Sanitized IEEE OUI Data (oui.txt)

The IEEE oui.txt file has become somewhat inconsistent over the years and subsequently requires subvention for use in network infrastructure documentation and reporting. In response to this we have produced a daily sanitized edition that is available for download in bzip2, gzip, Zip and ASCII text.

Our sanitizing process performs Title Case conversion of legacy all UPPERCASE OUI records, fixes for vendor name inconsistencies, spelling corrections, removal of superfluous and erroneous data artifacts that have crept into the original daily generated IEEE oui.txt over time.

The oui.txt file is located in /usr/share/misc/ on most Linux distributions.



oui.txt Downloads

Sanitized oui.txt.bz2 Wed, 31 May 2023 07:02:36 +0000  •  970.1 kB (970,064 bytes)  •  bzip2

Sanitized oui.txt.gz Wed, 31 May 2023 07:02:36 +0000  •  1.4 MB (1,369,347 bytes)  •  gzip

Sanitized oui.txt.zip Wed, 31 May 2023 07:02:36 +0000  •  1.4 MB (1,369,485 bytes)  •  Zip

Sanitized oui.txt Wed, 31 May 2023 07:02:36 +0000  •  5.1 MB (5,090,976 bytes)  •  ASCII

Orig. IEEE oui.txtUpdated daily and available on the IEEE website •  ASCII


Sanitized IEEE OUI Data (oui.txt) Update Client Download

Sanitized IEEE OUI Data (oui.txt) Update Client sanitized-oui.txt-update v1.03
Tue, 09 Jul 2019 13:30:12 +0000  •  4.0 kB (4,039 bytes)  •  bash shell script


oui.txt Comparison

A juxtaposition comparison of the original and sanitized oui.txt files can be attained using sdiff from the GNU diffutils package.

sdiff -Wia original_oui.txt sanitized_oui.txt | less



Nmap MAC Prefixes

We also maintain and have made available a nmap-mac-prefixes file created from the sanitized oui.txt edition with abridging vendor name logic applied.

nmap-mac-prefixes Download

nmap-mac-prefixes   Wed, 31 May 2023 07:02:39 +0000  •  618.7 kB (618,703 bytes)  •  ASCII


Nmap MAC Address Scan

The nmap-mac-prefixes file is used by Nmap to output meaningful OUI vendor names for MAC addresses it detects by matching the three-byte prefix taken from the MAC address and looking for a match in nmap-mac-prefixes file. It's also used in other nmap features. The Nmap nmap-mac-prefixes file can typically be found in /usr/share/nmap/ on most Linux distributions.

An example of this can be seen by performing a nmap scan of a local network. In this example the 192.168.0.0/24 LAN segment is scanned using the following:

nmap -n -sP -PS -PE -PP -PM 192.168.0.0/24 | grep MAC
ephor ~ # nmap -n -sP -PS -PE -PP -PM 192.168.0.0/24 | grep MAC MAC Address: XX:XX:XX:XX:XX:XX (Cisco) MAC Address: XX:XX:XX:XX:XX:XX (AOpen) MAC Address: XX:XX:XX:XX:XX:XX (ASUS) MAC Address: XX:XX:XX:XX:XX:XX (Intel) MAC Address: XX:XX:XX:XX:XX:XX (Linksys) MAC Address: XX:XX:XX:XX:XX:XX (Dell) MAC Address: XX:XX:XX:XX:XX:XX (Dell) MAC Address: XX:XX:XX:XX:XX:XX (HP) MAC Address: XX:XX:XX:XX:XX:XX (HP) MAC Address: XX:XX:XX:XX:XX:XX (Intel) MAC Address: XX:XX:XX:XX:XX:XX (OKI Electric) MAC Address: XX:XX:XX:XX:XX:XX (D-Link) MAC Address: XX:XX:XX:XX:XX:XX (Kingston) MAC Address: XX:XX:XX:XX:XX:XX (Dell) MAC Address: XX:XX:XX:XX:XX:XX (Brother) MAC Address: XX:XX:XX:XX:XX:XX (Xerox) ephor ~ # _



Arpwatch ethercodes.dat

Arpwatch is an Ethernet monitor tool by Network Research Group (NRG). The ethercodes.dat distributed with the NRG Arpwatch package archive is somewhat dated, Jul 22, 2006. The format of this data file is similar enough to the nmap-mac-prefixes file that it is rather trivial to generate an updated ethercodes.dat from it.

See Updating ethercodes.dat Ethernet vendor codes on the DTU IT Wiki for a working example.

The ethercodes.dat file can be found in /usr/share/arpwatch/ or /var/lib/arpwatch/ on most installations.

ethercodes.dat Download

ethercodes.dat   Wed, 31 May 2023 07:02:40 +0000  •  720.3 kB (720,331 bytes)  •  ASCII




Arp-scan ieee-oui.txt

Arp-scan is a local network ARP host scanning and fingerprinting tool.

The arp-scan package provides a Perl script to update it's ieee-oui.txt file. The default URL is that of the original IEEE oui.txt data. The -u parameter for get-oui can be used to specify the URL to fetch the raw OUI data from instead of the default.

Updating arp-scan ieee-oui.txt

The arp-scan ieee-oui.txt data file in /usr/share/arp-scan/ or /usr/local/share/arp-scan/ can be updated with the latest sanitized oui.txt data with the following:

cd /usr/share/arp-scan/ && get-oui -u https://linuxnet.ca/ieee/oui.txt

If you've recently updated the oui.txt file on the localhost, you can update the arp-scan /usr/share/arp-scan/ieee-oui.txt file using the local oui.txt file as follows:

cd /usr/share/arp-scan/ && get-oui -u file:///usr/share/misc/oui.txt

Alternative arp-scan using nmap-mac-prefixes

The arp-scan ieee-oui.txt file shares the same format as the nmap-mac-prefixes file and thus it can be used with arp-scan using the --ouifile option.

arp-scan --ouifile=/usr/share/nmap/nmap-mac-prefixes -lI eth0 luger ~ # arp-scan --ouifile=/usr/share/nmap/nmap-mac-prefixes -lI eth0 Interface: eth0, datalink type: EN10MB (Ethernet) Starting arp-scan 1.9.5 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.0.1 XX.XX.XX.XX.XX.XX Cisco 192.168.0.2 XX.XX.XX.XX.XX.XX Netgear 192.168.0.3 XX.XX.XX.XX.XX.XX Netgear 192.168.0.4 XX.XX.XX.XX.XX.XX Ubiquiti 192.168.0.5 XX.XX.XX.XX.XX.XX Ubiquiti 192.168.0.6 XX.XX.XX.XX.XX.XX Ubiquiti 192.168.0.10 XX.XX.XX.XX.XX.XX Linksys 192.168.0.11 XX.XX.XX.XX.XX.XX HP 192.168.0.15 XX.XX.XX.XX.XX.XX HP 192.168.0.20 XX.XX.XX.XX.XX.XX Apple 192.168.0.21 XX.XX.XX.XX.XX.XX Apple 192.168.0.22 XX.XX.XX.XX.XX.XX ASUS 192.168.0.39 XX.XX.XX.XX.XX.XX ASUS 192.168.0.40 XX.XX.XX.XX.XX.XX VMware 192.168.0.41 XX.XX.XX.XX.XX.XX Ooma 192.168.0.42 XX.XX.XX.XX.XX.XX Dell 192.168.0.43 XX.XX.XX.XX.XX.XX Dell 192.168.0.44 XX.XX.XX.XX.XX.XX Dell 192.168.0.45 XX.XX.XX.XX.XX.XX ASUS 192.168.0.100 XX.XX.XX.XX.XX.XX Dell 192.168.0.105 XX.XX.XX.XX.XX.XX WD 192.168.0.107 XX.XX.XX.XX.XX.XX HP 192.168.0.108 XX.XX.XX.XX.XX.XX Epson 192.168.0.220 XX.XX.XX.XX.XX.XX Samsung 192.168.0.225 XX.XX.XX.XX.XX.XX Samsung 192.168.0.226 XX.XX.XX.XX.XX.XX Huawei 26 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.9.5: 256 hosts scanned in 1.885 seconds (135.81 hosts/sec). 26 responded luger ~ # _