MAC finder script

While I don't like going down to Layer 2 , recently I had to do it - I didn't know IP address of the Cisco router I wanted to connect to but I had access to the Cisco router sitting in the same network. That would be pretty easy to do #show arp on this router and then search on Google to whom belongs each MAC if it wasn't the subnet mask of /26. Copy pasting each entry of the ARP table into Google didn't look like a lot of fun. So I wrote a python script that reads MAC addresses in bulk from command line and using downloaded beforehand database of MAC-vendor translations prints vendor for each MAC address. It works for #show arp on CIsco,#show mac-address-table on Cisco switches, #arp -en on Linux (means including Checkpoint), #arp -a on Freebsd ,#show arp of Junos from Juniper, #get sys arp on Fortigate.
Below is the script.
mac-database.txt - file containing MAC-vendor translation in format "MAC 6 hex digits as a sequence" "VENDOR", I used as the source with a bit of sed, but if you want ready to use file I recommend nmap-mac-prefixes from nmap source-code distribution Download script (to make sure formatting is preserved, an important thing for Python)
Script AND mac database from nmap project -

    #This script accepts MAC addresses from the command line and
    #prints vendor for each mac address
    # Author:Yuri,,06.2010
    import sys
    import re
    #This function removes from MACs colon or dot and returns MAC as a sequence of HEX chars
    def dotreplace(matchobj):
             if == '.':
                    return ''
             elif == ':':
                    return ''
    #open file with MAC addresses and vendors database,it has form xxxx <Vendor>
    #Read from stdinput
    data = sys.stdin.readlines()
    for ppp in data:
           if popa:
                 newpopa=re.sub('\.', dotreplace,[0:6]
                 for mac_db in macs_lines:
                     if vendor:
                        print ppp.strip(),mac_db[7:]
           popalinux ='.*([a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}:[a-f0-9]{2}).*',ppp,re.IGNORECASE)
           if popalinux:
                 for mac_db in macs_lines:
                     if vendor:
                        print ppp.strip(),mac_db[7:]

           popadash ='.*([a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}).*',ppp,re.IGNORECASE)
           if popadash:
                 for mac_db in macs_lines:
                     if vendor:
                        print ppp.strip(),mac_db[7:]

Running it:

[root@darkstar ]#./

Now I copy paste output from arp -a in BSD:

$ arp -a  

( at 00:50:56:95:74:72 on em0 [ethernet]  
 ( at 00:09:0f:31:c8:24  on em0 [ethernet]  
<Hit CTRL+D to signal the end of input>  
 ( at 00:50:56:95:74:72 on em0 [ethernet] VMware, Inc.  
 ( at 00:09:0f:31:c8:24 on em0 [ethernet] Fortinet Inc.

Follow me on not to miss what I publish on Linkedin, Github, blog, and more.