Hack 27 Finding Radio Manufacturers by MAC Address

Find out what sort of radio cards and laptops are in use on your local network.

If you just joined us from the last hack [Hack #26], you might be wondering about who is using your wireless network. Sure, you have their IP addresses, and their MAC addresses are easily found with a simple arp -an. But what kind of computers are they using?

The IEEE maintains the database of Organizationally Unique Identifiers (OUI). These are the first 24 bits of the MAC address, parceled out to vendors who manufacture Ethernet devices. If you know the first three bytes of a MAC address, you can look up the device's manufacturer directly from the IEEE. There is a searchable database on the Web at http://standards.ieee.org/regauth/oui/index.shtml. Note that to use this service, you need to specify the OUI separated by hyphens, not colons (e.g., 00-02-2d, not 00:02:2d.).

The Code

Of course, this is handy for the occasional query, but what if you want to instantly see the manufacturer of all devices on your local subnet? Just after performing a broadcast ping [Hack #26], try this bit of Perl:

#!/usr/bin/perl my %cards; my %ips; open(ARP,"arp -an|") || die "Couldn't open arp table: $!\n"; print "Looking up OUIs."; while(<ARP>) {  chomp;  my $addr = $_;  my $ip = $_;  $addr =~ s/.* ([\d\w]+:[\d\w]+:[\d\w]+):.*/$1/;  $addr =~ s/\b([\d\w])\b/0$1/g;  $addr =~ s/:/-/g;  next unless $addr =~ /..-..-../;  $ip =~ s/.*?(\d+\.\d+\.\d+\.\d+).*/$1/;  print ".";  $cards{$addr}||=`curl -sd 'x=$addr' http://standards.ieee.org/cgi-bin/[RETURN]ouisearch`;  ($cards{$addr} =~ /Sorry!/) && ($cards{$addr} = "Unknown OUI: $addr");  $ips{$ip} = $addr; } print "\n"; for(keys(%ips)) {  $cards{$ips{$_}} =~ s/.*.hex.\s+([\w\s\,\.]+)\n.*/$1/s;  print "$_ -> $cards{$ips{$_}}\n"; }

This script works well on Linux, Mac OS X, and BSD. It requires only Perl and the curl network utility (http://curl.sourceforge.net/), and it assumes that the arp utility is in your PATH. For efficiency's sake, it queries only the IEEE once for each OUI it encounters.

Running the Hack

Save the code to a file called machines.pl and invoke it from the command line, producing output somewhat like the following:

rob@florian:~$ perl machines.pl Looking up OUIs......... 10.15.6.98 -> Compaq Computer Corporation 10.15.6.44 -> Aironet Wireless Communication 10.15.6.64 -> Aironet Wireless Communication 10.15.6.49 -> APPLE COMPUTER, INC. 10.15.6.75 -> Netgear, Inc. 10.15.6.87 -> APPLE COMPUTER, INC. 10.15.6.62 -> Senao International Co., Ltd.

This node has a Compaq card, two Cisco Aironet cards, two Apple AirPorts, a Netgear, and a Senao card associated with it. This quickly gives you some idea of the demographic of your wireless users; plotted over time, it might show some interesting trends.

Some vendors are not listed in the OUI database, but the vast majority are. Some vendors are listed under the name of a subsidiary company (frequently from Taiwan), which can be misleading. But for an informal poll of just who is using your wireless network, this script can be quite illuminating.