Identify hardware with OUI lookup in Wireshark

Sometimes it’s useful to know the manufacturer of a given network adapter. Wireshark makes that information easy to find by performing an automatic OUI lookup on every captured frame.

Here’s everything you need to know about OUI in Wireshark.

What is an OUI?

An Organizational Unique Identifier (OUI) is a code embedded in the first three bytes of a MAC address. It identifies the device’s vendor. For instance, if the first three bytes of your network adapter are 3C:FD:FE, your card was sold by Intel.

OUI Lookup - Step 1

To give an example, the MAC address of my laptop is 54:27:1E:44:EC:BA. That means the OUI is 54:27:1E and the final three bytes are a unique identifier.

One caveat to keep in mind is that the OUI denotes the vendor and not the chipset manufacturer. In the examples below, the OUI vendor shows up as AzureWave, but Qualcomm manufactured the chipset. That’s because AzureWave packaged a Qualcomm chipset onto a PCIe mini card. They registered the card with the IEEE Registration Authority, so AzureWave is the vendor.

OUI lookup in Wireshark

Wireshark automates OUI lookup, which makes it very easy to identify the vendor of any given network adapter.  You need to know the IP address or hostname of the target machine. Wireshark does the rest.oui lookup

Ping lookup

One of the easiest ways to perform an OUI lookup on a given host is to ping it. In the example above, I used a display filter to show only the ping reply.

OUI Lookup - Step 3

Once the session is captured and filtered, click on any captured frame and scroll down to the Ethernet II frame header in the Packet details view.

OUI Lookup - Step 4

You can see that Wireshark has already performed an OUI lookup, and is showing the vendor as Raspberr_b1 which correctly identifies the target adapter as being made by Raspberry Pi.

OUI Lookup - Step 5

Manual lookup

If for some reason you’re not convinced Wireshark is performing the OUI lookup properly, or you need additional information about the vendor, use the Packet bytes view to pull the code yourself and perform a manual OUI lookup. The first three bytes of the frame are the destination OUI, while bytes 6 – 8 are the source OUI.

OUI Lookup - Step 6

All you have to do is paste the contents of those three bytes into an online OUI lookup tool in order to confirm Wireshark’s initial results. You can see some additional information about the vendor.

In this example I used the ping utility to generate ICMP traffic to examine the OUI code. In practice any traffic at all will work. For instance, a webserver might have ping disabled. But if it’s serving HTTP, you can use that traffic to determine the vendor of the remote host’s network adapter.

As long as you can get a computer to respond to pings or ACK any of your requests, you can determine who made its network adapter with an OUI lookup. Even if the traffic is encrypted, the OUI header is transmitted in plaintext.

IPv6 OUI lookup in Wireshark

Wireshark handles OUI lookup in IPv6 is the same way as IPv4. That’s because the OUI code is embedded in the frame header, not the packet itself.

OUI Lookup - Step 7

Here’s an example of an IPv6 ping to the same host as before. I’ve changed the capture and display filters in order to present the data clearly.

OUI Lookup - Step 8

You can see the OUI codes in exactly the same place in the packet header. Wireshark performs the OUI lookup on IPv6 traffic with no additional configuration.

Wireshark makes every OUI lookup easy

It’s trivial to find the vendor of any computer’s NIC, since each packet’s header includes an OUI code. Wireshark performs the lookup automatically. It’s not a stretch to say that anyone, regardless of their experience level, can perform an OUI lookup with Wireshark. It’s one of those things that just works, right out of the box.

Related:
Using Wireshark to get the IP address of an Unknown Host
How to run a remote capture with Wireshark and tcpdump