How Wireshark OUI Search Boosts Network Security

Wireshark OUI search is one of the most important features of the leading open source network protocol analyzer – and one of the least understood.

The key to network protocol analysis is to identify network endpoint devices and match them with the other endpoints they talk to. This gives network defenders a way to track potentially dangerous network activity between endpoints. It applies at every layer of the networks involved:

  • Networks of processes running on a single system are identified by the ports on which they listen for requests.
  • Systems attach to physical networks through a network interface card (NIC) and are identified on those physical networks by their media access control (MAC) addresses.
  • IP addresses assigned to systems for worldwide interoperability are used to identify networked devices on the global Internet.

When monitoring physical networks, one of the main pieces of information available is the MAC address of each connected device. Each network card can be uniquely identified by its MAC address: the first half of the physical address identifies the vendor of the device, and the second half uniquely identifies the device itself. The first half of the MAC address is the organizationally unique identifier (OUI) assigned to the network adapter vendor.

Wireshark, the leading open source network protocol analyzer, captures network traffic and allows network engineers to match network protocol data units (packets, segments, datagrams, etc.) up and down the protocol stack. This means that Wireshark analysis reveals the ports to which network traffic is sent, the IP addresses through which the traffic passes, and the identity of the network card through which the data is physically transmitted.

The Wireshark OUI lookup tool provides an important service for protocol analysis of local network interfaces, but to understand what it is and how it works, it is important to understand how MAC addresses are created and assigned.

What is an Organizationally Unique Identifier?

Most modern network cards are identified by MAC addresses consisting of six bytes (48 bits). These are usually represented by 12 hexadecimal digits in six pairs, separated by colons or hyphens, for example:

00:00:5E:AB:CD:EF

00-00-5E-12-34-56

The first three bytes (00:00:5E in the examples above) are the OUI assigned by the IEEE Registration Authority to the network card vendor. The OUI database was originally used to associate Ethernet cards with their manufacturers, but the OUI has been extended to cover all types of network cards, including Wi-Fi and other non-Ethernet devices.

Each OUI leaves 24 bits for the device part of the address, so a single OUI can cover no more than 2^24, or 16,777,216, unique MAC addresses. Given the scale and number of networked devices, vendors that manufacture tens or hundreds of millions of network cards must therefore use multiple OUIs.

OUI databases include the following information about each OUI:

  • the OUI itself;
  • the name of the supplier; and
  • an optional extended vendor name and/or associated address notes.

While many MAC address lookup tools rely solely on a single source, typically the IEEE list of OUI assignments, Wireshark’s manufacturer database pulls its data from the IEEE list as well as from other sources that document MAC addresses, such as the Internet Assigned Numbers Authority lists of reserved addresses. The Wireshark OUI database was originally taken from Michael Patton’s Ethernet Codes Master Page and has been merged with that source since 2016.

Wireshark’s manuf library loads all Ethernet vendor codes and well-known MAC addresses into working memory so that OUI lookup is available anywhere in the analyzer.

MAC address lookup itself is useful for enumerating devices on a physical network and tracking device movements from one physical network to another.

How does Wireshark OUI search work?

When using Wireshark to capture and analyze network traffic, OUI lookup is built into the analyzer interface, as shown in Figure 1, which shows Wireshark running on a Linux system. OUI data is integrated into the display along with all other protocol data and is highlighted in Figure 1.

Figure 1. Wireshark displays OUI data for address 00:0b:be:18:9a:41, a Cisco OUI, as displayed in the Wireshark GUI application running on Linux.

The Wireshark OUI service can also be accessed interactively through the Wireshark website at this URL:

https://www.wireshark.org/tools/oui-lookup.html

Security and network engineers can use this public tool to report questionable or suspicious devices or to research specific vendors.

[Screenshot of the Wireshark OUI lookup web tool]
Figure 2. Wireshark displays OUI data for address 00:0b:be:18:9a:41, a Cisco OUI, as displayed in Wireshark’s OUI lookup web tool.

The OUI lookup can also return information about Individual Address Block (IAB) assignments. IAB was replaced in 2014 by the MA-S (MAC Address Block Small) registry, which performs the same function under the IEEE. IAB and MA-S are used by organizations that need far fewer than 16 million MAC addresses. Unlike ordinary MAC addresses, addresses assigned under IAB/MA-S carry a 36-bit vendor prefix. This leaves only 12 bits (2^12, or 4,096 unique addresses) to identify individual network adapters within an MA-S block.

Why Use Wireshark OUI Search

Because the Wireshark OUI search returns results from multiple data sources, the Wireshark manufacturer database can help network and security engineers identify vulnerabilities associated with specific hardware or vendors. The other main reasons to use Wireshark OUI lookup are:

  • Users can search for network adapters of connected network devices that have been manufactured by specific vendors. This helps identify Wi-Fi endpoints, as well as flag IoT devices, such as hidden wireless cameras.
  • Security professionals use OUI lookup to create seemingly valid link-layer addresses for penetration testing engagements. The OUI lookup can help differentiate such specially crafted link-layer addresses from vendor-assigned ones.
  • The OUI lookup makes it easier to enumerate network devices, which is important for many reasons, including better IT support as well as tracking potential vulnerabilities.
  • Users can identify specialized network devices, such as routers or Wi-Fi access points, by retrieving OUI provider information.
  • The OUI lookup can be used to identify otherwise hidden devices, such as wireless cameras or other surveillance devices that have been improperly or unknowingly installed in a location.

Wireshark users can access OUI lookup information gathered during packet captures and use OUI addresses to filter traffic to and from specific addresses. Similarly, using the Wireshark OUI search web page allows security professionals to access the database from a smartphone browser.
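As an added example (not code from this article or from the Wireshark project), the Python below does the checks described on this page: it extracts the 24-bit OUI and the 36-bit MA-S prefix from a MAC address, looks them up in a small constructed vendor table, flags the locally administered bit that randomized or crafted addresses carry, and builds the Wireshark display filter for an OUI. The table layout is a simplified manuf-like format, and every entry except the Cisco and IANA prefixes named on the page is a made-up assumption.

```python
import re

# Constructed table in a simplified manuf-like layout (prefix/bits, short name, long name).
# The 00:0B:BE entry matches the Cisco address in the figures; the 36-bit MA-S entry is made up.
MANUF_SAMPLE = """\
00:00:5E/24\tIANA\tInternet Assigned Numbers Authority
00:0B:BE/24\tCisco\tCisco Systems, Inc
70:B3:D5:12:30/36\tExampleCo\tExample MA-S holder (constructed)
"""

def load_manuf(text):
    # Key is (covered hex digits, prefix length in bits) so 24- and 36-bit entries coexist.
    table = {}
    for line in text.strip().splitlines():
        prefix, _short, longname = line.split("\t", 2)
        addr, bits = prefix.split("/")
        table[(addr.replace(":", "").upper()[: int(bits) // 4], int(bits))] = longname
    return table

def parse_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return 12 uppercase hex digits."""
    digits = re.sub(r"[:-]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def oui(mac):
    d = parse_mac(mac)
    return ":".join(d[i:i + 2] for i in (0, 2, 4))  # first three bytes = 24-bit OUI

def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set means the address was not vendor-assigned."""
    return (int(parse_mac(mac)[:2], 16) & 0x02) != 0

def lookup(mac, table):
    """Longest-prefix match: try a 36-bit MA-S block first, then the 24-bit OUI."""
    d = parse_mac(mac)
    for bits in (36, 24):
        name = table.get((d[: bits // 4], bits))
        if name:
            return name
    return None

def classify(mac, table):
    if is_locally_administered(mac):
        return "locally administered (randomized or crafted, not vendor-assigned)"
    name = lookup(mac, table)
    return f"vendor: {name}" if name else "unregistered prefix: check the IEEE/Wireshark database"

def display_filter_for_oui(mac):
    # Wireshark display filter selecting frames to or from any address in this OUI.
    return f"eth.addr[0:3] == {oui(mac).lower()}"
```

The locally administered check is a cheap first triage step: an address with that bit set was never registered to any vendor, so a vendor lookup on it is meaningless and the device deserves a closer look.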