What does the MAC address shown by `iw link` or `iwconfig` represent?

3

I have my RaspberryPi3 (latest Raspbian) connected via WiFi to my WLAN router with ip=192.168.1.1 and mac=XX:XX:XX:XX:XX:A5. However, when I perform the following, I get quite different results for the MAC.

# ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.198  netmask 255.255.255.0  broadcast 192.168.1.255
        ...
        ether ZZ:ZZ:ZZ:ZZ:ZZ:c9  txqueuelen 1000  (Ethernet)
        ...


# arp -ni wlan0
Address            HWtype  HWaddress           Flags Mask     Iface
192.168.1.1        ether   XX:XX:XX:XX:XX:A5   C              wlan0

# iw wlan0 info
Interface wlan0
        ...
        addr ZZ:ZZ:ZZ:ZZ:ZZ:c9

# iw wlan0 link
Connected to XX:XX:XX:XX:XX:a7 (on wlan0)
        ...

# iwconfig wlan0
        ...
        Mode:Managed  Frequency:2.412 GHz  Access Point: XX:XX:XX:XX:XX:a7

# iw --version
iw version 4.9

The iw man pages don't say much.

  • As for ifconfig, it shows my own adapter MAC (ZZ:ZZ:ZZ:ZZ:ZZ:c9).
  • As for arp, it shows the correct WLAN router MAC (XX:XX:XX:XX:XX:A5).
  • But for iw wlan link, it shows a third MAC! (XX:XX:XX:XX:XX:a7)!
  • And for iwconfig wlan0, it also shows that 3rd MAC.

Q. What is that mysterious 3rd MAC address representing?


UPDATE

Thanks to the info provided by @mtak we need to look at what is going on in the different OSI layers. Most IP discovery operations take place on the Network Layer (L3), whereas the MAC "stuff" happens on the Data Link layer (L2) and below (Physical).


not2qubit

Posted 2018-01-03T11:48:03.110

Reputation: 1 234

Perhaps that's the Access Point's MAC address as per "Access Point: ~" and "Connected to ~".... " iwconfig will display the name of the MAC protocol used " .... So the MAC address of the Wi-Fi Access Point endpoint you connect to for accessing that network via Wi-Fi.

– Pimp Juice IT – 2018-01-03T11:58:17.593

It can't be because the AP is the one with :A5. I've checked this with both nmap and from other machines on the local network. The only other thing I can think of is that the wifi of an RPi3 can also act as a repeater. So perhaps iwconfig is reading the MAC of a would-be-ap or is simply buggy? – not2qubit – 2018-01-03T13:35:16.143

Answers

4

  • ifconfig shows your own client's MAC address
  • arp shows the MAC of the IP interface of the router, which is likely not the same as the wireless interface
  • iw wlan link and iwconfig wlan0 show the MAC of the wireless interface of the router

The reason that the MAC of the IP and wireless interface is not the same is that the router probably has an internal switch. The wireless interface is connected to this switch, along with the ethernet ports on the back of the router. The IP interface (the actual router) is also connected to this switch. See this (quite crude) drawing:

[Image: mac addresses]

mtak

Posted 2018-01-03T11:48:03.110

Reputation: 11 805

I still don't understand what is happening here. Because, doing nmap -sS 192.168.1.1 gives the A5 MAC, whereas doing airodump-ng wlan0mon gives the A7 MAC as the BSSID. So somehow, nmap packets are just getting passed through the A7 (wifi chip?) and instead responding to the internal router switch interface with A5. Is that right? – not2qubit – 2018-01-04T11:59:34.707

nmap works on layer 3 (IP). The IP interface of the router is A5, which is what ARP/nmap will display (Layer 3). As you say the packets go right through A7 (which is layer 1/2). Try thinking of the "router" as separate devices in a box. The first layer 3 hop your packets make will be the router, not the switching infrastructure in between (layer 1/2). – mtak – 2018-01-04T12:10:23.127

So A5 would never be visible to anyone not already connected to the AP? Or does the WiFi router leak this information over the air even for non-associated clients? (I assume we are all using encrypted connections.) The question is a bit OT, but could someone spoof the A5 MAC? I guess they could set their MAC to anything, but I fail to understand how a spoofed and non-associated MAC(A5)_a could be distinguished from the real internal MAC(A5)_b? – not2qubit – 2018-01-06T21:37:18.110

Yes. No. Yes. Non-associated MAC A5 would not be on the network. The real internal MAC wouldn't be in the AP authentication table, so incoming wireless packets would not be allowed from A5. – mtak – 2018-01-08T08:20:57.363
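The distinction made in the answer above (client MAC, BSSID of the AP radio, MAC of the router's IP interface) can be checked by parsing the same three command outputs shown in the question. This is an added example, not code from the thread; the function names are hypothetical and the sample outputs and MAC values are constructed.

```python
import re

# Constructed sample output (MACs are made-up, locally administered values).
IW_INFO = """Interface wlan0
        type managed
        addr 02:00:00:00:00:c9
"""
IW_LINK = """Connected to 02:00:00:00:00:a7 (on wlan0)
        SSID: example
        freq: 2412
"""
ARP = """Address            HWtype  HWaddress           Flags Mask     Iface
192.168.1.1        ether   02:00:00:00:00:A5   C              wlan0
"""

MAC = r"((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"

def own_mac(iw_info):
    """Layer 2 address of the local adapter (`iw <if> info`, `ifconfig`)."""
    m = re.search(r"^\s*addr\s+" + MAC, iw_info, re.M)
    return m.group(1).lower() if m else None

def bssid(iw_link):
    """MAC of the AP radio we are associated with (`iw <if> link`)."""
    m = re.search(r"^Connected to\s+" + MAC, iw_link, re.M)
    return m.group(1).lower() if m else None   # None when "Not connected."

def arp_mac(arp_out, ip):
    """MAC that answers ARP for `ip`, i.e. the router's IP interface."""
    for line in arp_out.splitlines()[1:]:
        f = line.split()
        # Skip incomplete entries, which have no MAC in the third column.
        if len(f) >= 3 and f[0] == ip and re.fullmatch(MAC, f[2]):
            return f[2].lower()   # arp prints upper case, iw lower case
    return None

def roles(iw_info, iw_link, arp_out, gateway_ip):
    r = {"client": own_mac(iw_info), "bssid": bssid(iw_link),
         "gateway_l3": arp_mac(arp_out, gateway_ip)}
    # Same box, different interfaces: the two router MACs need not match.
    r["bssid_is_gateway"] = r["bssid"] is not None and r["bssid"] == r["gateway_l3"]
    # Heuristic only: equal vendor prefix (first 3 octets) hints at one device.
    r["same_oui"] = bool(r["bssid"] and r["gateway_l3"]
                         and r["bssid"][:8] == r["gateway_l3"][:8])
    return r

if __name__ == "__main__":
    for k, v in roles(IW_INFO, IW_LINK, ARP, "192.168.1.1").items():
        print(f"{k:17} {v}")
```

On a live system the three strings would come from `iw wlan0 info`, `iw wlan0 link` and `arp -ni wlan0`.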