Skip to main content
Explainer · networking

What is a MAC address? (The hardware address, in plain English)

Every network adapter you own — Wi-Fi, Ethernet, Bluetooth — carries a 48-bit hardware address called a MAC address. It is what actually moves data around your local network, it reveals who made the chip inside your device, and — despite a lot of myths — it never follows you across the internet. Here is what it is, how to read it, and why your phone now hides it.

The one-sentence definition

A MAC address — short for Media Access Control address — is a 48-bit hardware identifier assigned to a network interface so that devices on the same local network can address each other directly. It operates at layer 2 of the networking stack (the data-link layer), the layer responsible for moving raw frames from one device to the next physical hop. Every Wi-Fi radio, Ethernet port, and Bluetooth chip has its own MAC address, usually burned into the adapter at the factory — which is why it is also called the physical address or the hardware address.

The format: six hex octets

A MAC address is 48 bits, written as six pairs of hexadecimal digits. You will most often see it with colons between the pairs, like 3C:22:FB:4A:9D:1E, though Windows tends to use hyphens (3C-22-FB-4A-9D-1E) and some Cisco gear uses three dotted blocks (3c22.fb4a.9d1e). All three describe the exact same 48-bit value — an address space of 248, roughly 281 trillion possibilities. That value splits cleanly into two 24-bit halves, and the halves mean very different things.

The first 24 bits: the manufacturer OUI

The first three octets are the Organizationally Unique Identifier, or OUI. The IEEE assigns OUI blocks to hardware makers, so the first half of a MAC address effectively says who built the network chipset. An address beginning with 3C:22:FB, for example, resolves to a specific registered vendor. If you have a MAC address in hand and want to know what made it, run it through the MAC address (OUI) lookup tool — it reads those first three octets and returns the registered manufacturer. That is often enough to identify a mystery entry in your router's device list — an Apple product, a Raspberry Pi, an Amazon Echo, a smart plug — without any other clue.

The second 24 bits: the device-specific half

The manufacturer owns the remaining 24 bits and assigns them to individual adapters coming off the line, so in principle OUI plus device-specific half makes every burned-in MAC globally unique. In practice uniqueness is not guaranteed forever — virtual machines generate their own MACs and phones invent random ones — so a MAC is best thought of as unique on your network rather than as a permanent worldwide serial number.

MAC address vs. IP address

This is the distinction that trips people up most. A MAC address and an IP address both identify a device, but they live at different layers and have completely different scope.

The single most important consequence: your MAC address does not travel across the internet. When a packet leaves your machine, it is wrapped in a frame addressed to the MAC of your router. Your router strips that frame off, reads the IP, and re-wraps the packet in a brand-new frame addressed to the MAC of the next router along the path — and this happens at every single hop. The IP addresses inside can stay the same end to end, but the MAC addresses are torn off and rewritten at each router, so by the time your traffic reaches a website not a byte of your device's MAC remains. That is why the MAC is absent from the list of things a website can see about you, and why the worry that “my MAC address is tracking me across the web” is simply not how the protocols work.

How the MAC address is actually used on a LAN

On your local network, though, the MAC address does the real work of delivery, through two mechanisms.

Switching

An Ethernet switch — the box your wired devices plug into, and the switching logic inside every Wi-Fi access point — makes its forwarding decisions purely on MAC addresses. It learns which MAC lives on which physical port by watching the source address of arriving frames, then forwards each frame only out the port where the destination MAC lives. It never looks at IP addresses; it operates entirely at layer 2.

ARP: turning an IP into a MAC

When your computer wants to send something to another device on the same network, it knows the destination's IP address but needs its MAC address to build the frame. It bridges that gap with the Address Resolution Protocol (ARP): your device broadcasts a question to the whole segment — “who has IP 192.168.1.20?” — and the device that owns that IP answers back with its MAC address, which your machine then caches. Whether you are talking to another laptop or to your default gateway on the way out to the internet, ARP is the quiet step that maps the layer-3 IP onto the layer-2 MAC — and it works identically over Wi-Fi and Ethernet, which both present the same MAC-addressed frame interface.

Why modern phones randomize their MAC address

Because a MAC address is broadcast in the clear in every wireless frame, and used to be a stable, unique value, it became a convenient way to track people. A shopping mall or advertiser could set up Wi-Fi sensors that logged the MAC addresses of nearby phones probing for networks, then follow the same device from place to place without the owner ever connecting to anything.

To shut that down, both major mobile platforms now randomize MAC addresses by default. Apple calls it Private Wi-Fi Address and Android a randomized MAC; in both cases the phone invents a different MAC for each network it joins instead of exposing the real hardware address. It presents one stable random address to your home network (so DHCP reservations still work) but a different one to the coffee shop down the street, which breaks cross-location tracking. A side effect: the OUI of a randomized address is not the phone's true manufacturer, so a lookup on it will not identify the real hardware.

MAC filtering on routers — and why it is weak security

Most home routers offer MAC filtering: an allow-list of MAC addresses permitted to join the network. On paper it sounds like a lock; in reality it is closer to a nametag. Because every wireless frame carries its source MAC in plaintext, anyone within radio range can run a packet sniffer, watch which addresses your access point already accepts, and set their own adapter to one of those approved values — a one-line command on most operating systems. The filter waves them straight through.

MAC filtering can be a mild convenience for keeping a known device off the network, but it should never be mistaken for a security boundary. What actually protects your Wi-Fi is a strong WPA2 or WPA3 passphrase, which encrypts the traffic and gates who can associate in the first place. And with phones now randomizing their MAC per network, strict allow-lists have become annoying to maintain, since a device can reappear with a new address after an update.

The two special bits, briefly

Two low-order bits of the first octet carry meaning. The least-significant bit is the individual/group bit: 0 marks a unicast address for one device, 1 a multicast address for a group (the all-ones FF:FF:FF:FF:FF:FF broadcasts to everyone). The second-least-significant bit is the universal/local bit: 0 means a universally administered address assigned via the manufacturer's OUI, 1 means locally administered — set by software rather than baked in at the factory. Randomized phone MACs always have this locally-administered bit set, a reliable tell that an address is synthetic rather than a real burned-in OUI.

Frequently asked questions

Can a website see my MAC address?

No. A MAC address only has meaning on your local network segment. Every router along the path strips off the incoming frame and rewrites the MAC addresses for the next hop, so by the time your traffic reaches a website your device's MAC has been replaced many times and is nowhere in the packet. Websites see your public IP and whatever your browser reveals — but never your MAC. Confirm what an external server actually observes on the what websites see page.

What does the first half of a MAC address tell you?

The first three octets are the OUI, the IEEE-assigned block that identifies the maker of the network chipset, while the last three octets are the manufacturer's per-device portion. Drop any address into the MAC lookup tool to resolve the vendor — just remember a randomized phone address will not resolve to the true hardware maker.

Is MAC address filtering good security?

Not really. MAC addresses travel in the clear in every wireless frame, so an attacker can observe an allowed address and clone it onto their own adapter in seconds. MAC filtering is a mild convenience, not a real control — a strong WPA2 or WPA3 password is what actually protects your network.

Related reading