I was analyzing a database of probe requests until I found the following packet which has 3 different vendor specific fields. How to interpret that ?
RadioTap version=0 pad=0 len=24 present=Flags+Rate+Channel+dBm_AntSignal+RXFlags+RadiotapNS+Ext Ext=[<RadioTapExtendedPresenceMask present=b5+b11 |>] Flags= Rate=1.0 Mbps ChannelFrequency=2452 ChannelFlags=CCK+2GHz dBm_AntSignal=-65 dBm RXFlags= notdecoded='\\xbf\x00' |<Dot11 subtype=Probe Request type=Management proto=0 FCfield= ID=0 addr1=ff:ff:ff:ff:ff:ff (RA=DA) addr2=9e:1e:21:eb:55:c0 (TA=SA) addr3=ff:ff:ff:ff:ff:ff (BSSID/STA) SC=56976 |<Dot11ProbeReq |<Dot11Elt ID=SSID len=0 info='' |<Dot11EltRates ID=Supported Rates len=4 rates=[1.0 Mbps, 2.0 Mbps, 5.5 Mbps, 11.0 Mbps] |<Dot11EltRates ID=Extended Supported Rates len=8 rates=[6.0 Mbps, 9.0 Mbps, 12.0 Mbps, 18.0 Mbps, 24.0 Mbps, 36.0 Mbps, 48.0 Mbps, 54.0 Mbps] |<Dot11EltDSSSet ID=DSSS Set len=1 channel=9 |<Dot11EltHTCapabilities ID=HT Capabilities len=26 L_SIG_TXOP_Protection=0 Forty_Mhz_Intolerant=1 PSMP=0 DSSS_CCK=0 Max_A_MSDU=3839 o Delayed_BlockAck=0 Rx_STBC=0 Tx_STBC=0 Short_GI_40Mhz=0 Short_GI_20Mhz=1 Green_Field=0 SM_Power_Save=disabled Supported_Channel_Width=20Mhz LDPC_Coding_Capability=1 res1=0 Min_MPDCU_Start_Spacing=6 Max_A_MPDU_Length_Exponent=3 res2=0 TX_Unequal_Modulation=0 TX_Max_Spatial_Streams=0 TX_RX_MCS_Set_Not_Equal=0 TX_MCS_Set_Defined=0 res3=0 RX_Highest_Supported_Data_Rate=0 res4=0 RX_MSC_Bitmask=255 res5=0 RD_Responder=0 HTC_HT_Support=0 MCS_Feedback=0 res6=0 PCO_Transition_Time=0 PCO=0 res7=0 Channel_Estimation_Capability=0 CSI_max_n_Rows_Beamformer_Supported=0 Compressed_Steering_n_Beamformer_Antennas_Supported=0 Noncompressed_Steering_n_Beamformer_Antennas_Supported=0 CSI_n_Beamformer_Antennas_Supported=0 Minimal_Grouping=0 Explicit_Compressed_Beamforming_Feedback=0 Explicit_Noncompressed_Beamforming_Feedback=0 Explicit_Transmit_Beamforming_CSI_Feedback=0 Explicit_Compressed_Steering=0 Explicit_Noncompressed_Steering=0 Explicit_CSI_Transmit_Beamforming=0 Calibration=0 Implicit_Trasmit_Beamforming=0 Transmit_NDP=0 Receive_NDP=0 Transmit_Staggered_Sounding=0 Receive_Staggered_Sounding=0 Implicit_Transmit_Beamforming_Receiving=0 ASEL= |<Dot11Elt ID=Extendend Capabilities len=8 info='\x00\x00\x08\\x84\x00\x00\x00@' |<Dot11Elt ID=Interworking len=7 info='\x0f\\xff\\xff\\xff\\xff\\xff\\xff' |<Dot11Elt ID=255 len=28 info='#\x01\x08\x08\x00\x00\\x80\x000\x02\x00\r\x00\\x9f\x00\x00\x00\x00\\xfd\\xff\\xfd\\xff9\x1c\\xc7q\x1c\x07' |<Dot11EltVendorSpecific ID=Vendor Specific len=11 oui=Apple, Inc. (00:17:f2) info='\n\x00\x01\x04\x00\x00\x00\x00' |<Dot11EltVendorSpecific ID=Vendor Specific len=7 oui=Microsoft Corp. (00:50:f2) info='\x08\x00\x11\x00' |<Dot11EltVendorSpecific ID=Vendor Specific len=9 oui=Broadcom (00:10:18) info='\x02\x00\x00\x10\x00\x00' |>>>>>>>>>>>>>>
The only MAC addresses I can see in this frame are addr1 (broadcast), addr2 (9e:1e:21:eb:55:c0), and addr3 (broadcast). None of them belong to Apple, Inc. (00:17:f2), Microsoft Corp. (00:50:f2), or Broadcom (00:10:18). Am I missing something?
In your question it is not clear if you are looking for a mac address or the information element Vendor Specific.
The MAC addresses you are talking about are:
addr1: destination mac address. It is broadcast because in a probe request you are looking for Access Points, so anybody can receive it.
addr2: source mac address. It is the mac address of the sender. In this case, if you translate it from exadecimal to binary you obtain 1001 1110 : 0001 1110 : 0010 0001 : 1110 1011 : 0101 0101 : 1100 0000 Your seventh bit is 1, so the mac address is randomised (locally administred) and you cannot calculate the vendor from here. More info about mac address randomisation can be faound here: enter link description here.
addr3: SSID mac address. If the device is connected to an Access Point, there will be the AP mac address.
If you are talking about the Vendor-Specific element (221 Information Element), I can say that they are non standardized fields.
In your example you have:
"<Dot11EltVendorSpecific ID=Vendor Specific len=11 oui=Apple, Inc. (00:17:f2) info='\n\x00\x01\x04\x00\x00\x00\x00' |<Dot11EltVendorSpecific ID=Vendor Specific len=7 oui=Microsoft Corp. (00:50:f2) info='\x08\x00\x11\x00' |<Dot11EltVendorSpecific ID=Vendor Specific len=9 oui=Broadcom (00:10:18) info='\x02\x00\x00\x10\x00\x00' |"
As far as I know, the oui defines the format that is used for these fields. There can be multiple Vendor Specific fields, and the oui is useful for their decoding, since every vendor defined its own structure of this field. However, it is strange that you have vendor-specific fields from different vendors. Probably it is related to compatibility issues.