Finding a MAC Address in VMware ESX

Tags: , , , , , , , , ,

Sometimes you just have to trace a system down by its MAC address. It could be a security incident, an abuse complaint or perhaps a long forgotten legacy system. Whatever it is, you don’t have much info to work with, but you do have a hardware address. Sadly, VMware doesn’t seem to have an easy way to search for a host by its MAC address. And filtering by corresponding IP address in the VI client only works if your VMware tools are installed and working. Which, after all, probably isn’t the case if all you know about a machine is its MAC address. Luckily with root shell access to the ESX hosts you can force a MAC address search easily enough.

The following one-liner will search the VMFSes presented to the host for a given string, for our purposes it’s a MAC address. In many cases running this search from one ESX node will effectively search the whole cluster, because they all share the same VMFS datastores.

[root@esx1 root]$ find /vmfs/volumes | grep .vmx$ | while read i; do \
                  grep -i "00:50:56:b9:79:70" "$i" && echo "$i"; done
ethernet0.generatedAddress = "00:50:56:b9:79:70"

What the above script does is grep for the mac address 00:50:56:b9:79:70 in all files ending with .vmx in /vmfs/volumes. If a match is found, the full path to that vmx file is printed to the screen and from there you can glean the name and location of this formerly elusive virtual machine.