How to get client's MAC address by which it connects to server

wcleung9 asked
Medium Priority
Last Modified: 2010-05-18
We have a Java web service, running on WebSphere. A Java client is installed on every client PC (Windows 2000 or Windows 2003) to do the connection, through SSL.

Now we want to authenticate clients by their MAC address. As we have a thick client installed on client side, I know we can easily get client's MAC address by simple "ipconfig /all" or WMI scripting. (But I don't know a pure Java way. If anyone does, it's appreciated too.)

However, we consider the possibility that a client PC may have more than 1 LAN cards. What we want is, during each single connection, to get the MAC address of the LAN card by which the client uses to connect to server. I wonder if this is possible?

Top Expert 2014

I would suggest that you pick another method of authentication.  Server and client side certificate authentication.  Do self signed client side certificates based on each PC.   Validate the certificate when the client connects.  If you want to cut off a specific PC, then you just remove its certificate from your keyring file.

In addition to having a client with more than one NIC, you also have the problem of them replacing the NIC if it dies.  What happens if a client uses more than one computer?

How are you going to populate your database you validate against?  Is the user going to have to tell you his MAC address?

And don't forget about MAC spoofing...


Actually, client side certificate authentication is the approach we are currently using.

An incident that happened was that an unfaithful user produced a backup image of his PC's hard disk content, and gave the image to a 3rd party. That 3rd party then successfully connected to our web service, just because they had the certificate. So we learnt that a digital certificate is a mere file, which can be easily copied.

That's why we came up with the MAC address approach. We searched Google and read through many discussions about this topic. We fully understand the drawbacks: a user's MAC address changes when he replaces the NIC, or when he uses another computer. So yes, we will require users to submit their MAC addresses to us every time they change them. We would rather sacrifice users' convenience so as to make the mechanism more secure.

Well, this MAC address approach is more practical in our case than usual because:
1. each user uses 1 and only 1 computer as client PC to connect to our web service.
2. users rarely change the hardware components of their client PC, at most once or twice per year.
3. users rarely change to use another computer as client PC, at most once every 3 to 4 years.
4. users are obligated to use the web service, no matter whether they think it's convenient or not.
Top Expert 2014

Was the client side certificate user based?  It sounds like it.  You need one that is based on the user's IP address, that is machine based.  As long as each user has a static IP address, you are fine.


yeah MAC spoofing would be a problem......

In fact we wanted to use more hardware info. However, not much hardware info is as unique as MAC address.

We wondered if the CPU has something like a unique serial no., but then learnt that Intel was forced to remove such a "fingerprint" from their products due to privacy issues.

Some suggested to use hard drive's volume label. Then others said that, although it is supposed to be randomly generated, it is actually not that random.
Top Expert 2014


This is a link to some Java code that is supposed to be able to get the MAC and IP address.

Some CPUs have a unique serial no. but there is a way to disable this from being presented and I believe that most systems now ship with this disabled.

There is not a whole lot that is unique to a PC that can't be changed, hidden, or is copied over when doing some sort of disk copy.

If the desktops have static IP addresses, you may be able to use a combination of:

     the IP address that your server sees
     the MAC address of the computer
     the IP address of the computer

In the situation you described above, the only way the computer running the copy of the software would have worked is if it was behind the same firewall/proxy server as the original and the original computer was turned off, and they had spoofed the MAC address.  If they are going to that much trouble, then there is not a whole lot you can do to prevent them from getting in.


thx for the link. It might come in handy~

Actually we had considered all the 3 info you mentioned (though not considered the combination of them).
MAC address is the info we chose to use.
For the "IP address the server sees", i.e. the public IP of the client, yes, the clients have fixed public IP. But I heard that (I haven't dug into the code yet) our web service mechanism, XML-RPC, has difficulty in obtaining that info. Please correct me if this is wrong.
Since we can't get the fixed public IP, getting the internal IP becomes meaningless.

I agree that if we can use this combination for authentication, it's secure enough for our needs.

Well, apart from the discussion about the authentication means, just want to ask again: any method to get client's MAC address by which it connects to server?
Top Expert 2014
I know that WebSphere knows the IP address that the client connects to it with. So it should just be a matter of passing this as a parameter to your application when it is launched.

If a client has more than one MAC address you will not be able to see which one it connects to you with.  In order to do that you have to "see" the whole path to the client.  In fact you really should not care what MAC address the client is using, as long as it has one that you know about.

Some PCs today are set up with multiple NICs (thus multiple MACs) and have dynamic pathing set up so that if a path via one NIC does not work it will try a path using the other NIC.  Do you really care which one it uses?
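An added example, not part of the thread or anyone's posted code: on the client side, pure Java (6 or later) can map the local address of the connected socket to its interface and read that interface's MAC with `NetworkInterface.getHardwareAddress()`. The class and method names are made up for this sketch, and the value is whatever the client machine reports, so the server still has to treat it as client-supplied input.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.SocketException;
import java.util.Collections;

public class ConnectionMac {

    // MAC of the NIC that owns this local address, or null if it cannot be determined.
    static String macForLocalAddress(InetAddress local) throws SocketException {
        if (local == null || local.isAnyLocalAddress()) return null; // not bound to one NIC
        NetworkInterface nic = NetworkInterface.getByInetAddress(local);
        if (nic == null) return null;
        byte[] hw = nic.getHardwareAddress(); // null for loopback, some tunnels, or no permission
        if (hw == null) return null;
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hw.length; i++) {
            if (i > 0) sb.append('-');
            sb.append(String.format("%02X", hw[i] & 0xff));
        }
        return sb.toString();
    }

    // For a connected socket (an SSLSocket is a Socket), use the address the OS bound it to.
    static String macForSocket(Socket s) throws SocketException {
        return macForLocalAddress(s.getLocalAddress());
    }

    public static void main(String[] args) throws Exception {
        // Every local address and the MAC behind it: a multi-NIC PC prints several.
        for (NetworkInterface nic : Collections.list(NetworkInterface.getNetworkInterfaces()))
            for (InetAddress a : Collections.list(nic.getInetAddresses()))
                System.out.println(nic.getName() + " " + a.getHostAddress() + " " + macForLocalAddress(a));

        // Constructed offline demo: connect to a listener on loopback. With a real
        // server, pass host and port as arguments; loopback itself has no MAC (prints null).
        boolean remote = args.length == 2;
        ServerSocket listener = remote ? null : new ServerSocket(0, 1, InetAddress.getByName("127.0.0.1"));
        String host = remote ? args[0] : "127.0.0.1";
        int port = remote ? Integer.parseInt(args[1]) : listener.getLocalPort();
        Socket s = new Socket(host, port);
        try {
            System.out.println("connection uses " + s.getLocalAddress().getHostAddress()
                    + " -> " + macForSocket(s));
        } finally {
            s.close();
            if (listener != null) listener.close();
        }
    }
}
```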

Something else that came to mind once I started dealing with some issues at work was your privacy policy.  Depending on how your service works IE6+ might block anything that gets personally identifiable information unless you have a specific P3P header that is allowed by the browser, especially if you use cookies in any way.

As far as Java code goes try this:
Also check out http://forum.java.sun.com/thread.jspa?threadID=245711

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ARPTable {

    // IP address -> MAC address, as listed in the output of "arp -a"
    private final Map<String, String> addressArray =
            Collections.synchronizedMap(new HashMap<String, String>());

    // Re-run "arp -a" and store every IP/MAC pair it lists
    public void updateARPTable() {
        Matcher a = this.getARPResult();
        while (a.find()) {
            String s = a.group();
            String[] ss = s.split("\\s+");
            String ip = "", mac = "";
            for (int i = 0; i < ss.length; i++) {
                if (ss[i].matches("\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}"))
                    ip = ss[i];
                if (ss[i].matches("[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}"))
                    mac = ss[i];
            }
            addressArray.put(ip, mac);
        }
    }

    // Run "arp -a" and return a matcher over the "IP  MAC" pairs in its output
    private Matcher getARPResult() {
        StringBuilder output = new StringBuilder();
        try {
            //TODO: add a check for the OS
            Process p = Runtime.getRuntime().exec("arp -a");
            BufferedReader in =
                    new BufferedReader(
                         new InputStreamReader(p.getInputStream()));
            String currentLine = null;
            while ((currentLine = in.readLine()) != null)
                output.append(currentLine).append('\n');
            in.close();
        } catch (IOException e) {
            // No ARP output available: the matcher below simply finds nothing
            e.printStackTrace();
        }

        String spat = "\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\s*[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}\\-[\\da-zA-Z]{1,2}";
        Pattern arpPattern = Pattern.compile(spat);
        Matcher arpM = arpPattern.matcher(output);

        return arpM;
    }

    // MAC recorded for the given IP, or "" if the IP is not in the table
    public String getMAC(String ip) {
        String o = this.addressArray.get(ip);
        return (o != null) ? o : "";
    }
}

[REF: http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4143901 ]
You may also want to check out this post: