How to use Wireshark OUI lookup for network security

The Wireshark network protocol analyzer application includes an important feature: OUI lookup. The organizationally unique identifier is part of the media access control addresses that are uniquely assigned to each network interface controller, or NIC. In Wireshark, OUI lookup is part of the MAC address lookup function.

This tutorial shows how to use Wireshark's OUI lookup tool from within the Wireshark application, as well as how to do OUI lookup from any internet-connected device.

Most networked devices use Ethernet or Wi-Fi NICs and have 48-bit MAC addresses. These addresses uniquely identify the network interfaces on physical networks and consist of two parts: the first three octets (bytes) identify the manufacturer or vendor of the device's NIC, and the last three octets uniquely identify the NIC itself.

What is an OUI?

Modern network interfaces like those used for Ethernet or Wi-Fi are uniquely identified in six octets (48 bits) of a MAC address. These addresses are usually represented as 12 hexadecimal digits in six pairs, separated by colons or hyphens -- for example:

00:00:5E:AB:CD:EF

00-00-5E-12-34-56

The first three octets are the OUI assigned by the IEEE Registration Authority to the vendor of the NIC. The OUI database was used originally to associate Ethernet cards with their manufacturers, but the OUI has been expanded to cover all types of NICs, including Wi-Fi and other wired and wireless network interfaces.

The first 24 bits of address space in MAC addresses are reserved for the OUI, and the last 24 bits are reserved for a unique ID for each NIC manufactured by the owner of the OUI. As a result, more than 16 million unique OUIs exist, and each OUI can be used by the manufacturer for over 16 million NIC addresses. This means that a large manufacturer, like Cisco, has been assigned hundreds of OUIs.

The Wireshark OUI database includes the following:

OUIs are tracked through the IEEE Registration Authority, and Wireshark maintains an API called manuf that provides a mechanism for searching against the Wireshark manufacturer database, an open source collection of all known OUI prefixes -- the first three octets of the MAC address. An OUI search typically looks at a hexadecimal MAC address like this:

00-00-5E-00-53-99

The search queries the Wireshark manufacturer database and returns the OUI vendor name and any other descriptive information stored for that OUI. In this example, which uses a MAC address reserved for documentation, the search returns the OUI itself and the database information for that OUI:

00:00:5E ICANN, IANA Department

In this case, the OUI is registered to the Internet Corporation for Assigned Names and Numbers and reserved for use as an example in documentation by the Internet Assigned Numbers Authority.

What are OUIs used for?

The benefits of using Wireshark OUI lookup are many, including the ability to do the following:

For example, Wireshark OUI lookup can be used to identify whether a particular router vendor is preferred for the network being monitored. By tracking where traffic destined for the global internet is being forwarded from, network engineers and security professionals can identify routers. Using OUI lookup makes it easy to see if installed routers are provided by Cisco, Juniper Networks or another vendor. This information can be crucial to successfully completing a pen test engagement or red team exercise.

How to use Wireshark OUI lookup in the application

The Wireshark OUI lookup tool is integrated into the Wireshark application, so if you use Wireshark to capture or analyze network traffic, it automatically displays OUI data along with other metadata about network traffic. This is displayed in Wireshark protocol analysis screens, as shown in Figure 1, from a Linux system running Wireshark.

Figure 1. The Wireshark application display shows all protocol information about local network traffic, including OUI lookup and IP addresses of source and destination hosts, as well as TCP and UDP header information.

In Figure 1, note that the MAC addresses (highlighted) are displayed as part of the Layer 2 protocol layer -- also known as data link layer or simply link layer -- where devices communicate over network media, such as Ethernet or Wi-Fi. In this example, the following is the source MAC address:

ec:f4:bb:96:12:0e

Wireshark automatically identifies the OUI in this MAC address, ec:f4:bb, as registered in the IEEE database to the manufacturer Dell. Rather than displaying only the raw MAC address, Wireshark displays a hybrid form in which the OUI is replaced with the vendor name from the IEEE database:

Dell_96:12:0e

By default, Wireshark resolves MAC addresses in this way: the registered manufacturer name is shown, followed by an underscore (_) and the unique NIC portion of the address. For the destination address in this example, the raw address is the following:

00:0c:29:b4:90:14

The resolved destination MAC address is shown as the following:

Vmware_b4:90:14

Wireshark resolves MAC addresses in this way by default, but MAC resolution can be turned off.

Figure 2. Open Wireshark application preferences (Linux).

How to configure MAC address resolution in Wireshark application

Disabling MAC address resolution can be helpful for applications such as live scanning a busy network where performance could be affected by the need to resolve MAC addresses in real time. To turn MAC address resolution on or off, go to the Wireshark settings Preferences dialog. Figure 2 shows how to select the Edit pull-down menu in the Wireshark application running on Linux prior to clicking on Preferences to set OUI resolution handling.

Once at the Wireshark Preferences dialog, shown in Figure 3, select Name Resolution from the menu on the left side. By default, the first configuration option is Resolve MAC addresses. Check or uncheck that box, and then click OK to enable or disable MAC address resolution.

Figure 3. Enable or disable MAC address resolution in the Wireshark Linux application.

How to use Wireshark OUI lookup interactively online

It's not always practical, desirable or even possible to run the full Wireshark application on a target network to identify MAC OUIs. In these cases, Wireshark provides an online web interface for OUI lookups at this URL:

https://www.wireshark.org/tools/oui-lookup.html

The web interface, shown in Figure 4, consists of a short set of directions with lookup examples, an input box for search terms and a Find button. In this example, a NIC address, 00:0b:be:18:9a:41, is entered in the OUI search input box, and the resulting resolution shows that address as belonging to Cisco.

Figure 4. The interactive webpage for Wireshark OUI lookups can be accessed from any internet-connected device with a web browser.

As noted on the web interface, OUI search terms can include the following types of data:

Figure 5. Wireshark OUI lookup for the string 'cisco' returns all OUIs registered with that string in the OUI description.

The octets in the MAC and OUI values must be separated by colons, hyphens or periods. Strings -- for OUI description data -- are not case-sensitive. Pressing Enter starts a new line in the search input field. To initiate the search, click on the Find button beneath the input field. The input field can be sized -- made larger or smaller -- by dragging the lower-right corner of the field.

Figure 5 shows the first few OUIs in the Wireshark OUI database that include the string "cisco" -- not case-sensitive -- out of the hundreds of registered Cisco OUIs.
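The lookup, the Vendor_xx:xx:xx display form and the case-insensitive string search described above, as an added example that is not Wireshark's own code: it works from a small constructed excerpt in the layout of Wireshark's manuf file (OUI, short name, long name, tab-separated) containing the vendors the article resolves, accepts colon, hyphen or dotted notation, and goes one step beyond the article by returning the raw address for locally administered MACs (bit 1 of the first octet set, as with randomized Wi-Fi addresses), which have no registered OUI. Function names are the author's own.

```python
import re
# Constructed excerpt in the layout of Wireshark's manuf file; the entries
# reproduce the vendors the article resolves. A real tool reads the full file.
MANUF_EXCERPT = """\
00:00:5E\tICANN\tICANN, IANA Department
EC:F4:BB\tDell\tDell Inc.
00:0C:29\tVmware\tVMware, Inc.
00:0B:BE\tCisco\tCisco Systems, Inc
"""

def load_manuf(text):
    """Parse manuf-style lines into {OUI: (short name, long name)}."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line:
            continue
        parts = line.split("\t")
        prefix, short = parts[0].upper(), parts[1]
        table[prefix] = (short, parts[2] if len(parts) > 2 else short)
    return table

def normalize_mac(mac):
    """Accept colon, hyphen or dotted notation; return 12 upper-case hex digits or None."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    return digits.upper() if re.fullmatch(r"[0-9A-Fa-f]{12}", digits) else None

def oui_of(mac):
    """First three octets in the colon form the manuf table uses, e.g. '00:00:5E'."""
    digits = normalize_mac(mac)
    return None if digits is None else ":".join(digits[i:i + 2] for i in (0, 2, 4))

def is_locally_administered(mac):
    """Bit 1 of the first octet set means no registered OUI (randomized Wi-Fi MACs)."""
    digits = normalize_mac(mac)
    return digits is not None and int(digits[:2], 16) & 0x02 != 0

def resolve_mac(mac, table):
    """Render Wireshark's hybrid form ('Dell_96:12:0e'); unknown or local: raw address."""
    digits = normalize_mac(mac)
    if digits is None:
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [digits[i:i + 2].lower() for i in range(0, 12, 2)]
    entry = None if is_locally_administered(mac) else table.get(oui_of(mac))
    return f"{entry[0]}_{':'.join(octets[3:])}" if entry else ":".join(octets)

def search_vendor(term, table):
    """Case-insensitive substring match on vendor names, like the web tool's string search."""
    return sorted(p for p, (s, l) in table.items() if term.lower() in f"{s} {l}".lower())
```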