# MAC Address and ARP

<mark style="color:blue;">**What is a MAC Address?**</mark>

**MAC** stands for **Media Access Control**. A MAC address is a unique hardware identifier assigned to a network interface card (NIC) or network adapter. It lets devices communicate within a local area network. Every device capable of networking has at least one MAC address.

An IP address can change depending on the network you connect to, whereas a MAC address is assigned at the factory and normally stays fixed. It is intended to be unique worldwide. MAC addresses operate at **Layer 2** of the OSI model, the data link layer. IP addresses operate at **Layer 3**, the network layer.

<mark style="color:blue;">**Why MAC Addresses Matter**</mark>

MAC addresses matter in several ways. They identify each device on a local network, where no two should overlap. Switches rely on them to direct data frames to the proper destination. For security, network access control systems filter devices by MAC address, which helps block unwanted devices.

<mark style="color:blue;">**Structure of a MAC Address**</mark>

A MAC address consists of **48 bits (6 bytes)**, usually represented as **12 hexadecimal digits**:

```
00:1A:2B:3C:4D:5E
```

It is divided into two main parts:

| Part                                     | Description                                 | Example    |
| ---------------------------------------- | ------------------------------------------- | ---------- |
| OUI (Organizationally Unique Identifier) | First 24 bits, assigned to the manufacturer | `00:1A:2B` |
| NIC Specific                             | Last 24 bits, unique for each device        | `3C:4D:5E` |

* **OUI** ensures that no two manufacturers issue the same prefix.
* **NIC-specific** part allows uniqueness within the devices made by the same manufacturer.

**Fun fact:** Some modern devices allow **MAC address randomization** to improve privacy, especially on Wi-Fi networks, making the MAC appear different each time you connect to a network.

<mark style="color:blue;">**Types of MAC Addresses**</mark>

* **Unicast MAC:** Identifies a single interface. Most MAC addresses are unicast.
* **Multicast MAC:** Used to deliver frames to multiple devices in a group. Example: IPv4 multicast `224.0.0.1` maps to a multicast MAC.
* **Broadcast MAC:** Special MAC `FF:FF:FF:FF:FF:FF` used to send data to **all devices** on the local network.
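
The split and the three address types above can be read straight from the bytes. The following is an added example, not part of the original page: it goes slightly beyond the text by reading the two flag bits in the first byte (group bit and locally-administered bit, the latter being set on randomized addresses) and by computing the multicast MAC for an IPv4 group. The address `DA:A1:19:00:00:01` used in the test is a constructed sample.

```python
import ipaddress
import re

# Six hex pairs with one consistent separator (":" or "-").
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}([:-])(?:[0-9A-Fa-f]{2}\1){4}[0-9A-Fa-f]{2}")

def parse_mac(text):
    """Accept 00:1A:2B:3C:4D:5E or 00-1A-2B-3C-4D-5E and return the 6 raw bytes."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(re.sub("[:-]", "", text))

def fmt(raw):
    return ":".join(f"{b:02X}" for b in raw)

def classify(text):
    """Split a MAC into OUI / NIC-specific parts and name its type."""
    raw = parse_mac(text)
    if raw == b"\xff" * 6:
        kind = "broadcast"
    elif raw[0] & 0x01:          # lowest bit of first byte set: group address
        kind = "multicast"
    else:
        kind = "unicast"
    return {
        "oui": fmt(raw[:3]),     # first 24 bits
        "nic": fmt(raw[3:]),     # last 24 bits
        "kind": kind,
        # second-lowest bit set: address was assigned locally (e.g. randomized),
        # so the first three bytes are not a manufacturer OUI
        "locally_administered": bool(raw[0] & 0x02),
    }

def ipv4_multicast_mac(group):
    """Map an IPv4 multicast group to its MAC: 01:00:5E + low 23 bits of the IP."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return fmt(bytes([0x01, 0x00, 0x5E]) + low23.to_bytes(3, "big"))
```

Because only 23 bits of the group address are copied, several IPv4 groups share one multicast MAC.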

<mark style="color:blue;">**MAC vs IP Address**</mark>

| Feature    | MAC Address                         | IP Address                                      |
| ---------- | ----------------------------------- | ----------------------------------------------- |
| Layer      | Data Link (Layer 2)                 | Network (Layer 3)                               |
| Purpose    | Identify device on LAN              | Identify device and route packets               |
| Format     | 48-bit hexadecimal                  | IPv4: 32-bit decimal, IPv6: 128-bit hexadecimal |
| Changeable | Usually fixed, sometimes randomized | Static or dynamic                               |
| Scope      | Local network                       | Local and global networks                       |
| Example    | 00:1A:2B:3C:4D:5E                   | 192.168.1.10 / 2001:DB8::1                      |

<mark style="color:blue;">**What is ARP?**</mark>

**ARP (Address Resolution Protocol)** maps **IP addresses to MAC addresses**. This allows devices to deliver data frames to the correct hardware address on a local network.

<mark style="color:blue;">**How ARP Works**</mark>

1. Device A wants to communicate with Device B using its IP address.
2. Device A checks the **ARP cache** to see if Device B's MAC is already known.
3. If not, Device A sends a **broadcast ARP request**:

   ```
   Who has IP 192.168.1.10? Tell 192.168.1.5
   ```
4. Device B responds with its MAC address:

   ```
   192.168.1.10 is at 00:1B:44:11:3A:B7
   ```
5. Device A can now send data frames directly to Device B.
6. The mapping is stored in the **ARP cache** for future use.
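
The six steps above, as an added example that is not part of the original page: it builds the 28-byte ARP request and reply for Ethernet/IPv4 (RFC 826 layout), parses them, and updates a cache. Nothing is sent on a network; the `lan` dictionary stands in for the hosts that hear the broadcast, and Device A's MAC `02:00:00:00:00:05` is a constructed value.

```python
import socket
import struct

# htype, ptype, hlen, plen, oper, sender MAC, sender IP, target MAC, target IP
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02X}" for b in raw)

def build_arp(oper, sender_mac, sender_ip, target_mac, target_ip):
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sender_mac), socket.inet_aton(sender_ip),
                       mac_bytes(target_mac), socket.inet_aton(target_ip))

def parse_arp(payload):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {"oper": oper,
            "sender_mac": mac_text(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": mac_text(tha), "target_ip": socket.inet_ntoa(tpa)}

def resolve(cache, my_mac, my_ip, target_ip, lan):
    """Return (mac, messages_on_wire). `lan` maps IP -> MAC of simulated hosts."""
    if target_ip in cache:                       # step 2: cache hit, nothing sent
        return cache[target_ip], []
    # Step 3: target MAC is unknown, so the field is zero. The broadcast address
    # FF:FF:FF:FF:FF:FF lives in the Ethernet header, not in the ARP payload.
    request = build_arp(REQUEST, my_mac, my_ip, "00:00:00:00:00:00", target_ip)
    wire = [request]
    asked = parse_arp(request)                   # what every host on the LAN sees
    owner = lan.get(asked["target_ip"])
    if owner is None:                            # nobody owns that IP: no reply
        return None, wire
    # Step 4: the owner answers directly to the requester (unicast).
    reply = build_arp(REPLY, owner, target_ip, asked["sender_mac"], asked["sender_ip"])
    wire.append(reply)
    answer = parse_arp(reply)
    cache[answer["sender_ip"]] = answer["sender_mac"]   # step 6: store the mapping
    return cache[target_ip], wire
```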

<mark style="color:blue;">**ARP Cache**</mark>

The ARP cache stores IP ↔ MAC mappings temporarily to speed up communication.

| Field       | Description                                                                                                                             |
| ----------- | --------------------------------------------------------------------------------------------------------------------------------------- |
| IP Address  | The IP of the device in the LAN                                                                                                         |
| MAC Address | Corresponding MAC                                                                                                                       |
| Type        | **Dynamic:** learned automatically by ARP requests<br>**Static:** manually configured, does not expire |
| Iface       | Network interface used                                                                                                                  |

***

<mark style="color:blue;">**Practical Example:**</mark> **`arp -a`**

**Windows**

```bash
arp -a
```

Example output:

```
Interface: 192.168.1.5 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1          00-1A-2B-3C-4D-5E   dynamic
  192.168.1.10         00-1B-44-11-3A-B7   static
```

**Linux**

```bash
arp -n
```

Example output:

```
Address          HWtype  HWaddress           Flags Mask  Iface
192.168.1.1      ether   00:1A:2B:3C:4D:5E   C        eth0
192.168.1.10     ether   00:1B:44:11:3A:B7   CM       eth0
```

**Explanation of Dynamic vs Static:**

* **Dynamic entries** are added automatically by ARP when a device starts communicating on the local area network. They expire after a few minutes if they are not used.
* **Static entries** are set up manually and do not expire. They stay in the ARP cache until removed by hand. This works well for servers or critical devices, where it helps keep connectivity steady and reliable.
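
One way to check that critical devices really are pinned with static entries, as an added example that is not part of the original page: it parses the Windows `arp -a` and Linux `arp -n` layouts shown above and compares them with an expected IP-to-MAC list. The sample rows are constructed, modelled on the outputs above; the `expected` mapping and the finding names are assumptions of this example, and the Linux parser treats the `M` flag as the marker of a manually added entry.

```python
import re

WIN_ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(dynamic|static)\s*$")
LINUX_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+ether\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+([A-Z]+)\s+(\S+)\s*$")

# Constructed sample output, modelled on the examples above.
WINDOWS_SAMPLE = """Interface: 192.168.1.5 --- 0x3
  Internet Address      Physical Address      Type
  192.168.1.1          00-1A-2B-3C-4D-5E   dynamic
  192.168.1.10         00-1B-44-11-3A-B7   static
"""
LINUX_SAMPLE = """Address          HWtype  HWaddress           Flags Mask  Iface
192.168.1.1      ether   00:1A:2B:3C:4D:5E   C        eth0
192.168.1.10     ether   00:1B:44:11:3A:B7   CM       eth0
"""

def parse_arp_table(text):
    """Return {ip: {"mac", "static", "iface"}} from either output format."""
    entries, iface = {}, None
    for line in text.splitlines():
        if line.startswith("Interface:"):        # Windows groups rows per interface
            iface = line.split()[1]
        elif m := WIN_ROW.match(line):
            ip, mac, kind = m.groups()
            entries[ip] = {"mac": mac.replace("-", ":").upper(),
                           "static": kind == "static", "iface": iface}
        elif m := LINUX_ROW.match(line):
            ip, mac, flags, dev = m.groups()
            entries[ip] = {"mac": mac.upper(), "static": "M" in flags, "iface": dev}
    return entries

def audit_pins(entries, expected):
    """Compare the cache with expected {ip: mac}; return (ip, finding) pairs."""
    findings = []
    for ip, mac in sorted(expected.items()):
        entry = entries.get(ip)
        if entry is None:
            findings.append((ip, "missing"))        # no cache entry at all
        elif entry["mac"] != mac.upper():
            findings.append((ip, "mac-mismatch"))   # cache points at another NIC
        elif not entry["static"]:
            findings.append((ip, "not-static"))     # right MAC, but only learned
    return findings
```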
