Help understanding Attempting to create AWDL interface for en0 in wifi logs

mac network wifi

Creating a virtual interface just means that the computer internally refers to something by one name which is really physically backed by something with a different name.

For example you might have a physical Ethernet interface in your computer, and then you create a virtual interface for a VPN connection. The data is really transferred over the physical interface, but you refer to the virtual name so that the system knows that the data destined there is going to be encrypted and encapsulated before being sent on the physical network.

The AWDL interface you have logged here could have been used for for example AirDrop, AirPlay or some form of Continuity. It is for example possible to AirDrop and AirPlay without being connected to an existing, specific WiFi network. Instead a direct connection is created using an Apple protocol over this “virtual interface”.

Regarding the creation of the MAC address - this is not something you should worry about. It is perfectly normal for macOS to create randomized MAC addresses in order to prevent you from being unwillingly tracked by others.

You can read more about where and when Apple employs MAC randomisation here.

You can distinguish such a locally generated, randomised MAC because the 2nd least significant bit of the first byte is a one. This means that the MAC address is locally generated, and as such holds no intrinsic "meaning". If you look at the hexadecimal representation of a MAC address, this means that the second character of the address must be either 2, 6, A or E for an ordinary WiFi interface. An interface used for multicasting can have a 3, 7, B or F instead.

This is different from MACs that have the 2nd least significant bit of the first byte set to one. Those MAC addresses starts with a vendor ID that allows you to lookup whom manufactured the hardware. The second character of the hexadecimal representation of the address then is either 0, 4, 8 or C for a unicast MAC, and 1, 5, 9 or D for multicasting.

You did not include the actual MAC address you see on your system, as it was redacted from your logs - but you can check with the above mentioned system whether or not the MAC address you're seeing is actually a randomised, locally generated one or not.

The other part you were concerned about was not being able to find the interface in the list of interface you find with ifconfig. You can generate a full list of interfaces using this command:

ifconfig -l

You'll find the awdl0 interface in there. As indicated in your comments, you had a concern that this listing did not show the same MAC address as your log snippet. This is actually not a problem and completely normal.

The MAC address listed by ifconfig is typically the physical MAC. In practice it is often an address stored in an EEPROM chip on network interface during manufacturing. Note that the contents of an EEPROM can be changed, so it is still something that can be changed, if you would like.

However, MAC address randomisation happens quite often (i.e. often when you connect to a new network SSID, every 24 hours or similar). For this purpose it doesn't make sense to change the "burned in" value in the EEPROM. Also your system can actually be using multiple randomised MAC addresses at the same time (for example if you're connecting to an infrastructure access point at the same time AirDrop'ping while AirPlay'ing).

The actual MAC address randomisation thus happens on a slightly different layer. It is so that when a packet goes out on the network, the operating system can typically with most types of interfaces completely decide which MAC address is listed in the header - it doesn't have to be the physical address.

This means that it is perfectly normal for ifconfig to show one MAC address while a different MAC address is actually using for packets going out on the awdl0 interface - and thus also for logging awdl0 related debug messages.

Indeed if you look closer at the ifconfig interface list, you'll typically also find an interface named llw0. This is the low-latency WiFi interface - a virtual interface similar to the awdl0 interface. It will show the same MAC address as the awdl0 interface, as it the physical MAC of the WiFi interface that is shown. MAC address randomisation for awdl0 does not apply to llw0, so they can communicate with different MAC addresses at the same time.


Apple AWDL is a proprietary undocumented IEEE 802.11 based ad hoc protocol. Apple uses it for Airdrop and AirPlay and perhaps even FindMy AirTag tracking (uses UWB radio not AWDL virtual interface). When you see the virtual AWDL0 interface that is what it is doing. Apple products are peer-to-peer talking to each other using this protocol.

If you are interested, there's a fascinating paper written by a few researchers who reverse engineered things in 2018 and documented their findings. I found that one of the co-authors of this paper posted the link to Stack Exchange previously. https://arxiv.org/abs/1808.03156

Virtual interfaces typically change MAC / Physical Addresses when they are created. That's why the Physical Address (MAC) changes all the time. I have an AWDL0 interface on my Mac that's not currently connected to anything but its there with a unique Physical Address (MAC). Same thing happens with most VPN virtual interfaces. The Physical Address (MAC) is generated on the fly because the device is not actually a physical device. You can actually change your Physical Address (MAC) if you wish to. It's called MAC Address Spoofing.

Change the address to aa:bb:cc:dd:ee:ff for en0 interface:

sudo ifconfig en0 ether aa:bb:cc:dd:ee:ff

Set a random physical address:

openssl rand -hex 6 | sed 's/\(..\)/\1:/g; s/.$//' | xargs sudo ifconfig en0 ether

Virtual interfaces change Physical Addresses (MAC) all the time. They would do it via programming code and not so much a command line ifconfig entry.

Addition: Not suggesting one should change their Physical Address (MAC) just that you can indeed change it. Yes, Apple has been randomizing the Physical Address (MAC) as of late. That was done for security reasons on iOS devices especially but also Macs. Apparently, Edward Snowden claimed the NSA was tracking movement of mobile devices via the MAC address. Other companies started randomizing their MAC Addresses as a result. Google has been doing it with Android since 6.0. Windows 10 and even Linux kernel 3.18 and above.

Changing a Physical Address (MAC) can cause confusion as the first three bytes (6 characters) defines the manufacturer. This could potentially cause an employer's IT security to become concerned and block a device from the corporate network.

Sometimes a Physical Address (MAC) might be hardcoded to a particular system and changing it can break connectivity. But this is a small edge case scenario.

Related

Mac OS Big Sur | kernal_task usage is 500% when connected to external monitor
Why are some Firefox windows not cycling through the entire list of windows I have open?
Photos using a space of ~2GB but there is nothing in the photos app
How do I download all iCloud Drive files to external hard drive using MS Windows?
Automatically turn iPhone sound off after a certain duration
How can I copy Music library from one Mac to another
Does TechTool Pro do anything that Disk Utility doesn't?
How can the 'Open File...' dialog window be made larger, by default?
third party hdmi to vga adapter does not work [closed]
How to enable Huawei Health app options for iOS that exist for Android?
Can I recover lost data after formatting Mac HD?
Cannot install Windows 7 on 2007 iMac