Update OUI List



  • Is there any way to update the OUI list used by the DHCP leases screen? It's pretty outdated and most MAC addresses I'm seeing no longer list a vendor (maybe half and half).


  • Rebel Alliance Developer Netgate

    That comes from the nmap package. If you aren't using the most current version of the nmap package, reinstall it.



  • @jimp:

    That comes from the nmap package. If you aren't using the most current version of the nmap package, reinstall it.

    It is the most current version of the package so that probably needs updated in nmap.



  • I didn't realize this came from nmap, so can a mod move it to packages where it belongs in hope the package maintainers find it?

    It looks like the current version of nmap is 6.25 and the pfSense package is 6.01. I'm guessing an update to the nmap package would update this OUI list.


  • Rebel Alliance Developer Netgate

    It's not that simple to decouple it from nmap, I believe there were some licensing reasons and such. It's easier just to keep tracking nmap and updating as needed.

    The nmap package will get updated in the near future, time allowing (probably before the end of the week).


  • Rebel Alliance Developer Netgate

    Newest nmap is up now.



  • Thanks Jim, I guess the nmap people haven't been keeping the database updated because it's still old - missing a few Apple OUIs for example.


  • Rebel Alliance Developer Netgate

    Looks recent enough to me.

    $Id: nmap-mac-prefixes 28250 2012-03-09 00:45:55Z fyodor $ generated with make-mac-prefixes.pl

    Original data comes from http://standards.ieee.org/regauth/oui/oui.txt

    These values are known as Organizationally Unique Identifiers (OUIs)

    See http://standards.ieee.org/faqs/OUI.html

    We have added a few unregistered OUIs at the end.

    2 months old is pretty new for a software release.

    Not sure why the missing ones aren't there. What are they? Are they in the IEEE data file here: http://standards.ieee.org/regauth/oui/oui.txt ?

    The IEEE file isn't in a format we can use directly, which is why we use NMAP's list instead.



  • B8-78-2E Apple
    70-56-81 Apple Inc
    78-D6-F0 Samsung Electro Mechanics
    58-C3-8B Samsung Electronics
    74-45-8A Samsung Electronics Co.,Ltd
    98-B8-E3 Apple
    80-96-B1 Motorola Mobility, LLC.
    7C-FA-DF Apple
    90-18-7C Samsung Electro Mechanics co., LTD.

    There's just a few that are NOT recognized by pfSense in the DHCP leases list; all those entries come from the IEEE text file.


  • Rebel Alliance Developer Netgate

    I worked over the IEEE file a bit and compared it, there are actually a large number of them missing.

    The IEEE file doesn't look terribly difficult to parse, though the company names are formatted a bit differently than those in the nmap file. It would be possible to make a little package that would download and update the file from the IEEE source, but the nmap list also contains a few entries (6 or so) that aren't in the IEEE list.


  • Rebel Alliance Developer Netgate

    Give this a spin from the shell (upload it to /root/update_oui.sh, then run it with "sh /root/update_oui.sh"). It will download the OUI list from IEEE, add in the few from nmap that were not in the IEEE list, and then write it out in the proper format to be recognized by the GUI.

    update_oui.sh.txt



  • @jimp:

    Give this a spin from the shell (upload it to /root/update_oui.sh, then run it with "sh /root/update_oui.sh"). It will download the OUI list from IEEE, add in the few from nmap that were not in the IEEE list, and then write it out in the proper format to be recognized by the GUI.

    Done exactly as you said and it didn't change a thing - still tons of OUIs missing in the DHCP leases table.



  • @markhude: Why not send a patch to the nmap guys so they can update the table?

    It's just that they are already used to maintain a list - and they are already not alone (http://hackerific.net/2010/04/04/oui/) so I doubt why pfsense should also start delivering its own list or update script :-)


  • Rebel Alliance Developer Netgate

    @markuhde
    My script has a safety belt built-in that won't overwrite the nmap file if the downloaded file fails two different validity tests.

    Check /tmp/oui-prefixes.txt and see if it's still there, and if it looks "sane". The script worked for me when I ran it here.

    @MatSim
    The nmap file is pretty out of date, even though the nmap source is up to date, so they're behind. They have an automated script, so a patch isn't likely to be helpful, but a nudge may be in order.

    A separate script isn't necessarily a bad idea from an independence point of view. It would be nice to not have to depend on those other projects, which in turn depend on the IEEE list, when it's freely available to make a list of our own. The most likely outcome is that we make a package that includes these updated OUIs, not have people run the script directly on their firewalls. Someone could, if they really wanted to, but there's little reason to do so since not only would it put an extra burden on the IEEE server, but they don't change often enough to warrant that.

    It would be nice to have it hooked into an update mechanism like the bogons, but again, I doubt they change so often that it would be warranted, and just updating a package now and then would be sufficient.
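
The flow described in the posts above (download the IEEE list, convert it, carry over the nmap-only entries, and refuse to overwrite the installed file when the download fails validation), as an added example that is not the update_oui.sh from this thread. The function names, the two checks, the sample data and the line layouts noted in the comments are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not the thread's update_oui.sh. Assumed layouts:
# IEEE "XX-XX-XX   (hex)   Vendor"; nmap-mac-prefixes "XXXXXX Vendor".

ieee_to_nmap() {  # $1 = IEEE-style file; prints "XXXXXX Vendor" lines
    awk 'BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]"; re = "^" h "-" h "-" h "$" }
    $1 ~ re && $2 == "(hex)" {
        p = toupper($1); gsub(/-/, "", p)
        name = $0; sub(/^.*\(hex\)[ \t]*/, "", name); sub(/[ \t\r]+$/, "", name)
        if (name != "") print p " " name
    }' "$1"
}

merge_lists() {  # $1 = converted IEEE list, $2 = old nmap list
    # IEEE wins on conflicts; old-list prefixes IEEE lacks are carried over.
    awk 'FILENAME == ARGV[1] { seen[$1] = 1; print; next }
         /^[0-9A-F]/ && !($1 in seen)' "$1" "$2" | LC_ALL=C sort
}

list_is_sane() {  # $1 = converted list, $2 = minimum entry count
    # Check 1: enough entries (an error page or truncated download has few).
    [ "$(awk 'END { print NR }' "$1")" -ge "$2" ] || return 1
    # Check 2: every line is "XXXXXX Vendor" with no control characters.
    ! LC_ALL=C grep -Evq '^[0-9A-F]{6} [^[:cntrl:]]+$' "$1"
}

update_oui() {  # $1 = IEEE download, $2 = installed list, $3 = min entries
    conv=$(mktemp) && cand=$(mktemp "$2.XXXXXX") || return 1
    ieee_to_nmap "$1" > "$conv"
    list_is_sane "$conv" "$3" && merge_lists "$conv" "$2" > "$cand" &&
        chmod 644 "$cand" && mv "$cand" "$2"   # rename replaces atomically
    rc=$?
    rm -f "$conv" "$cand"
    return "$rc"
}

# Constructed sample files (prefixes are ones quoted in the thread; the
# FFFF00 entry and the stale name are made up for the demonstration).
demo_dir=$(mktemp -d)
printf '%s\n' '  B8-78-2E   (hex)   Apple' '  B8782E     (base 16)   Apple' \
    '        1 Example Street' '  58-C3-8B   (hex)   Samsung Electronics' > "$demo_dir/oui.txt"
printf '%s\n' '# constructed stand-in for the installed list' \
    'B8782E Stale Vendor Name' 'FFFF00 Constructed Unregistered Vendor' > "$demo_dir/nmap-mac-prefixes"
update_oui "$demo_dir/oui.txt" "$demo_dir/nmap-mac-prefixes" 2 && cat "$demo_dir/nmap-mac-prefixes"
printf '<html>503 Service Unavailable</html>\n' > "$demo_dir/bad.txt"
update_oui "$demo_dir/bad.txt" "$demo_dir/nmap-mac-prefixes" 2 || echo "rejected: installed list left untouched"
```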



  • It's not generating that. I'm getting no feedback at all when I run the script, and checking immediately afterwards, there is no /tmp/oui-prefixes.txt.


  • Rebel Alliance Developer Netgate

    This was stuck way back in my Inbox, meant to poke at it again.

    This works for me on a system that has no trace of nmap. Note that this is not the exact same script posted earlier in the thread, but an updated version.

    : /etc/rc.conf_mount_rw  (NanoBSD only)
    : cd /root; fetch -qo /root/ http://files.pfsense.org/jimp/update_oui.sh ; sh update_oui.sh
    : ls -l /usr/local/share/nmap/nmap-mac-prefixes
    -rw-r--r--  1 root  wheel  520508 Jul 16 13:03 /usr/local/share/nmap/nmap-mac-prefixes
    
    

    I was going to make a package for it, but then I thought better of it. We don't need an extra 0.5MB in the package repo and it will need to be manually kept up to date and it's just not really worth the hassle. If we gzip it we'd have to put it on another server (no binaries allowed in the pkg repo) and it would be more difficult not only to update it, but to remember to update it and bump the pkg version, etc. Most people are OK with the nmap version, those that aren't can just grab this and run it manually.

    If I can get some confirmation that it works I'll write up a short doc wiki article on it.