I wanted to chime in about this.
It's pretty easy, I'd say trivial to see if its the same device if you
where to look at an example of what network logs or dhcp logging may
look like:
```
| Time | Source MAC | Hostname | Destination MAC
| Protocol | Source Port | Destination Port | Length | Info
| Client IP |
|----------------|---------------------|------------|----------------------|----------|-------------|------------------|--------|--------------------------------|-------------------|
| 11:47:12.654 | 88:12:4e:5a:db:4c | | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.100? | 192.168.1.100 |
| 11:47:13.987 | 98:10:e8:64:55:da | Iphone16 | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.101? | 192.168.1.101 |
| 11:47:15.320 | 00:04:23:a2:8c:fb | Windows11 | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.102? | 192.168.1.102 |
| 11:47:16.653 | 88:12:4e:b4:36:4c | | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.103? | 192.168.1.103 |
| 11:47:18.986 | 88:12:4e:0a:16:a5 | | 00:25:86:df:9a:5e
| ARP | - | - | 42 | Who has
192.168.1.104? | 192.168.1.104 |
| 11:47:20.319 | 00:b3:62:96:a2:4d | JohnsPhone | 00:d0:e1:12:f6:ee
| TCP | 54321 | 80 | 1500 | HTTP GET
/index.html | 192.168.1.50 |
| 11:47:21.652 | 88:12:4e:fb:27:e9 | | 7c:1b:4d:22:8e:ef
| UDP | 12345 | 12345 | 100 | DNS Query
| 192.168.1.120 |
| 11:47:22.985 | 88:12:4e:d3:5f:e0 | | 40:61:86:2e:8f:9c
| ICMP | - | - | 56 | Echo Request
| 192.168.1.130 |
| 11:47:24.318 | 98:10:e8:64:55:da | Iphone16 | 34:21:9d:81:5f:4c
| TCP | 80 | 54321 | 1200 | HTTP Response
| 192.168.1.150 |
| 11:47:25.651 | 88:12:4e:1a:0e:0e | | 50:7b:9d:12:34:56
| ARP | - | - | 42 | Who has
192.168.1.105? | 192.168.1.105 |
| 11:47:27.984 | 00:04:23:a2:8c:fb | Windows11 | 60:1e:5c:3a:2b:4d
| ARP | - | - | 42 | Who has
192.168.1.106? | 192.168.1.106 |
```
All one has to do is look for devices with the same OUI in the MAC
address and no hostname...
(Bellow is the table in html if above doesn't format correctly in the email)
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Network Traffic</title>
<style type="text/css">
body {
margin: 0;
padding: 0;
font-family: Arial, sans-serif;
}
table {
width: 100%;
border-collapse: collapse;
margin: 20px 0;
}
th, td {
padding: 12px;
border: 1px solid #ddd;
text-align: left;
}
th {
background-color: #f0f0f0;
}
</style>
</head>
<body>
<table>
<tr>
<th>Time</th>
<th>Source MAC</th>
<th>Hostname</th>
<th>Destination MAC</th>
<th>Protocol</th>
<th>Source Port</th>
<th>Destination Port</th>
<th>Length</th>
<th>Info</th>
<th>Client IP</th>
</tr>
<tr>
<td>11:47:12.654</td>
<td>88:12:4e:5a:db:4c</td>
<td></td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.100?</td>
<td>192.168.1.100</td>
</tr>
<tr>
<td>11:47:13.987</td>
<td>98:10:e8:64:55:da</td>
<td>Iphone16</td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.101?</td>
<td>192.168.1.101</td>
</tr>
<tr>
<td>11:47:15.320</td>
<td>00:04:23:a2:8c:fb</td>
<td>Windows11</td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.102?</td>
<td>192.168.1.102</td>
</tr>
<tr>
<td>11:47:16.653</td>
<td>88:12:4e:b4:36:4c</td>
<td></td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.103?</td>
<td>192.168.1.103</td>
</tr>
<tr>
<td>11:47:18.986</td>
<td>88:12:4e:0a:16:a5</td>
<td></td>
<td>00:25:86:df:9a:5e</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.104?</td>
<td>192.168.1.104</td>
</tr>
<tr>
<td>11:47:20.319</td>
<td>00:b3:62:96:a2:4d</td>
<td>JohnsPhone</td>
<td>00:d0:e1:12:f6:ee</td>
<td>TCP</td>
<td>54321</td>
<td>80</td>
<td>1500</td>
<td>HTTP GET /index.html</td>
<td>192.168.1.50</td>
</tr>
<tr>
<td>11:47:21.652</td>
<td>88:12:4e:fb:27:e9</td>
<td></td>
<td>7c:1b:4d:22:8e:ef</td>
<td>UDP</td>
<td>12345</td>
<td>12345</td>
<td>100</td>
<td>DNS Query</td>
<td>192.168.1.120</td>
</tr>
<tr>
<td>11:47:22.985</td>
<td>88:12:4e:d3:5f:e0</td>
<td></td>
<td>40:61:86:2e:8f:9c</td>
<td>ICMP</td>
<td>-</td>
<td>-</td>
<td>56</td>
<td>Echo Request</td>
<td>192.168.1.130</td>
</tr>
<tr>
<td>11:47:24.318</td>
<td>98:10:e8:64:55:da</td>
<td>Iphone16</td>
<td>34:21:9d:81:5f:4c</td>
<td>TCP</td>
<td>80</td>
<td>54321</td>
<td>1200</td>
<td>HTTP Response</td>
<td>192.168.1.150</td>
</tr>
<tr>
<td>11:47:25.651</td>
<td>88:12:4e:1a:0e:0e</td>
<td></td>
<td>50:7b:9d:12:34:56</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.105?</td>
<td>192.168.1.105</td>
</tr>
<tr>
<td>11:47:27.984</td>
<td>00:04:23:a2:8c:fb</td>
<td>Windows11</td>
<td>60:1e:5c:3a:2b:4d</td>
<td>ARP</td>
<td>-</td>
<td>-</td>
<td>42</td>
<td>Who has 192.168.1.106?</td>
<td>192.168.1.106</td>
</tr>
</table>
</body>
</html>
On 6/16/25 08:07, intrigeri wrote:
> Hi,
>
> Joe via Tails-dev (2025-06-15):
>> I hope this message finds you well. I am writing to bring to your attention an important consideration regarding the MAC spoofing feature in Tails. The existing MAC spoofing feature in Tails OS is a step in the right direction, as it checks for NIC existence and retries if necessary, treating the NIC as a unique identifier for WiFi cards. While the current implementation effectively changes the NIC part of the MAC address, it leaves the OUI (Organizationally Unique Identifier) exposed, which can potentially compromise user anonymity.
>
> Thanks!
>
> Can you please make sure you're up-to-date with the current state of
> your plans (https://gitlab.tails.boum.org/tails/tails/-/issues/7038)
> and check what your proposal brings on top of this?
>
> Cheers,