Anonymisation measures introduced by WiFi vendors makes to harder to use MAC Addresses to consistently identify a device. Here’s how you can tell if a device is using a locally administered (aka random) MAC Address.

A MAC address is six-pairs of hex characters, and a normal MAC address looks something like this:

13:fe:34:dc:56:22

Each pair of hex characters is represented by eight bits (one byte) of data.

Locally Administered Addresses

Locally administered MAC addresses can be identified by looking at the second hex character in the MAC Address. If the character is a 2, 6, a or e, the address is considered as locally administered.

The rationale behind this is buried in the two least significant bits of the second character of the MAC address.

Consider the below:

MAC Address
13:fe:34:dc:56:22

First byte of MAC Address (in Hex)
13:

First byte of MAC Address (in Binary)
0001 0011
       ^^ These two values are what we're interested in

The last two binary digits of the first byte control how the MAC address is perceived. The first (left-most) of these two digits is used to show if this is a Locally Administered MAC Address or not. The second (right-most) of these two digits is used to show if this MAC address belongs to an individual device, or a group.

Last two bits of the first byte Meaning
00 Not a locally administered address, assigned to a specific device
01 Not a locally administered address, assigned to a group of devices
10 A locally administered address belonging to a specific device
11 A locally administered address belonging to a group of devices

This means that any MAC Address where the penultimate bit of the first byte is ‘1’, is using a randomised or locally administered, MAC Address. This means we can easily produce a table showing all possible values of a locally administered MAC Address.

All Locally Administered MAC Addresses

This table shows all possible values of the second MAC Address character where a locally administered MAC Address is being used.

Binary Second Hex character of MAC Address
0010 2
0011 3
0110 6
0111 7
1010 a
1011 b
1110 d
1111 e

Locally Administered MAC Addresses for WiFi Clients

Where we are only concerned about identifying WiFi Clients using Locally Administered addresses, then we know our two bits of interest must be “10”. This narrows down the number of possible values for the MAC Address’s second hex character to just four.

Binary Hex
0010 2
0110 6
1010 a
1110 e

This means that all Locally Administered Addresses will fit in to one of the following address formats:

 x2:xx:xx:xx:xx:xx
 x6:xx:xx:xx:xx:xx
 xA:xx:xx:xx:xx:xx
 xE:xx:xx:xx:xx:xx

Regular Expression

Now we know what we’re looking for, we can use a Regular Expression to search for Clients using Locally Administered MAC Addresses.

Regex:  ^[0-9a-fA-F][26aeAE]

This regex can be read as;

 ^             Starting at the start of the string

 [0-9a-fA-F]   The first character can be anything between 0-f (f is a hex number,
               which is equivalent to 15 in decimal or 1111 in binary)

 [26aeAE]      The second character can be 2, 6, a, e, A or E


               NOTE: You can see that letters a & e are entered as both
               uppercase and lowercase in the regular expression.
               a, e, A & E are entered as lowercase and UPPERCASE to
               help prevent issues relating to the industry's lack of
               standardisation around whether upper or lower case 
               letters should be used to represent a MAC Address. This
               approach ensures that regardless of whether you have upper
               or lowercase letters, the regex will match correctly.

               Also note, the regex does not evaluate characters in the
               rest of the MAC address.

Updated: