MAC vendor check

Homepage: nhw.pl/blg/articles/mac_count/
Download: http://www.nhw.pl/blg/download/mac_count.tgz

This is a simple script to check which MAC addresses are present in your network. What for? If someone adds an unauthorized device (like a wireless AP), this can help you find it.

How does it work? It connects via telnet to Cisco devices, dumps the MAC address table and, using http://www.coffer.com/mac_find, checks which devices (vendors) are connected to the LAN.

Requirements:
  • expect
  • cat/grep/awk/perl/telnet/etc...
  • access to web (could be via proxy)
  • user with access to show mac-address-table command on Cisco switches


Running:
In the file list.txt, provide username, password and hostname separated by whitespace, one entry per line. Then run the dump_mac.sh script.

WARNING!

The expect script assumes that the prompt from the switch is exactly HOSTNAME>, where the hostname is taken as is from list.txt. In my environment it works ;-))

The MAC address tables are now dumped in the directory exp_out, each in a separate file. Run bind.sh, which goes through all MACs and looks up every vendor part found in the MAC addresses. I tried to do it gracefully and make a minimal number of requests to www.coffer.com, but it can surely be done even more efficiently. If all works well, the file outp.txt should contain all vendors found. Go through it and look for anything that should not be there.

If you want to find the devices of one specific vendor: in bind.sh, on the last line after exit 0, there is a command which turns outp.txt into something usable as patterns to grep through all files in the exp_out directory. Choosing the right pattern and running grep -i PATTERN exp_out/*MAC will show all switches and ports with this vendor's devices.
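
A sketch of the idea described above: reduce a dump to its distinct vendor prefixes so each one is looked up only once, then list the ports for one chosen prefix. This is an added example, not code from mac_count; the function names and the sample table are constructed here, and it assumes the dumps hold MACs in Cisco's xxxx.xxxx.xxxx notation with the port as the last column.

```sh
#!/bin/sh
# Added example (not mac_count code): unique OUIs and per-vendor ports
# from Cisco "show mac-address-table" text.

# Constructed sample dump; all addresses and ports are made up.
sample_table() {
cat <<'EOF'
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0011.2233.4455    DYNAMIC     Fa0/1
   1    0011.22aa.bbcc    DYNAMIC     Fa0/2
  10    00AA.BBCC.DDEE    DYNAMIC     Fa0/7
  10    00aa.bb01.0203    STATIC      Gi0/1
  20    02de.adbe.ef01    DYNAMIC     Fa0/9
Total Mac Addresses for this criterion: 5
EOF
}

# awk helpers shared by both functions below.
AWK_LIB='
# True only for a complete Cisco dotted MAC (xxxx.xxxx.xxxx, lower case).
function is_mac(f,   p) {
    return split(f, p, /[.]/) == 3 && length(p[1]) == 4 &&
           length(p[2]) == 4 && length(p[3]) == 4 && f !~ /[^0-9a-f.]/
}
# Vendor part (OUI) = first 24 bits = first six hex digits.
function oui(f) { return substr(f, 1, 4) substr(f, 6, 2) }
'

# stdin: table text. stdout: "COUNT OUI", one line per distinct OUI,
# so each vendor prefix needs to be looked up only once.
unique_ouis() {
    awk "$AWK_LIB"'
    { for (i = 1; i <= NF; i++) { f = tolower($i); if (is_mac(f)) n[oui(f)]++ } }
    END { for (o in n) print n[o], o }' | sort -k2
}

# $1: OUI as six hex digits. stdin: table text. stdout: "PORT MAC".
# Compares the parsed prefix, so the OUI cannot match mid-address.
ports_for_oui() {
    want=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v want="$want" "$AWK_LIB"'
    { for (i = 1; i <= NF; i++) { f = tolower($i)
        if (is_mac(f) && oui(f) == want) print $NF, f } }'
}

sample_table | unique_ouis
sample_table | ports_for_oui 00AABB
```

Comparing the parsed prefix rather than grepping for a substring avoids false hits where the same hex digits appear in the middle of another address.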

(c) 2005 Witold Rugowski
http://www.nhw.pl/blg/
mailto:blg@nhw.pl