You might see MAC addresses where the first byte appears to be incorrect. For example, it might be 88 rather than 8a.
Bit 2 of the first byte of a MAC address (the second-least-significant bit, value 0x02) is the Locally Administered Address (LAA) flag. It indicates that an address has been set locally -- that is, configured on the device -- rather than burned into the network hardware. Unfortunately, some devices use a MAC address that has the LAA bit set but is otherwise the same as their hardware MAC address. Because of this, runZero clears the LAA bit on MAC addresses before storing or comparing them.
So in the example, the LAA bit has the value 2, and hex 8a - 2 = 88.
Note that the original MAC address returned by the device will be available in the appropriate attributes. For example, the MAC address as detected via ARP is available as arp.mac.
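The normalization described above can be reproduced when reconciling MAC addresses from other tools against stored values. The following is an added example, not runZero's own code: the function names, the sample addresses and the "hypothetical.mac" source label are constructed for illustration.

```python
import re
from collections import defaultdict

LAA_BIT = 0x02  # locally administered flag in the first octet

def parse_mac(text):
    """Parse colon, hyphen, dot or bare-hex notation into 6 raw bytes."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def is_locally_administered(text):
    """True if the address as reported has the LAA bit set."""
    return bool(parse_mac(text)[0] & LAA_BIT)

def clear_laa(text):
    """Return the canonical lower-case form with the LAA bit cleared."""
    raw = parse_mac(text)
    cleared = bytes([raw[0] & ~LAA_BIT & 0xFF]) + raw[1:]
    return ":".join(f"{b:02x}" for b in cleared)

def group_observations(observations):
    """Group (source, mac) pairs by normalized MAC, keeping the originals."""
    groups = defaultdict(list)
    for source, mac in observations:
        groups[clear_laa(mac)].append((source, mac))
    return dict(groups)

# Constructed sample observations; only "arp.mac" is an attribute named on the page.
SAMPLE = [
    ("arp.mac", "8a:15:04:aa:bb:cc"),
    ("hypothetical.mac", "88-15-04-AA-BB-CC"),
    ("arp.mac", "00:1b:21:01:02:03"),
]

if __name__ == "__main__":
    for normalized, seen in group_observations(SAMPLE).items():
        flagged = [m for _, m in seen if is_locally_administered(m)]
        print(normalized, seen, "LAA set on:", flagged)
```

Keeping the original string next to the normalized key preserves the information that the LAA bit was set, which is lost once the bit is cleared.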
Another issue that can cause confusion is MAC Address Randomization. The first time an Apple device connects to a given WiFi network, it picks a randomized MAC address. This is done to prevent cross-network device tracking. However, sometimes the device will happen to pick a MAC address of a non-Apple device. This can lead to false positives on checks for NDAA Section 889 compliance, for example.
A MAC randomization feature is also available on Windows, where it's called random hardware addresses.
In both cases, the feature can be disabled at the operating system level. Apple devices will also fall back to using their hardware address if the network blocks use of randomized addresses.
Cloud services such as AWS and Azure may also randomize their MAC addresses, causing misleading MAC prefixes.