MAC (Media Access Control)

Finjan TeamBlog, Network Security

Finjan MAC (Media Access Control)

Telecommunications and old-school postal systems use a hierarchy of identifying characteristics (number, exchange, zip or area code, state or country code, etc.) to break the process of transmitting messages into manageable steps, each of which may be handled by mechanisms appropriate to a given stage (mailbox, local sorting office, etc.).

The same holds true for network and internet communications, where part of the hierarchy of identifying traits is provided by MAC, or Media Access Control.

MAC Address – Unique Identifiers

In a LAN (Local Area Network) or other type of network such as the internet, a Media Access Control or MAC address serves as a unique identifier for each piece of hardware. The MAC protocol provides a channel of access and an addressing mechanism, so that each available node on the network may communicate with other nodes which are available – either on the same network, or on others.

MAC addresses are sometimes known as physical addresses or hardware addresses, and are set by hardware manufacturers to uniquely identify their devices. A traditional MAC address is a twelve-digit hexadecimal number, 48 bits or six bytes long, written in one of the following manners:


The string of “M”s on the left (six digits, or 24 bits) is called a prefix, and is associated with the device manufacturer. The IEEE standards authority issues a given set of MAC prefixes to each vendor that registers with it. These may be assigned to the various products making up their range of hardware.

The “S” digits on the right give the identification number associated with a specific device. Each piece of hardware manufactured by a given vendor (and operating under a given MAC prefix) has its own unique 24-bit number. But as different vendors are issued with different MAC prefixes, it’s possible for devices originating from different manufactures to use the same sequence of “S” digits in their MAC address, without confusing the system.

Some wireless home automation networks defined by IEEE 802.15.4 require hardware devices to be configured with MAC addresses of 64 bits, rather than 48.

The MAC Layer

In telecommunication protocols, MAC addresses are used by the Media Access Control sub-layer of the Data Link Control (DLC) layer, which is the protocol layer of a program that handles the flow of data moving in and out over physical links in the network. Each type of physical device has a different MAC sub-layer.

Media Access Control is itself a sub-layer of the Data Link Layer (DLL) defined within the seven-layer OSI (Open Systems Interconnection) network reference model. MAC assumes responsibility for transmitting data packets to and from a network interface card, or to and from other remotely shared channels.

Origins in Ethernet

Media Access Control has its roots in network computing under the Ethernet protocol, where it provides the data link layer for LAN systems. MAC encapsulates payload data by adding Protocol Control Information (PCI) as a 14-byte header before the information, and adding a checksum for integrity checking.

The Preamble

Before data transmission, there’s a short idle time of 9.6 microseconds (µS) to allow for the receiver circuitry in each node to settle after completion of the previous transmission frame. A special pattern (binary 11) is used to mark the last two bits of the preamble. Once this is received, the Ethernet receive interface begins gathering the bits into bytes for processing by the MAC layer.

The MAC Header

The MAC header consists of three parts:

  1. A six-byte destination address, specifying a single recipient node (unicast mode), several nodes (multicast), or the set of all recipient nodes (broadcast mode).
  2. A six-byte source address, set to the sender’s unique node address.
  3. A two-byte type field, providing a Service Access Point (SAP) which identifies the type of protocol being carried.

The Checksum (CRC)

Sometimes referred to as a as a Frame Check Sequence, the Cyclic Redundancy Check or CRC is a 32-bit checksum calculated to provide error detection in the case of Ethernet transmission collisions or line errors which could corrupt the MAC frame. Any frame returning an invalid CRC is rejected by the MAC frame, without processing.

The Inter-Frame Gap

The Inter-Frame Gap or IFG is the period of 9.6 microseconds (at 10 Mbps) that a transmitter must wait between sending frames, to allow for signal propagation at the receiver end. This is the same period as the preamble at the start of a transmission.


Carrier Sense Multiple Access (CSMA) with Collision Detection (CD) protocol regulates access to shared Ethernet media.

Runt Frames

Any received frame having less than 64 bytes is known as a runt – and is considered illegitimate. Runt frames typically arise from data collision, and are discarded by the receiver.

Giant Frames

A received frame which is larger than the maximum designated size is referred to as a giant. These may stem from failures or imperfections in the network’s physical layer, and are also discarded.

Jumbo Frames

Some Gigabit Ethernet NICs (Network Interface Cards) support frames in excess of the 1500 bytes specified by the IEEE standard. This mode of transmission requires both ends of the communication link to support these jumbo frames.

The Issue with Frames

As mentioned earlier, the maximum size of a data packet which may be carried in a MAC frame using Ethernet is 1500 bytes. This limit is known as the MTU, under Internet Protocol or IP.

Ethernet also requires a minimum frame size of 46 bytes for every MAC frame. If the network layer wishes to transmit less than this, the MAC protocol adds a set of null padding characters (zero bytes, or 0x00) to make up the difference.

Address Resolution Protocol (ARP)

The Address Resolution Protocol or ARP is used to establish the MAC source address of remote computers whenever IP is used over an Ethernet LAN. In turn, IP networks use ARP to manage the conversion between IP and MAC addresses. And the unique assignment of IP addresses to various devices is managed by the Dynamic Host Configuration Protocol (DHCP), in conjunction with ARP.


TCP/IP networks use both IP and MAC addresses. A MAC address will remain fixed to a hardware device, but the IP address may alter dynamically in accordance with its TCP/IP network configuration.

In the OSI model, Internet Protocol operates at Layer 3, while the MAC protocol works at Layer 2. Media Access Control is able to support other networks besides TCP/IP, for this reason.

Cloning of MAC Addresses

Some ISPs (Internet Service Providers) map each of their residential customer accounts to the MAC address of their home network router or gateway device. If the customer installs a new router, the address seen by the provider will change – with the ISP seeing a different MAC address. This can lead to blocking or revocation of the account.

This situation can be avoided through a process called “cloning” whereby a router or gateway may be configured to continue reporting the same MAC address to the provider, even if the new hardware has a different identifier. Otherwise, customers need to contact their ISP to register the new device.

Share this Post

Finjan MAC (Media Access Control)
Article Name
The MAC Address (Media Access Control) and its Role in Communications
In a Local Area Network (or other network such as the internet), a Media Access Control or MAC address serves as a unique identifier for each piece of hardware.
Publisher Name
Publisher Logo