Ask Your Question

unknown mac vendor

asked 2022-02-07 12:05:19 +0000

I have a suspicious wifi access point mac address ba:b2:a3:17:7b:b3 reported/displayed in the Symantec endpoint console. The mac address vendor is unknown in the wireshark vendor lookup tool. I have scanned our network to see if this mac shows up anywhere without any luck.

Here is the "explanation" from Symantec: The system administrators of this corporate Wi-Fi defined a set of properties identifying hotspots in the network. By analyzing the data from the WiFi connection Symantec identified a discrepancy that indicates a suspicious hotspot.

What to do next? I would like to hear if anyone has experienced a similar situation?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2022-02-07 15:00:56 +0000

Chuckc gravatar image

Looks like MAC address randomization:

   MAC addresses can either be universally administered or locally
   administered.  Universally administered and locally administered
   addresses are distinguished by setting the second-least-significant
   bit of the most significant byte of the address (the U/L bit).
   One way to overcome this privacy concern is by using randomly
   generated MAC addresses.  As described in the previous section, the
   IEEE 802 addressing includes one bit to specify if the hardware
   address is locally or globally administered.  This allows generating
   local addresses without the need of any global coordination mechanism
   to ensure that the generated address is still unique within the local
   network.  This feature can be used to generate random addresses,
   which decouple the globally-unique identifier from the device and
   therefore make it more difficult to track a user device from its MAC/
   L2 address [enhancing_location_privacy].

MAC format showing position of LG bit:

.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)

CyberChef - hex to binary for MAC address

10111010 10110010 10100011 00010111 01111011 10110011
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
1011 1010 1011 0010 1010 0011

LG bit is set in the MAC address.

(Related where search is needed for Random MAC addresses: Wireshark Random MAC Address display filter)

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2022-02-07 12:05:19 +0000

Seen: 140 times

Last updated: Feb 07