MAC Lookup: a beginner's guide
Identify vendor, VM, and randomized MAC detection
MAC addresses: the factory serial number stamped on every network device
A MAC address (Media Access Control address) is a unique 48-bit identifier permanently assigned to every network interface on every device — laptop, phone, router, smart bulb, security camera, anything that connects to a network. Unlike an IP address, which can change as you move between networks, the MAC address is hard-coded into the network chip at manufacturing time and (usually) stays the same forever. The first half of the address is the OUI (Organizationally Unique Identifier), which is registered with the IEEE and identifies the manufacturer of the device. The second half is unique within that manufacturer's range. So a MAC address like `B8:27:EB:12:34:56` is identifiable as a Raspberry Pi at a glance — `B8:27:EB` is the OUI assigned to the Raspberry Pi Foundation.
You should care because the MAC address is the closest thing to a real-world identity any network device has. For an IT team running an asset inventory, MAC addresses are how you tell the difference between a Cisco switch, an Apple laptop, an HP printer, and a smart thermostat that walked onto the corporate network without anyone noticing. For a security team, the MAC OUI is the fastest way to fingerprint an unknown device on the network without sending it any traffic. For a forensics team investigating an incident, MAC addresses in DHCP logs let you reconstruct which physical device was on the network at any given time.
The five things every MAC address check looks at:
The OUI. The first 24 bits, registered with the IEEE — identifies the manufacturer.
The rest of the address. The remaining 24 bits — unique within the manufacturer's range.
Universal vs locally administered. A flag bit in the first byte indicates whether the address is factory-assigned or set by software (most common with virtual machines, containers, and modern privacy features).
Multicast vs unicast. Another flag bit indicates whether the address represents one device or a group.
Format variants. MAC addresses can be written with colons (`B8:27:EB:12:34:56`), dashes (`B8-27-EB-12-34-56`), dots (`B827.EB12.3456`), or no separators at all.
Three questions a MAC address check answers:
What manufacturer made this device?
Is this MAC address on the IEEE's official list, or is it locally generated (which suggests a VM, container, or randomized privacy MAC)?
For an asset inventory, can I match this MAC against my known device list?
The cost of ignoring MAC address data is being unable to identify the physical devices on your network without sending them probe traffic. The fix is to keep an OUI lookup table on hand — the IEEE publishes the official OUI registry for free. This is one of those small primitives that powers a surprising amount of network and security tooling.
The MAC Lookup endpoint, in plain language
In one sentence: Identify vendor, VM, and randomized MAC detection
Identifies the hardware manufacturer from a MAC address using the IEEE OUI database, and detects virtual machines, randomized/private MACs (iOS 14+, Android 10+, Windows), broadcast, and multicast addresses. Covers 30,000+ vendor OUIs from the full IEEE MA-L registry including Cisco, Apple, Samsung, Huawei, Ubiquiti, and all major virtualization platforms per IEEE 802 and the official internet standard.
Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.
What is actually happening when you call it
Here's what's actually happening behind the scenes when you call this endpoint:
Parses the OUI (first 24 bits) of a MAC address to identify the manufacturer, then analyzes the U/L and I/G bits to classify the address type. Detects virtual machine MACs (VMware, VirtualBox, Hyper-V, QEMU/KVM, Xen, Parallels), identifies randomized MACs from mobile devices using MAC address randomization (iOS 14+, Android 10+), and classifies addresses as UAA (Universally Administered) or LAA (Locally Administered). Accepts colon, hyphen, no-separator, and Cisco dot formats.
If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.
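The parsing and bit checks described above, as an added Python example (not EdgeDNS's code). The three-entry OUI table is constructed for illustration, the result keys are borrowed from the response table on this page, and the unicast condition on the randomized check is an assumption.

```python
import re

HEX = "[0-9A-Fa-f]"
# The four input formats the page lists: colon, hyphen, Cisco dot, no separator.
FORMATS = [re.compile(p) for p in (
    rf"{HEX}{{2}}(?::{HEX}{{2}}){{5}}",
    rf"{HEX}{{2}}(?:-{HEX}{{2}}){{5}}",
    rf"{HEX}{{4}}(?:\.{HEX}{{4}}){{2}}",
    rf"{HEX}{{12}}",
)]

# Constructed three-entry table: OUI -> (vendor, is_virtual). A real lookup
# loads the full IEEE MA-L registry instead.
OUI_TABLE = {
    "B8:27:EB": ("Raspberry Pi Foundation", False),
    "00:50:56": ("VMware", True),
    "52:54:00": ("QEMU/KVM", True),  # prefix has the U/L bit set, yet vendor is known
}

def normalize(mac: str) -> str:
    """Return XX:XX:XX:XX:XX:XX, rejecting mixed separators and wrong lengths."""
    s = mac.strip()
    if not any(p.fullmatch(s) for p in FORMATS):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    digits = re.sub(r"[:.-]", "", s).upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac: str) -> dict:
    norm = normalize(mac)
    first_octet = int(norm[:2], 16)
    vendor, is_virtual = OUI_TABLE.get(norm[:8], (None, False))
    multicast = bool(first_octet & 0x01)  # I/G bit: lowest bit of first octet
    laa = bool(first_octet & 0x02)        # U/L bit: second-lowest bit
    if norm == "FF:FF:FF:FF:FF:FF":
        addr_type = "broadcast"
    elif multicast:
        addr_type = "multicast"
    else:
        addr_type = "unicast"
    return {
        "mac_normalized": norm,
        "oui": norm[:8],
        "vendor": vendor,
        "type": addr_type,
        "administration": "LAA" if laa else "UAA",
        "is_virtual": is_virtual,
        # Page's heuristic is "LAA with no known vendor"; the unicast condition
        # is an assumption added here so broadcast/multicast are not flagged.
        "is_randomized": laa and vendor is None and addr_type == "unicast",
    }
```

Treat the vendor field as a hint rather than proof: most interfaces let software set the address, so a UAA address with a known OUI can still be spoofed.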
Why this specific tool matters
Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the MAC Lookup tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.
MAC vendor identification is the first step in network device profiling for asset management, NAC (Network Access Control), and security monitoring. The VM and randomized MAC detection is critical for modern networks where mobile devices use per-network random MACs and cloud workloads run on virtual NICs — both of which break traditional MAC-based identification.
Picture this in real life. Imagine a network administrator. Here's the situation they're walking into: they need to identify unknown devices on the network by looking up MAC addresses from switch port tables, ARP tables, or DHCP logs, and to detect virtual machines and IoT devices automatically. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the MAC Lookup tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.
Three questions this tool answers in plain English. If any of these have ever crossed your mind, the MAC Lookup tool is built for you:
Where in the world is this server actually located, and who runs the network it sits on?
How fast does traffic move between my users and my service?
Is the IP address I am looking at part of a residential network, a data center, or something suspicious?
You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.
Who gets the most out of this. Network engineers, IT admins, sales teams qualifying enterprise prospects, and product teams building geo-personalization or fraud rules. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.
What happens if you skip this entirely. Skip it and you can't tell where your users actually are, who runs the network they're on, or why they're seeing slow page loads. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.
Available on the free plan. The technical details: `GET /v1/network/mac`.
When would I actually use this?
If you're still on the fence about whether the MAC Lookup tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a network administrator, a security analyst, and a cloud security engineer — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.
Story 1: Network Asset Discovery
Imagine you're a network administrator. Identify unknown devices on the network by looking up MAC addresses from switch port tables, ARP tables, or DHCP logs. Detect virtual machines and IoT devices automatically.
Why it matters: Maintain accurate network inventory and detect shadow IT without physical device inspection.
Story 2: Randomized MAC Detection (BYOD)
Imagine you're a security analyst. Detect devices using randomized MAC addresses (iOS 14+, Android 10+, Windows) that bypass MAC-based access controls and tracking. Identify when NAC policies are being circumvented.
Why it matters: Adapt security policies for modern BYOD environments where MAC randomization is the default.
Story 3: Virtual Machine & Container Detection
Imagine you're a cloud security engineer. Identify virtual machine and container workloads on the network by detecting VM-specific OUI prefixes (VMware, Hyper-V, QEMU/KVM, VirtualBox).
Why it matters: Distinguish physical and virtual assets for compliance auditing and attack surface assessment.
Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the MAC Lookup tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:
When a customer reports that your site is slow specifically from their region.
When you need to know whether traffic is coming from a residential network or a data center.
When planning a CDN, points of presence, or geographic expansion.
During an outage, to see exactly where in the route packets are getting lost.
If you can see yourself in even one of those bullets, the MAC Lookup tool will pay for itself the first time you use it.
Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the MAC Lookup tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.
The easiest way: just ask your AI assistant
If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:
"Use the MAC Lookup tool to check example.com and explain anything that looks wrong in plain language."
The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.
MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.
The technical way: call it from code
If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.
```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/network/mac?mac=00%3A50%3A56%3AC0%3A00%3A08"
```
What you need to provide
There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.
| Field | Type | Required? | What it means | Example |
|---|---|---|---|---|
| mac | string | Yes | MAC address in any standard format: colon-separated (00:1A:2B:3C:4D:5E), hyphen-separated (00-1A-2B-3C-4D-5E), no separator (001A2B3C4D5E), or Cisco dot format (001A.2B3C.4D5E) | 00:50:56:C0:00:08 |
What you get back
When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.
| Field | Type | What you'll see in it |
|---|---|---|
| mac | string | The original MAC address as provided |
| mac_normalized | string | Normalized to XX:XX:XX:XX:XX:XX format |
| oui | string | The OUI portion (first 3 octets) used for vendor lookup |
| vendor.name | string | Manufacturer/vendor name from IEEE OUI database |
| vendor.country | string | Vendor country of registration (ISO 3166-1 alpha-2) |
| is_private | boolean | Whether MAC is locally administered (LAA) — U/L bit set |
| is_multicast | boolean | Whether MAC is a multicast address — I/G bit set |
| is_broadcast | boolean | Whether MAC is the broadcast address (FF:FF:FF:FF:FF:FF) |
| is_virtual | boolean | Whether MAC belongs to a known virtualization platform (VMware, VirtualBox, Hyper-V, QEMU, Xen, Parallels) |
| is_randomized | boolean | Whether MAC appears to be randomized (LAA with no known vendor — common with iOS 14+, Android 10+) |
| type | string | Address type: unicast, multicast, or broadcast |
| administration | string | Address administration: UAA (universally administered) or LAA (locally administered) |
Words you might be wondering about
If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.
RFC (Request for Comments) — The official internet standards documents. When someone says 'RFC 8484' they mean a specific numbered standards document — in that case, the one defining DNS over HTTPS.