Finding a MAC Address in VMware ESX

Tags: , , , , , , , , ,


Sometimes you just have to trace a system down by its MAC address. It could be a security incident, an abuse complaint or perhaps a long forgotten legacy system. Whatever it is, you don’t have much info to work with, but you do have a hardware address. Sadly, VMware doesn’t seem to have an easy way to search for a host by its MAC address. And filtering by corresponding IP address in the VI client only works if your VMware tools are installed and working. Which, after all, probably isn’t the case if all you know about a machine is its MAC address. Luckily with root shell access to the ESX hosts you can force a MAC address search easily enough.

The following one-liner will search the VMFSes presented to the host for a given string, for our purposes it’s a MAC address. In many cases running this search from one ESX node will effectively search the whole cluster, because they all share the same VMFS datastores.

[root@esx1 root]$ find /vmfs/volumes | grep .vmx$ | while read i; do \
                  grep -i "00:50:56:b9:79:70" "$i" && echo "$i"; done
ethernet0.generatedAddress = "00:50:56:b9:79:70"
/vmfs/volumes/49358dcc-139b80f0-2d98-001ec9cf6a91/FOOVM/FOOVM.vmx

What the above script does is grep for the mac address 00:50:56:b9:79:70 in all files ending with .vmx in /vmfs/volumes. If a match is found, the full path to that vmx file is printed to the screen and from there you can glean the name and location of this formerly elusive virtual machine.

Related posts:

  1. Printing the last occurrence of a string and everything below it with grep
  2. Converting Windows Guests From VMWare ESX to KVM With Virtio Drivers
  3. Ubuntu UEC/EC2 Puppet Client Howto
  4. CIDR Cheat Sheet – IP Subnet & Netmask info

5 Responses to “Finding a MAC Address in VMware ESX”

  1. Josh Says:
    July 11th, 2014 at 12:14 pm

    Here’s another one-liner:

    find /vmfs/volumes/ -type f -iname “*.vmx” -exec grep -im1 “YOUR MAC” {} \; -print

    Alternatively, if you just want the .vmx name without seeing the MAC again, add -q to the grep command:

    find /vmfs/volumes/ -type f -iname “*.vmx” -exec grep -qim1 “YOUR MAC” {} \; -print

    [Reply]

  2. Paul Krash Says:
    January 26th, 2015 at 3:31 pm

    How would one find an errant VM across a whole center by Mac address?

    $report =@()
    Get-VM | Get-View | %{
    $VMname = $_.Name
    $_.guest.net | where {$_.MacAddress -eq “00:50:56:xx:xx:xx”} | %{
    $row = “” | Select VM, MAC
    $row.VM = $VMname
    $row.MAC = $_.MacAddress
    $report += $row
    }
    }
    $report

    [Reply]

  3. Various options to find the MAC. | Techbrainblog Says:
    March 11th, 2015 at 11:42 pm

    […] http://backdrift.org/finding-a-mac-address-in-vmware-esx […]

  4. Andy Says:
    September 25th, 2015 at 6:17 am

    Hi Joel – of course I am mtoinoring this thread… You do not need to configure any passthough on the vSphere Configuration tab. What is the hardware version of the VM’s ? Just make sure I understand correctly. – vSphere installed on HP Proliant. – VM’s are running Windows 2000 – with up to date tools and a USB controller added to the VM’s configuration. – User is connecting to VM from a Windows XP machine with up-to-date vSphere client. What happens when you open the vSphere console to the WIN2K VM and connect the USB controller?

    [Reply]

  5. Michael Says:
    February 10th, 2016 at 8:26 am

    Why do you use os many different programs when grep can do all that in one turn?
    grep ‘MY_MAC’ /vmfs/volumes/*/*/*.vmx
    you can also limit the datastores you are searching for for examle with vol_tvms_linux_*/*/*.vmx (learch only on our test linux servers for example)

    [Reply]

Join the Conversation