Wireshark’s OUI lookup is one of the most important features of the leading open source network protocol analyzer — and one of the least understood.
The key to network protocol analysis is identifying network endpoint devices and matching them to the other endpoints they communicate with. This gives network defenders a way to monitor potentially harmful network activity between endpoints. That holds at every layer at which a system participates in a network:
- The network of processes running on a single system is determined by the ports on which they are listening for requests.
- Systems connect to physical networks through a network interface card (NIC) and are identified on those physical networks by the NIC's media access control (MAC) address.
- IP addresses assigned to systems for worldwide interoperability are used to identify networked devices in the global internet.
When sniffing physical networks, one of the important pieces of information that can be accessed is the MAC addresses of connected devices. Each NIC can be uniquely identified by its MAC address, with the first half of the physical address identifying the device vendor and the second half of the MAC address uniquely identifying the device itself. The first half of the MAC address is the organizationally unique identifier (OUI) registered to the NIC provider.
Wireshark, the leading open source network protocol analyzer, captures network traffic and lets network engineers match units of network protocol data (packets, segments, datagrams and so on) up and down the protocol stack. This means Wireshark's analysis shows the ports network traffic is being sent to, the IP addresses it is travelling between, and the identity of the NIC through which the data is physically transmitted.
The Wireshark OUI lookup tool provides an important service for protocol analysis of local network interfaces, but to understand what it is and how it works, it helps to first understand how MAC addresses are created and assigned.
What is an organizationally unique identifier?
Most modern NICs are identified by MAC addresses made up of six octets (48 bits). They are usually represented as 12 hexadecimal digits in six pairs, separated by a colon or a dash, for example:
The first three octets, highlighted in yellow above, are the OUI assigned to the NIC vendor by the IEEE registry. The OUI database was originally used to associate Ethernet cards with their manufacturer, but OUI has since been expanded to cover all types of NICs, including Wi-Fi and other non-Ethernet devices.
There are over 16 million distinct OUI addresses, and each OUI can have no more than that number of unique MAC addresses: the remaining 24 bits allow at most 2^24, or 16,777,216, addresses. Given the number of networked devices in existence, vendors producing tens or hundreds of millions of NICs need to use more than one OUI.
The OUI database includes the following information about each OUI:
- OUI address;
- vendor name; and
- optionally, an extended vendor name and/or a note related to the address.
Although many MAC address lookup tools rely on a single source, typically the IEEE list of OUI assignments, the Wireshark manufacturer database pulls data from the IEEE list as well as from other sources that record MAC addresses, such as the Internet Assigned Numbers Authority's list of reserved addresses. The original Wireshark OUI database was taken from Michael Patton's Ethernet Codes Master Page and has been merged with that source since 2016.
Wireshark's manuf file is used to load all well-known Ethernet vendor codes and MAC address assignments into working memory, so the OUI lookup is available wherever Wireshark runs.
The MAC address lookup itself is useful for enumerating devices on a physical network and tracking device movement from one physical network to another.
How does Wireshark OUI lookup work?
When using Wireshark to capture and analyze network traffic, OUI lookups are built into the analyzer interface, as shown in Figure 1 of Wireshark running on a Linux system. The OUI data is integrated into the display, along with all other protocol data, and is highlighted in Figure 1.
The Wireshark OUI service can also be accessed interactively through the Wireshark website at this URL:
Network and security engineers can use this public tool to flag problematic or suspicious devices or to search for specific vendors.
OUI lookups can also return information about Individual Address Block (IAB) data. The IAB was replaced in 2014 by the MAC Address Block Small (MA-S) registry, which fulfills the same function at the IEEE. Both IAB and MA-S are used by organizations that need fewer than 16 million MAC addresses. Unlike regular OUI-based MAC addresses, IAB/MA-S-assigned addresses carry a 36-bit vendor ID. This leaves only 12 bits (2^12, or 4,096, unique addresses) to address individual NICs within an MA-S block.
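The arithmetic above (24-bit OUI versus 36-bit MA-S prefix, and the 2^24 versus 2^12 address counts that follow) is easiest to see in code. The following is an added example, not Wireshark's own code or its manuf parser: it normalises the colon, dash and dotted MAC address notations, loads a small table written in the style of Wireshark's manuf file (a bare prefix is a 24-bit OUI; a "/28" or "/36" suffix marks a smaller block), and resolves an address by longest-prefix match, so that an MA-S entry wins over the OUI that contains it. Every prefix and vendor name in the table is constructed for the example.

```python
import re

# Constructed sample table in the style of Wireshark's manuf file:
#   <prefix>[/<bits>]<TAB><short name><TAB><long name>
# A prefix without a mask is a 24-bit OUI; "/28" and "/36" entries model
# MA-M and MA-S (formerly IAB) blocks. All prefixes and vendor names below
# are invented for this example and do not belong to any real vendor.
SAMPLE_MANUF = """\
# comment lines and blank lines are ignored
00:11:22\tExampleCo\tExample Corporation
00:11:22:30:00:00/28\tSmallCo\tSmall Co (MA-M block carved out of ExampleCo's OUI)
00:11:22:34:50:00/36\tTinyCo\tTiny Co (MA-S block, 4,096 addresses)
AA:BB:CC\tOtherCo\tOther Company
"""

_NON_HEX = re.compile(r"[^0-9a-fA-F]")


def parse_mac(text):
    """Accept 'aa:bb:cc:dd:ee:ff', 'aa-bb-cc-dd-ee-ff' or 'aabb.ccdd.eeff'
    and return the address as a 48-bit integer."""
    digits = _NON_HEX.sub("", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def oui(mac):
    """Return the first three octets (the OUI) in canonical 'XX:XX:XX' form."""
    top = parse_mac(mac).to_bytes(6, "big")[:3]
    return ":".join(f"{b:02X}" for b in top)


def load_manuf(text):
    """Parse manuf-style lines into (prefix_bits, prefix_value, short, long),
    sorted longest prefix first so lookup() can stop at the first hit."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        prefix, short, *rest = line.split("\t")
        long_name = rest[0] if rest else short
        if "/" in prefix:
            prefix, bits = prefix.split("/")
            bits = int(bits)
        else:
            bits = 24                      # bare prefix: a classic OUI
        # pad a bare 6-digit OUI to 12 digits, then keep only the prefix bits
        digits = _NON_HEX.sub("", prefix).ljust(12, "0")
        value = int(digits, 16) >> (48 - bits)
        entries.append((bits, value, short, long_name))
    entries.sort(key=lambda e: e[0], reverse=True)
    return entries


def lookup(entries, mac):
    """Longest-prefix match of a MAC against the table. Returns the matching
    block's size too: 2^24 for an OUI, 2^12 for an MA-S block. None means the
    prefix is unregistered in this table, which is one signal that an address
    may have been hand-generated rather than burned in by a vendor."""
    addr = parse_mac(mac)
    for bits, value, short, long_name in entries:
        if addr >> (48 - bits) == value:
            return {"prefix_bits": bits, "short": short,
                    "long": long_name, "block_size": 1 << (48 - bits)}
    return None


if __name__ == "__main__":
    table = load_manuf(SAMPLE_MANUF)
    for sample in ("00:11:22:34:56:78",   # inside the /36 MA-S block
                   "00:11:22:3A:00:01",   # inside the /28, outside the /36
                   "00-11-22-99-00-01",   # only the /24 OUI matches
                   "aabb.ccdd.eeff",      # dotted notation, OtherCo
                   "02:00:00:00:00:01"):  # not in the table
        print(sample, oui(sample), lookup(table, sample))
```

The sort in load_manuf is what makes the nesting work: a /36 block is a subset of the /24 OUI it was carved from, so a table that checked the OUI first would attribute every MA-S address to the OUI holder. The block_size value is the practical point of the article's arithmetic: a vendor with an MA-S assignment can ship at most 4,096 devices under it before needing another block.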
Why use Wireshark OUI lookups
Because Wireshark's OUI lookup returns results from multiple data sources, the Wireshark manufacturer database can help network and security engineers identify hardware- or vendor-specific vulnerabilities. Other top reasons to use Wireshark OUI lookups include:
- Users can search for NICs of connected network devices manufactured by specific vendors. This helps identify Wi-Fi endpoints, as well as flag IoT devices, such as hidden wireless cameras.
- Security professionals use OUI lookups to help generate link-layer addresses that appear valid for penetration testing engagements. Conversely, OUI lookups can help distinguish manually generated link-layer addresses from vendor-assigned ones.
- OUI lookups support network device enumeration, which matters for many reasons, including better IT support as well as tracking potential vulnerabilities.
- Users can identify dedicated network devices, such as routers or Wi-Fi access points, by retrieving OUI provider information.
- OUI lookups can be used to identify other hidden devices, such as wireless cameras or other surveillance devices that have been installed incorrectly or accidentally at a location.
Wireshark users can access OUI lookup information collected during packet capture and use OUI addresses to filter traffic to and from specific addresses. Likewise, using the Wireshark OUI lookup website allows security professionals to access the database from a smartphone browser.