5

My laptop is down, but I need to extract its MAC address thas was previously used to establish wifi connection. The filesystem was cloned, so I am trying to find any configurational file which contains the string with MAC address. What file is usually red by ifconfig to display network interfaces information?

freude
  • 155
  • 1
  • 1
  • 5

3 Answers3

9

Option 1: /etc/udev/rules.d/70-persistent-net.rules

Option 2: /etc/NetworkManager/system-connections directory, inspect any of the files for connections listed there.

Options 3: /var/log/syslog file and archived ones, syslog.*.gz. Specifically, look for something in format date hostname dhclient: Listening on LPF/wlan0/XX:XX:XX:XX:XX:XX

Option 4: May be listed in dmesg log as well, however at least for me personally, it took form without : as separator. Here's what I mean

[    5.655159] ieee80211 phy0: hwaddr b482fed38556, RTL8187SE + rtl8225-se

side note: since /sys filesystem exists only at runtime , as does /proc , it's impossible to view /sys/class/net/wlan0/address file, however I will leave that as side note, in case one needs a file usable at run-time.

Sergiy Kolodyazhnyy
  • 105,154
  • 20
  • 279
  • 497
  • 4
    /sys/ isn't real so may not exist in the clone. Option 2 only works if you specify which adapter a connection should connect on. Option 3 requires your last boot to have been fairly successful. Option 1 is the best bet. – Oli Oct 31 '15 at 14:44
  • The second option works for me. Strange, but I don't have file 70-persistent-net.rules in my filesystem – freude Oct 31 '15 at 14:47
  • Option #2 should work in 99% of the cases, because for the most part Ubuntu users use NetworkManager, unless the user is using wicd or command-line only method. @freude do you have it listed with a different starting number perhaps ? – Sergiy Kolodyazhnyy Oct 31 '15 at 14:51
  • @Oli I suspected that about /sys as it is a virtual file system, but it's still a file, it doesn't disappear just like that, unless its being removed upon shutdown. I will try to test that once I get home to my hard drive with 15.04. As for option #2 , the interface is already specified when user clicks network connection through the network-manager indicator. – Sergiy Kolodyazhnyy Oct 31 '15 at 14:53
  • 1
    @Serg It's virtual; it never really exists. The files are coming from inside the house, etc. Same with things like /dev, /proc, /run. – Oli Oct 31 '15 at 15:02
  • /var/log/dmesg is also a good bet – abligh Oct 31 '15 at 18:37
  • @abligh yes, that as well. It didn't show up for me right away, because the address didn't have : as separator, which is why i didn't add that to my original answer. I'll add that now – Sergiy Kolodyazhnyy Oct 31 '15 at 18:43
  • 4
    /sys is virtual. It does not exist on disk. You should remove #4 from the list. – nobody Oct 31 '15 at 19:49
  • I've left /sys option as side note, someone may find it useful – Sergiy Kolodyazhnyy Nov 02 '15 at 10:14
2

On Ubuntu server 18.04, I found the MAC address in /var/log/syslog and /var/log/ufw.log as :

Dec  7 02:49:08 hostname kernel: [1870435.881302] [UFW BLOCK] IN=eno1 OUT= MAC=xx:yy:2b:49:c7:23:aa:bb:00:00:00:1a:08:00 SRC=XXX.YYY.114.154 DST=XXX.YYY.138.47 LEN=40 TOS=0x00 PREC=0x00 TTL=246 ID=54321 PROTO=TCP SPT=40963 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0 
Dec  7 02:54:32 hostname kernel: [1870760.588719] [UFW BLOCK] IN=eno1 OUT= MAC=xx:yy:2b:49:c7:23:aa:bb:00:00:00:1a:08:00 SRC=XXX.YYY.25.65 DST=XXX.YYY.138.47 LEN=44 TOS=0x00 PREC=0x00 TTL=56 ID=36934 PROTO=TCP SPT=2740 DPT=80 WINDOW=35007 RES=0x00 SYN URGP=0 
Dec  7 03:01:22 hostname kernel: [1871170.660324] [UFW BLOCK] IN=eno1 OUT= MAC=xx:yy:2b:49:c7:23:aa:bb:00:00:00:1a:08:00 SRC=XXX.YYY.106.221 DST=XXX.YYY.138.47 LEN=40 TOS=0x00 PREC=0x00 TTL=237 ID=1440 PROTO=TCP SPT=58914 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0

Using this answer to parse the log, the desired MAC address is:

xx:yy:2b:49:c7:23
Eric Duminil
  • 409
2

You can get it from arp cache

cat /proc/net/arp

Arun Pradeep
  • 21