Yuri Slobodyanyuk's blog on IT Security and Networking sharing experience and expertise

MAC finder script

While I don't like going down to Layer 2, recently I had to do it: I didn't know the IP address of the Cisco router I wanted to connect to, but I had access to another Cisco router sitting in the same network. Running #show arp on that router and then searching Google for the owner of each MAC would have been easy enough if the subnet mask hadn't been /26. Copy-pasting every entry of the ARP table into Google didn't look like much fun. So I wrote a Python script that reads MAC addresses in bulk from standard input (you paste the ARP or MAC table into it) and, using a MAC-to-vendor database downloaded beforehand, prints the vendor for each MAC address. It works on the output of #show arp on Cisco routers, #show mac-address-table on Cisco switches, #arp -en on Linux (which includes Check Point), #arp -a on FreeBSD, #show arp on Junos from Juniper, and #get sys arp on FortiGate.
Below is the script.
mac-database.txt – a file containing the MAC-to-vendor mappings, one per line, in the format <first 6 hex digits of the MAC as one sequence> <VENDOR>. Those six hex digits are the OUI, the first three octets of the address, which is all a vendor lookup needs. I used standards.ieee.org/regauth/oui/oui.txt as the source, with a bit of sed, but if you want a ready-to-use file I recommend nmap-mac-prefixes from the nmap source-code distribution: http://nmap.org/svn/nmap-mac-prefixes
Download the script (to make sure formatting is preserved, an important thing for Python):
Script AND MAC database from the nmap project: http://yurisk.info/scripts/mac.tar.gz

#!/usr/bin/env python
# This script accepts MAC addresses on standard input (pasted ARP or
# MAC-table output, one entry per line) and prints the vendor for each
# MAC address after the original line.
# Author: Yuri, yurisk@yurisk.info, 06.2010
from __future__ import print_function   # runs under Python 2 and 3
import sys
import re

# This function removes the dot, colon or dash separator from a MAC so
# that the MAC becomes a plain sequence of hex chars (callback for re.sub)
def dotreplace(matchobj):
    if matchobj.group(0) == '.':
        return ''
    elif matchobj.group(0) == ':':
        return ''
    elif matchobj.group(0) == '-':
        return ''
    return matchobj.group(0)

# Open the file with the MAC addresses and vendors database;
# each line has the form "xxxxxx <Vendor>" (xxxxxx = the OUI, 6 hex digits)
macs_file = open('mac-database.txt')
macs_lines = macs_file.readlines()
macs_file.close()
# Read from standard input until EOF (CTRL+D)
data = sys.stdin.readlines()
for ppp in data:
    # Cisco notation: xxxx.xxxx.xxxx (show arp, show mac-address-table)
    popa = re.search(r'.*([a-f0-9]{4}\.[a-f0-9]{4}\.[a-f0-9]{4}).*', ppp, re.IGNORECASE)
    if popa:
        newpopa = re.sub(r'\.', dotreplace, popa.group(1))[0:6]
        for mac_db in macs_lines:
            # compare the first 6 hex digits (the OUI) with the database entry
            vendor = mac_db[0:6].lower() == newpopa.lower()
            if vendor:
                print(ppp.strip(), mac_db[7:].strip())
    # Linux, Check Point, FreeBSD, Junos and FortiGate notation: xx:xx:xx:xx:xx:xx
    popalinux = re.search(r'.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*', ppp, re.IGNORECASE)
    if popalinux:
        newpopa = re.sub(':', dotreplace, popalinux.group(1))[0:6]
        for mac_db in macs_lines:
            vendor = mac_db[0:6].lower() == newpopa.lower()
            if vendor:
                print(ppp.strip(), mac_db[7:].strip())
    # Windows notation: xx-xx-xx-xx-xx-xx
    popadash = re.search(r'.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*', ppp, re.IGNORECASE)
    if popadash:
        newpopa = re.sub('-', dotreplace, popadash.group(1))[0:6]
        for mac_db in macs_lines:
            vendor = mac_db[0:6].lower() == newpopa.lower()
            if vendor:
                print(ppp.strip(), mac_db[7:].strip())

Running it:

[root@darkstar ]# ./mac-finder.py
<now I copy-paste the output of arp -a from BSD>
$ arp -a
( at 00:50:56:95:74:72 on em0 [ethernet]
( at 00:09:0f:31:c8:24 on em0 [ethernet]
<Hit CTRL+D to signal the end of input>
( at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.
( at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.
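The same idea written the way I would do it today, as an added example and not the script from the post: the three notations are matched with word-boundary anchored patterns (so a hex run inside an IPv6 address in "ip -6 neigh" output cannot start a false match), the database is loaded once into a dict keyed by OUI instead of being scanned linearly for every input line, and addresses with the locally-administered bit set are reported as such rather than as database misses. It assumes the nmap-mac-prefixes layout ("005056 VMware, Inc.", one per line, '#' comments); the four ARP lines and three-entry database embedded in it are constructed sample data, and the file name mac-vendor.py in the usage comment is made up.

```python
#!/usr/bin/env python3
"""Bulk MAC-to-vendor lookup over pasted ARP / MAC-table output.

Added example, not the script from the post. Assumes the nmap-mac-prefixes
layout: one "005056 VMware, Inc." entry per line, '#' lines are comments.
"""
import re
import sys

# One pattern per notation the post lists: Cisco dotted (xxxx.xxxx.xxxx),
# colon-separated (Linux, BSD, Junos, FortiOS) and dash-separated (Windows).
# \b keeps a match from starting inside a longer hex run such as an IPv6 group.
MAC_PATTERNS = [
    re.compile(r'\b[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}\b', re.I),
    re.compile(r'\b[0-9a-f]{2}(?::[0-9a-f]{2}){5}\b', re.I),
    re.compile(r'\b[0-9a-f]{2}(?:-[0-9a-f]{2}){5}\b', re.I),
]


def extract_macs(line):
    """Return every MAC in *line* as 12 uppercase hex digits, separators removed."""
    macs = []
    for pattern in MAC_PATTERNS:
        for match in pattern.finditer(line):
            macs.append(re.sub(r'[.:-]', '', match.group(0)).upper())
    return macs


def is_locally_administered(mac12):
    """True when bit 1 of the first octet is set: a locally administered address.

    Such addresses are not assigned from the IEEE registry; they come from
    hypervisors, client privacy (randomized) MACs or deliberate spoofing,
    so an empty lookup result is expected rather than a database gap.
    """
    return bool(int(mac12[:2], 16) & 0x02)


def load_prefix_db(lines):
    """Parse nmap-mac-prefixes style lines into {OUI: vendor} for O(1) lookups."""
    db = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        prefix, _, vendor = line.partition(' ')
        if len(prefix) == 6 and vendor:
            db[prefix.upper()] = vendor.strip()
    return db


def annotate(lines, db):
    """Return (original line, MAC, vendor or note) for every MAC found in *lines*."""
    rows = []
    for line in lines:
        for mac in extract_macs(line):
            vendor = db.get(mac[:6])
            if vendor is None and is_locally_administered(mac):
                vendor = 'locally administered / randomized, not in OUI registry'
            elif vendor is None:
                vendor = 'unknown OUI'
            rows.append((line.rstrip('\n'), mac, vendor))
    return rows


# Constructed sample data: four ARP lines in the notations above and a
# three-entry excerpt of the prefix database (not output from a real network).
SAMPLE_INPUT = [
    "Internet  10.0.0.1   0   0050.5695.7472  ARPA   GigabitEthernet0/0\n",  # Cisco show arp
    "? (10.0.0.2) at 00:09:0f:31:c8:24 on em0 [ethernet]\n",                # BSD arp -a
    "  10.0.0.3              02-1a-2b-3c-4d-5e     dynamic\n",               # Windows arp -a
    "? (10.0.0.4) at 00:11:22:33:44:55 [ether] on eth0\n",                  # Linux arp -a
]
SAMPLE_DB = """# constructed excerpt in nmap-mac-prefixes layout
005056 VMware, Inc.
00090F Fortinet Inc.
000C29 VMware, Inc.
""".splitlines()


if __name__ == '__main__':
    # Real use (hypothetical file name): ./mac-vendor.py nmap-mac-prefixes < pasted-arp.txt
    # With no argument the embedded sample is used so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            prefix_db = load_prefix_db(fh)
        input_lines = sys.stdin.readlines()
    else:
        prefix_db = load_prefix_db(SAMPLE_DB)
        input_lines = SAMPLE_INPUT
    for original, mac, vendor in annotate(input_lines, prefix_db):
        print(original, '->', mac, vendor)
```

Treat the vendor name as a hint, not an identity: the OUI only tells you who manufactured the interface (or which hypervisor generated the address), and a MAC is trivially spoofed, so a "VMware" or "Fortinet" hit is a lead for finding the box, not proof of what it is.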


  1. Cool script.
    For similar needs, I usually grep into “/usr/share/wireshark/manuf”. It’s wireshark’s own MAC “database”, complete and readily available on any machine where the packet analyzer is installed.



  2. Yuri

    July 5, 2010 at 3:23 pm

    Thanks, Giuliano, for the pointer. For a single MAC I will also use whatever is most available, Google being the winner for me, but when it comes to finding 10, 20, 20 MACs it gets really ugly without automation.


© 2016 yurisk.info
