via modified EUI-64). This made addresses traceable to specific hardware.

Privacy extensions (RFC 4941, RFC 8981) generate random host identifiers instead. Modern OSes use these by default. So even with a stable MAC, your IPv6 host bits rotate.

TL;DR

  • MAC address is the layer-2 identifier; 48 bits; six hex octets.
  • First half is OUI (vendor); second half is vendor-assigned.
  • MAC is for local network delivery — doesn’t cross routers.
  • Modern OSes randomize MAC per network for privacy.
  • MAC-based identification is unreliable in 2026.
  • ARP (IPv4) / NDP (IPv6) maps IP to MAC on the local network.
  • For applications, MAC is essentially invisible from the public internet.
  • For network ops, randomization changes how MAC reservations and access control work.

MAC addresses sit underneath everything else in networking. Most developers will never directly manipulate one. Understanding what they do (and what they don’t anymore) clarifies a lot of “why doesn’t this device behave the way I expected” puzzles. For the upper layer that does cross networks, see everything you need to know about IP addresses; for the protocol that uses MAC to hand out IPs, DHCP explained.
