Tuesday, April 27, 2010

Update MAC Address<-->Manufacturer Tables

If you've ever used nmap or arpwatch, you've probably experienced the forensic benefit of correlating a broadcasting host's MAC address with the manufacturer of its NIC. If you've ever encountered a manufacturer labeled "Unknown" in either of those tools, this post is for you.

We installed arpwatch on our network late last week and discovered that the MAC<->Manufacturer table was a few years out of date. We were able to convert nmap's table to arpwatch's format, but still ended up with a slightly-out-of-date table.

The following script gets the current data from IEEE and formats it for nmap and arpwatch:

#!/bin/sh
# update_mac_addresses.sh
# This script downloads the current MAC address data from the IEEE and parses it for nmap and arpwatch.
# nmap-mac-prefixes is for nmap.
# ethercodes.dat is for arpwatch.

# Stop on the first failure so a bad download does not leave empty tables behind.
set -e

# Download the current data (-O so a rerun overwrites oui.txt instead of creating oui.txt.1)
wget -O oui.txt http://standards.ieee.org/regauth/oui/oui.txt

# Divide the data into Manufacturer and Address files.
# Only the "(base 16)" lines carry one prefix and one vendor each: the vendor is the
# third tab-separated field, the prefix the first space-separated one.
# tr -d '\r' strips the CR line endings the IEEE file may carry.
grep '(base 16)' oui.txt | cut -f3 | tr -d '\r' > mac.manufacturer
grep '(base 16)' oui.txt | cut -f1 -d' ' > mac.address

# Paste them back together for nmap data
paste mac.address mac.manufacturer > nmap-mac-prefixes

# Parse the address data for arpwatch: split the six hex digits into three octets,
# drop each octet's leading zero and join them with colons (000A0B -> 0:A:B).
# Perl replacement text refers to captured groups as $N, not \N.
perl -pe 's/^(([^0].)|0(.))(([^0].)|0(.))(([^0].)|0(.))/$2$3:$5$6:$8$9/' mac.address > tmp.address
# arpwatch expects lowercase hex; quote the ranges so the shell cannot glob-expand them.
tr 'A-Z' 'a-z' < tmp.address > mac.address

# Paste the parsed data into the arpwatch file
paste mac.address mac.manufacturer > ethercodes.dat

# Clean up intermediary files
rm tmp.address mac.address mac.manufacturer oui.txt

Credit to Jonathan C. for the perl regex.


Caveat: if the generated nmap file (nmap-mac-prefixes) is installed over nmap's own copy, nmap will not run successfully. If you've already copied it into place, you'll have to roll back to the data file that shipped with nmap.
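For anyone who would rather not maintain the perl regex, here is an added example in Python (not the post's script) that reads the same oui.txt layout and builds both tables, doing the arpwatch leading-zero stripping per octet. The registry text embedded below is constructed (the two "Example" vendors are made up), and the nmap line uses the single-space separator of the file that ships with nmap rather than the tab the shell script produces.

```python
# Added example (not the post's script): a Python equivalent of the shell
# pipeline that turns IEEE oui.txt into nmap and arpwatch vendor tables.
import re

# One '(base 16)' line per assignment, e.g. "000000     (base 16)\t\tXEROX CORPORATION"
_BASE16_RE = re.compile(r"^([0-9A-Fa-f]{6})\s+\(base 16\)\s*(.*)$")

def parse_oui(text):
    """Yield (prefix_hex, vendor) for every '(base 16)' line in oui.txt.
    Address lines are skipped; splitlines()/strip() also absorb the CRLF
    line endings the IEEE file ships with."""
    for line in text.splitlines():
        m = _BASE16_RE.match(line)
        if m:
            yield m.group(1).upper(), m.group(2).strip()

def arpwatch_prefix(prefix):
    """ethercodes.dat key: three lowercase octets, leading zero of each octet
    dropped, colon-separated ('000A0B' -> '0:a:b', 'A01B2C' -> 'a0:1b:2c').
    Same result as the post's perl regex, done per octet instead."""
    octets = [prefix[i:i + 2] for i in range(0, 6, 2)]
    return ":".join(f"{int(o, 16):x}" for o in octets)

def build_tables(text):
    """Return (nmap_lines, arpwatch_lines) for a whole oui.txt body."""
    nmap_lines, arp_lines = [], []
    for prefix, vendor in parse_oui(text):
        nmap_lines.append(f"{prefix} {vendor}")                    # nmap-mac-prefixes
        arp_lines.append(f"{arpwatch_prefix(prefix)}\t{vendor}")   # ethercodes.dat
    return nmap_lines, arp_lines

# Constructed sample in the oui.txt layout; the two "Example" vendors are made up.
SAMPLE_OUI = (
    "00-00-00   (hex)\t\tXEROX CORPORATION\r\n"
    "000000     (base 16)\t\tXEROX CORPORATION\r\n"
    "\t\t\t\tSome Street Address\r\n"
    "\r\n"
    "00-0A-0B   (hex)\t\tExample Labs Inc\r\n"
    "000A0B     (base 16)\t\tExample Labs Inc\r\n"
    "\r\n"
    "A0-1B-2C   (hex)\t\tExample Networks Ltd\r\n"
    "A01B2C     (base 16)\t\tExample Networks Ltd\r\n"
)

if __name__ == "__main__":
    for table in build_tables(SAMPLE_OUI):
        print("\n".join(table))
```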


Anonymous said...

Very useful. Thanks.

Anonymous said...

You sir, have saved me a good bit of time, thank you!

Unknown said...

The software for changing MAC addresses fails to update the MAC address of the network adapter. But thank god I got this solution. Thanks for sharing.

Silvester Norman

Change Mac Address

Anonymous said...

Thanks for this. I made a small change to make it work, possibly because the input file format has changed. I changed the second cut statement to this:

cat oui.txt | grep '(base 16)' | cut -f3 -d' ' > mac.address

Anonymous said...

With the fix from Norman - great work, thx for this. The address has permanently moved to