In this brief tutorial, we’ll look at the difference between a MAC address and an IP address. Furthermore, we’ll learn about the component that acts as a bridge between the MAC and IP addresses. Also, we’ll explore how to extract MAC addresses from hosts in a remote or local network.
2. Difference Between a MAC Address and an IP Address
A Media Access Control address or MAC address is a 12-digit hexadecimal number that identifies a device connected to a network. In other words, it’s a unique identifier for network interface cards (NICs). These addresses can be written in two different formats:
Here, MM in the MAC address represents the Organization Unique Identifier (OUI) and SS is the Universally Administered Address (UAA). The OUI of the address identifies the vendor of the NIC and the UAA is a unique address that the vendor assigns to the device.
MAC addresses never change on their own and are permanent addresses. Although MAC addresses are hard-coded into the NIC, many device drivers allow a user to change the address. This is called MAC spoofing.
We can use the ip utility to view the MAC address of each NIC:
$ ip a ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:0c:29:d8:fa:9a brd ff:ff:ff:ff:ff:ff inet 172.16.186.133/32 scope global noprefixroute ens160 valid_lft forever preferred_lft forever inet6 fe80::20c:29ff:fed8:fa9a/64 scope link noprefixroute valid_lft forever preferred_lft forever
We can see the MAC address above next to the word ether. In this case, the MAC address is
In contrast, an IP address or Internet Protocol address is a unique number that identifies a computer in a network. IP addresses allow devices to connect to each other and transfer data.
IPv4 addresses have the format X.X.X.X, where X is any number between 0 and 255. Similarly, we can use the ip command to view the IPv4 and IPv6 addresses of a device. In our example from earlier, the IPv4 address is
172.16.186.133 and the IPv6 address is
3. Understanding ARP
The Address Resolution Protocol (ARP) is a protocol that acts as a bridge between layer 2 and layer 3 components of the OSI model. This means that it can map MAC addresses to IP addresses in a local area network (LAN) and vice versa.
It’s important to note that ARP only works with IPv4 addresses. In contrast, IPv6 addresses make use of a similar protocol known as the Neighbor Discovery Protocol (NDP).
For example, when a computer joins a network it has a unique IP address so that it can communicate with other hosts in the network. When a computer wants to communicate with another computer in the network, it packages the request into an IP datagram or IP packet. For the sender to know which computer to forward this packet to, it needs to have the destination IP and the destination MAC address. In most cases, the sender doesn’t know what the destination MAC address is. The sender needs to transmit an ARP broadcast which all hosts in the LAN will receive.
The ARP request includes the sender’s IP, the sender’s MAC address and the target’s IP address. Additionally, it contains a field for the target’s MAC address which, at that point, remains unknown. All devices have an ARP cache or ARP table. As a result, they use this cache to temporarily store the IP and MAC addresses of the hosts they communicate with.
4. Finding a MAC Address of a Given IP
The way to retrieve a MAC address from a device in the local network differs when trying to retrieve the address from an external network. Let’s explore the different ways that we can go about this.
4.1. Finding a MAC Address of a Host on the Local Network
First, we need to ping the given IP address. This establishes a connection with the device of the given IP address. When we ping the IP address, an ARP request is sent at the same time. When our device receives an ARP reply from 18.104.22.168, it updates the ARP cache with the given IP address and the MAC address obtained from the ARP reply.
We need a way to view the ARP cache so that we can see the MAC address. That’s where the ip neighbour command comes in. Now, we run the ip neighbour command to see the corresponding MAC address for the IP we’ve just pinged:
$ ping -c 1 172.16.187.129 PING 172.16.187.129 (172.16.187.129) 56(84) bytes of data. 64 bytes from 172.16.187.129: icmp_seq=1 ttl=64 time=2.17 ms --- 172.16.187.129 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 2.172/2.172/2.172/0.000 ms $ ip neighbour 172.16.187.2 dev ens160 lladdr 00:50:56:f3:ce:92 STALE 172.16.187.129 dev ens160 lladdr 00:0c:29:02:d4:5a REACHABLE
At this point, we observe two IP addresses after running the arp-equivalent ip neighbour command. The first IP is the gateway node and we can verify this by running ip route:
$ ip route default via 172.16.187.2 dev ens160 proto static metric 100
The second IP address is of a host in our LAN that we’ve previously pinged.
The ip neighbour command can only retrieve MAC addresses of computers in our local network.
4.2. Finding a MAC Address of a Remote Host
Since a MAC address is a component of the data link layer or layer 2 of the OSI model, an IP packet will remove it when it travels to a different network segment. It’s for this reason that ARP doesn’t work across routers and works only in a local area network.
There are different ways of retrieving the MAC address of a host in a remote network, but these options aren’t necessarily reliable. For instance, the router that forwards IP packets from the source to the destination server does see the MAC address of a remote server. Having SNMP access to the router would allow us to view this information. The router may need additional configurations for us to do this.
Secondly, a remote host may include the MAC address in its layer 3 traffic but this information can be false. Without a doubt, MAC addresses can be forged and that’s why they aren’t helpful when trying to authenticate hosts. Instead, we make use of server certificates.
In this article, we learned about mapping IP addresses to MAC addresses. We began with the basics such as differentiating the two concepts. Then we focused on the bridge between these two concepts which we know as ARP. After that, we delved into the methods used to retrieve MAC addresses.