While troubleshooting a wireless issue, I mentioned offhand to another engineer that a particular MAC address was private. They immediately asked me “How did you know just by looking at it?”
I said “Look at the second least significant bit of the most significant byte,” but quickly realized that needed a bit more explanation.
“Private” MAC addresses, at least as implemented by Apple and Android, set the locally-administered bit for their randomized addresses. RFC 7042 section 2.1 specifies the “Local bit”:
The Local bit is zero for globally unique EUI-48 identifiers assigned by the owner of an OUI or owner of a longer prefix. If the Local bit is a one, the identifier has been considered by IEEE 802 to be a local identifier under the control of the local network administrator […]
This is the 02 bit of the first octet in the MAC. If it is set, this is a locally-administered address. Essentially, if the second hex digit is 2, 6, A, or E, it is a private MAC.
- x2:xx:xx:xx:xx:xx
- x6:xx:xx:xx:xx:xx
- xA:xx:xx:xx:xx:xx
- xE:xx:xx:xx:xx:xx
What about MAC addresses with the next bit set, such as when the first octet is 03 or 07? Those still have the local bit set. Yes, but the 01 bit is the unicast/multicast bit (individual/group, or I/G, bit). We seldom see locally-administered multicast layer 2 addresses in use, so they can be ignored for the purposes of “private MAC addresses”.
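The bit test described above, as an added example that is not part of the original post: it checks the 02 and 01 bits of the first octet and derives the 2/6/A/E rule from them. The function names, category labels and sample addresses are assumptions made for illustration.

```python
import re

LOCAL_BIT = 0x02  # "Local bit" of the first octet (RFC 7042 section 2.1)
GROUP_BIT = 0x01  # unicast/multicast (I/G) bit of the first octet


def parse_mac(text):
    """Return the six octets of a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def classify(text):
    """Classify a MAC by the two low-order bits of its first octet."""
    first = parse_mac(text)[0]
    local = bool(first & LOCAL_BIT)
    group = bool(first & GROUP_BIT)
    if local and not group:
        return "private"          # locally administered unicast
    if local and group:
        return "local-multicast"  # e.g. first octet 03 or 07
    if group:
        return "global-multicast"
    return "global-unicast"


def private_second_digits():
    """Second hex digits that have the local bit set and the multicast bit clear."""
    return [f"{n:X}" for n in range(16) if n & LOCAL_BIT and not n & GROUP_BIT]


# Constructed sample addresses, one per notation and category.
SAMPLES = [
    "a6:5e:60:12:34:56",  # second digit 6
    "DA-A1-19-00-00-01",  # second digit A
    "0300.0000.0001",     # first octet 03: local bit and multicast bit both set
    "3c:22:fb:00:00:01",  # neither bit set
    "01:00:5e:00:00:fb",  # multicast bit only
]

if __name__ == "__main__":
    print("private second digits:", ", ".join(private_second_digits()))
    for mac in SAMPLES:
        print(f"{mac:20} {classify(mac)}")
```
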