12

My application queries mac-addresses of client computers where it runs and stores them on the server. When I analysed the server DB, I found that some mac-addresses repeat 100-150 times. I.e. different client computers in different unrelated organizations have the same macs. So some mac-addresses are very "popular". They also somehow appear in google results. E.g. 58-2C-80-13-92-63. Why does it happen?

Details: my app runs on Windows, client computers belong to different organizations and are situated in different cities. And my app connects to the web-server where it stores some statistics (e.g. mac-addresses).

Martin Schröder
Mike Siomkin
  • Well that gets a 'vendor not found' error when you look it up - it's a software-derived MAC, probably some form of internal NAT, possibly from your router/VPN/firewall. – Chopper3 Jan 12 '17 at 12:23
  • mismanagement from their vendor I guess? I once had a D-Link router that had a wireless MAC of "01:23:45:67:89:ab"... Cheap crap. – Waleed Hamra Jan 12 '17 at 12:24
  • might be virtual device configuration just copy/paste without changing the MAC (f.e. with older versions of xen this is possible) – Dennis Nolte Jan 12 '17 at 12:25
  • Well, even with new versions of Xen this is possible if you don't allow it to generate a new MAC when creating VM NICs (for example, if someone is using a machine template). You can even do this with libvirt if you use only virsh and a single template with no randomization script. – Spooler Jan 12 '17 at 13:07

2 Answers

17

This example in particular (58-2C-80-13-92-63) is a USB Ethernet chip made by Huawei. Looks like they're being lazy and reusing the MAC. Examples from Google:

[50413.229125] cdc_ether 2-1:1.0: eth1: register 'cdc_ether' at usb-0000:00:1d.7-1, CDC Ethernet Device, 58:2c:80:13:92:63

[  122.660069] huawei_cdc_ncm 3-3:1.1 wwan0: register 'huawei_cdc_ncm' at usb-0000:00:14.0-3, Huawei CDC NCM device, 58:2c:80:13:92:63

The others could also be a case of VMs being passed around. But the most likely explanation (as others have said) is that it's cheap hardware.

To suss this out, check to see whether the MAC is (marked as) globally unique or locally administered: https://en.wikipedia.org/wiki/MAC_address#Address_details

The address 58:2c:80:13:92:63 in theory should be globally unique:

0x58 → 1011000

But MACs from VMs (e.g. 58:2c:80:13:92:63) won't be:

0x52 → 1010010
MikeyB
  • Some more examples: 0C-5B-8F-27-9A-64, 02-00-4C-4F-4F-50, 36-4B-50-B7-EF-2D, 02-0C-E7-0B-01-02, 00-16-76-C9-4E-DE. First - looks like Huawei again, _should_ be globally unique. (Aren't guys from Huawei afraid of LAN collisions? - http://serverfault.com/questions/462178/duplicate-mac-address-on-the-same-lan-possible) The second one is a loopback. Others - I don't know what exactly. The second least significant bit of the first octet may be 1 or 0. The only thing I see - in general mac uniqueness is a myth :( (even if they are not set programmatically). – Mike Siomkin Jan 12 '17 at 16:29
  • Another odd thing is that I filter out loopbacks in my code: `if (adapter.NetworkInterfaceType == NetworkInterfaceType.Tunnel || adapter.NetworkInterfaceType == NetworkInterfaceType.Loopback || adapter.NetworkInterfaceType == NetworkInterfaceType.Unknown) continue;` – Mike Siomkin Jan 13 '17 at 07:38
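
The check described in the answer above (globally unique vs. locally administered), combined with the duplicate count from the question, as an added example that is not part of the original posts. The client IDs and the `unreliable_identifiers` helper are hypothetical; the MAC addresses are the ones quoted on this page, arranged into constructed reports.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([-:][0-9A-Fa-f]{2}){5}$")

def parse_mac(text):
    """Return the 6 address bytes, accepting '-' or ':' separators."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split("[-:]", text))

def classify(mac):
    """Read the two flag bits carried in the first octet."""
    first = mac[0]
    return {
        "locally_administered": bool(first & 0x02),  # U/L bit
        "multicast": bool(first & 0x01),             # I/G bit
    }

def unreliable_identifiers(reports, max_clients=1):
    """reports: iterable of (client_id, mac_text) pairs.
    Returns {normalized_mac: [reasons]} for MACs that cannot identify one machine."""
    clients = defaultdict(set)
    for client_id, mac_text in reports:
        clients[parse_mac(mac_text)].add(client_id)
    flagged = {}
    for mac, seen in clients.items():
        reasons = [name for name, on in classify(mac).items() if on]
        # A "universal" U/L bit is no guarantee: count distinct reporters too.
        if len(seen) > max_clients:
            reasons.append(f"reported by {len(seen)} clients")
        if reasons:
            flagged[mac.hex(":")] = reasons
    return flagged

# Constructed sample: hypothetical client IDs, MACs taken from this page.
REPORTS = [
    ("client-a", "58-2C-80-13-92-63"),
    ("client-b", "58:2c:80:13:92:63"),
    ("client-c", "58-2C-80-13-92-63"),
    ("client-a", "02-00-4C-4F-4F-50"),
    ("client-d", "00-16-76-C9-4E-DE"),
]

if __name__ == "__main__":
    for mac, reasons in unreliable_identifiers(REPORTS).items():
        print(mac, "->", ", ".join(reasons))
```
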
-2

You can see different mac-addresses only in the local network. When an IP packet goes through a router, the mac-address of the source host is changed to the mac-address of the router's output interface. That is why you can see many IP addresses (which are not from your local network) with the same mac-address.

Mikhail Khirgiy
  • No, this is not how it works, these are different OSI layers. If a remote IP reaches you via a router, you only associate the router's (local) IP with that MAC. I could imagine a very exotic setup where the router tries to do as if it were a bridge to the internet (who would really want such a thing?), but such a beast won't even work, and certainly not by masking everything behind a single MAC – Hagen von Eitzen Jan 12 '17 at 20:42
  • You are right. There are different OSI layers. But the router gets the packet on the low Ethernet layer, then decides what to do with this packet on the IP layer and then sends it to the next destination again on the low Ethernet layer. That is why the router sends packets with its own mac-address. There aren't any routing protocols on the physical Ethernet layer. – Mikhail Khirgiy Jan 12 '17 at 20:58
  • Actually, IS-IS is a routing protocol that runs right on the Ethernet layer. But regardless, systems would never report a machine reachable beyond a gateway as *having* the gateway's MAC address. – MikeyB Jan 12 '17 at 21:07
  • Ok. But what about this http://serverfault.com/questions/36002/getting-an-ips-mac-address-from-behind-a-router – Mikhail Khirgiy Jan 13 '17 at 04:39
  • 1. As I said, I get the same macs from clients from different cities (not from one LAN)! 2. My desktop client app queries mac of the adapter of the computer where it runs, then sends it to the server using SOAP web-service. So it can't be a router's mac. – Mike Siomkin Jan 13 '17 at 07:24