1. What Is a MAC Address?
A Media Access Control (MAC) address is a hardware identification number that uniquely identifies each device on a network. It is often referred to as the "Physical Address" or "Hardware Address."
Unlike an IP address, which is assigned logically by software or a router, the MAC address is "burned in" to the Network Interface Card (NIC) by the manufacturer.
2. MAC Address Structure
A MAC address is 48 bits long (6 bytes). It is split into two equal parts that tell you exactly who made the device and the specific ID of that device.
First 24 Bits (Purple): Organizationally Unique Identifier (OUI). This identifies the vendor (e.g., Apple, Dell, Cisco).
Last 24 Bits (Green): Network Interface Controller (NIC) Specific. This is the unique serial number assigned by the vendor.
3. MAC vs IP Comparison
Beginners often ask: "Why do we need two addresses?" The answer lies in the OSI model layers.
| Feature | MAC Address | IP Address |
|---|---|---|
| Layer | Layer 2 (Data Link) | Layer 3 (Network) |
| Scope | Local Network Only (LAN) | Internet Wide (WAN) |
| Type | Physical (Hardware) | Logical (Software) |
| Changeable? | Permanent (mostly) | Dynamic (Changes frequently) |
| Delivery | Computer to Computer (Direct) | Network to Network (Routing) |
Flow: Application โ IP (Where are we going?) โ MAC (Who is the next hop?) โ Wire.
4. ARP Explained
Address Resolution Protocol (ARP) is the bridge between Layer 3 (IP) and Layer 2 (MAC). When your computer knows the destination IP but not the destination MAC, it uses ARP.
The ARP Conversation
- Device A: "I need to send data to
192.168.1.50, but I don't know their MAC address." - Device A (Broadcast): "WHO HAS
192.168.1.50? Tell192.168.1.10!" - Device B (192.168.1.50): "That's me! My MAC address is
AA:BB:CC:11:22:33." (Unicast Reply) - Device A: Saves this pair (IP + MAC) in its ARP Table (Cache).
5. ARP Table & Commands
Every device keeps a temporary list of IP-to-MAC mappings called the ARP Cache. You can view this cache on any OS.
user@linux:~$ ip neigh
192.168.1.1 dev eth0 lladdr c0:25:a5:xx:xx:xx REACHABLE
# Windows Command
C:\Users\Admin> arp -a
Interface: 192.168.1.10 --- 0x3
Internet Address Physical Address Type
192.168.1.1 c0-25-a5-xx-xx-xx dynamic
6. Switch MAC Learning
Switches are intelligent devices. They use a MAC Address Table (or CAM Table) to map physical ports to MAC addresses.
- Learning: When a frame enters a port, the switch records the Source MAC and the Port Number.
- Forwarding: If the switch knows the destination MAC, it sends the frame only to that port (Unicast).
- Flooding: If the destination MAC is unknown, the switch sends the frame to all ports (except the source).
๐งช Switch MAC Table Simulator
Simulate how a switch learns MAC addresses and populates its CAM table.
Launch Switch Simulator7. Broadcast vs Unicast vs Multicast
How data travels depends on who needs to hear it.
| Type | Destination MAC | Who hears it? |
|---|---|---|
| Unicast | Specific MAC (e.g., 00:1A...) | One specific device. |
| Multicast | Special Range (e.g., 01:00:5E...) | A subscribed group of devices. |
| Broadcast | FF:FF:FF:FF:FF:FF | Everyone on the local network. |
๐งช Frame Delivery Visualizer
Visualize the difference between Broadcast, Unicast, and Multicast delivery.
Launch Delivery Visualizer8. ARP Spoofing & Attacks
ARP was designed in the 1980s based on trust. It has no authentication. This leads to ARP Poisoning (or Spoofing).
โ ๏ธ Man-in-the-Middle (MITM)
An attacker can send fake ARP replies to the victim and the gateway.
To Victim: "I am the Router."
To Router: "I am the Victim."
Now, all traffic flows through the attacker's machine, allowing them to steal passwords or modify data before forwarding it.
Defenses
Enterprises use Dynamic ARP Inspection (DAI) and port security to prevent these attacks. In static environments, administrators might manually define static ARP entries.
9. Real-World Troubleshooting
When devices on a LAN cannot talk, check Layer 2 first.
๐ Connectivity Checklist
- Physical Link: Are the lights on the switch port blinking?
- Same Subnet: Are both IPs in the same range? (e.g., 192.168.1.x)
- ARP Entry: Run
arp -a. Do you see the target's MAC? - Duplicate IP: If two devices have the same IP, ARP will flap between two MACs, causing connection drops.
- Broadcast Storm: Is the network slow? A loop might be causing endless broadcasts.
10. ๐ก๏ธ Security Application
For pentesters, Layer 2 is the primary playground for local reconnaissance.
ARP Scanning
Instead of using Ping (ICMP), which firewalls often block, hackers use ARP to find live hosts. Since ARP creates no "connections," it is stealthier and works on all local devices.
Interface: eth0, datalink type: EN10MB (Ethernet)
192.168.1.1 c0:25:a5:xx:xx:xx TP-Link Technologies
192.168.1.15 b8:27:eb:xx:xx:xx Raspberry Pi Foundation
๐งช ARP Spoofing Demo
Interact with a simulated MITM attack to understand how attackers poison the cache.
Launch Spoofing Demo๐งช MAC & ARP Practice
Test your understanding of Layer 2 concepts.
A1: Layer 2 (Data Link Layer).
A2: FF:FF:FF:FF:FF:FF
A3: ARP (Address Resolution Protocol).
A4: Because ARP has no authentication mechanism (it trusts all replies).
A5: arp -a
๐ Module Recap
- MAC Address: Physical, permanent ID (Layer 2). Vendor identified by OUI.
- IP Address: Logical, changeable ID (Layer 3). Used for routing.
- ARP: The protocol that maps IP โ MAC using "Who has?" broadcasts.
- Switching: Switches learn MACs to direct traffic precisely (Unicast) instead of shouting (Broadcast).
- Security: ARP is vulnerable to spoofing, allowing Man-in-the-Middle attacks.