VMware Virtual Machines MAC addresses
Occasionally I feel old, today was one of those days. The feeling snuck up on me during a conversation about MAC addresses.
Someone mentioned a MAC address starting 00:50:56 and I said with confidence that it was a VMware virtual machine, which prompted the response “how do you know that?”. Which leads us to the topic of this blog post, how did I know that?
MAC addresses are not random. The first three pairs of a MAC address is granted to a vendor or manufacturer. I knew the MAC address 00:50:56 was a VMware virtual machine because 00:50:56 are assigned to VMware as MAC address Organisational Unique Identifiers (OUI). VMware has four such assignments; 00:50:56, 00:0C:29, 00:05:69 and 00:1C:14. Unless you are dealing with much older VMware infrastructure the only one worth really committing to recall is 00:50:56.
We can take this a step further with VMware MAC addresses. Taking the example MAC address in the image, listed as 00:50:56:96:a4:e5 we can work out the virtual centre that this virtual machine belongs to.
According to the VMware OUI allocation scheme, a MAC address has the format of 00:50:56:XX:YY:ZZ, where as discussed above 00:50:56 represents the VMware OUI, XX or the forth octet is calculated as 80 + vCenter Server ID, and YY and ZZ are random two-digit hexadecimal numbers.
Working out the vCenter ID requires taking the 4th octet in the example above that would be the forth octet from 00:50:56:96:a4:e5, which is 96. Then we subtract 80 from that which looks more complicated than it is; 0x96 – 0x80 = 0x16. Next step is to rebase 0x16 from Base-16 to Base-10, or convert 0x16 to decimal, now i appreciate that’s probably not an everyday operation. To convert the hex number 0X16 to decimal we need to follow these steps:
Multiply the last digit by 1, so 6 x 1 = 6
Multiply the third to last digit by 16, so 1 x 16 = 16 (for a longer Hex number then multiply the fourth to the last digit by 16 x 16 x 16, Multiply the fifth to the last digit by 16 x 16 x 16 x 16 and so on until all the digits are used).
Add up the outputs from above, so 6 + 16 = 22
This means our vCenter Server Unique ID is 22
How can this be used practically? Well if we had access to a table of say every MAC OUI Registration combined with say the output from an ARP (Address Resolution Protocol) command then we can very quickly build up a picture of what hardware is on a network.
As a quick example I’ve downloaded the MAC OUI registration information from the link above and then combined that with the output from an “arp -a” command that I ran on a CentOS server in a lab environment.
Arp is not a command that is created equally across all operating systems. The output of the same command on a windows server will for example provide you with and IP address, MAC address and entry type (static or dynamic) and divides the output up on a per interface basis. As demonstrated by the output from running the command on a CentOS server, it attempts to resolve the IP addresses to a fully qualified domain name and provides interface details within the same table.
The raw data needs cleaning up before it can be used, but that’s straightforward enough using PowerQuery.
After cleaning the data and merging the two queries the output should look something like this.
I think this is really useful and has operational uses as well as discovery uses ahead of service or server migrations. A particularly powerful use case would be to merge this information with the output from a “netstat” command and Standard TCP port description information.
So there we have it an answer to how did I know that 00:50:56 was a VMware MAC address.