I'm trying to use the "Add-On for MAC Lookup" and it errors with 'command="maclookup", : failed to use the netaddr module!'
For example, my Splunk search produces a table with 1 entry:
dest_hostname dest_nt_host dest_ip dest_mac dest_subnet_name
android-1fe665ec066a8cdd android-1fe665ec066a8cdd.home 10.1.1.99 dc:44:b6:99:f9:a5 Guest-Wifi
whereupon I invoke maclookup:
...
| table dest_hostname, dest_nt_host, dest_ip, dest_mac, dest_subnet_name
| maclookup field=dest_mac
...
resulting in:
command="maclookup", : failed to use the netaddr module!
No results found.
Enabling debug, I see the following in maclookup.log:
2018-11-26 15:39:55,142 INFO maclookup:139 - using mac to lookup : dc:44:b6:99:f9:a5
2018-11-26 15:39:55,142 INFO maclookup:141 - netaddr lookup: DC-44-B6-99-F9-A5 ...
2018-11-26 15:39:55,224 ERROR maclookup:154 - failed to use the netaddr module!
I've restarted splunkd on this system (RHEL 7.5) a few times, and even rebooted the server, but that hasn't made a difference.
It seems that this error is the result of an OEM vendor not being found in the netaddr lookup.
When I manually paste the MAC addr dc:44:b6:99:f9:a5 into https://www.macvendorlookup.com/ , the site returns:
Company: No Vendor Exists
When the table includes a different MAC addr, netaddr may give no error. For example, if the table includes:
dest_hostname dest_nt_host dest_ip dest_mac dest_subnet_name
ETs-Phone ETs-Phone.home 10.1.1.50 00:56:cd:95:16:62 Guest-Wifi
... maclookup gives no error.
When I manually paste the MAC addr 00:56:cd:95:16:62 into https://www.macvendorlookup.com/ , the site returns:
Company: Apple, Inc.
This leads me to the question of whether we can get this add-on to use a different site, such as https://www.wireshark.org/tools/oui-lookup.html
Thanks.
Hi staten,
Sorry for the late reply. Not at the moment, but I can add something like this in a later version.
Hope this helps ...
cheers, MuS
Correction to my question: Can we enable this add-on to use a different lookup/source* for MAC OEM vendor data?
*replaced "site"
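The thread's failure case is a MAC whose OUI has no registered vendor, and its follow-up asks for a different source of vendor data. As an added example (not the add-on's code), here is a lookup against a locally supplied vendor table that reports an unknown prefix as a status value instead of failing; the table layout and the `mac_vendor`/`mac_status` field names are assumptions, and the table content is constructed.

```python
import re

# Constructed sample vendor table (OUI prefix <TAB> vendor). The Apple row
# mirrors the result quoted in the thread; a real deployment would load a
# locally maintained OUI file instead.
SAMPLE_OUI_TABLE = """\
# prefix\tvendor
00:56:CD\tApple, Inc.
"""


def normalize_mac(mac):
    """Return 12 uppercase hex digits, or None if the value is not a MAC."""
    digits = re.sub(r"[:\-.]", "", str(mac).strip()).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None


def load_oui_table(text):
    """Parse 'prefix<TAB>vendor' lines into {6-hex-digit OUI: vendor}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, vendor = line.partition("\t")
        key = re.sub(r"[:\-.]", "", prefix).upper()
        if re.fullmatch(r"[0-9A-F]{6}", key) and vendor:
            table[key] = vendor.strip()
    return table


def lookup_vendor(mac, table):
    """Never raise: a missing OUI yields a status instead of an exception."""
    digits = normalize_mac(mac)
    if digits is None:
        return {"mac_vendor": None, "mac_status": "invalid"}
    vendor = table.get(digits[:6])
    if vendor:
        return {"mac_vendor": vendor, "mac_status": "ok"}
    # Bit 0x02 of the first octet marks a locally administered address
    # (for example a randomized client MAC), which has no registry entry.
    local = int(digits[:2], 16) & 0x02
    return {"mac_vendor": None,
            "mac_status": "locally_administered" if local else "unregistered"}


OUI = load_oui_table(SAMPLE_OUI_TABLE)  # hypothetical module-level table
```

Keeping the "not found" case as a field value lets the search still return the row, so unknown devices on a guest network remain visible instead of being replaced by an error.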