Python - Find a specific mac address in a log file

Question

I want to extract specific Mac Address from a log file that can appear in different formats.

For example, on these three lines:

Jun 16 10:24:28 (2248) Login OK: cli 88-c9-d0-fd-13-65 via TLS tunnel)

Jun 16 10:24:35 (2258) Login OK: cli f8:a9:d0:72:0a:dd via TLS tunnel)

Jun 16 10:24:44 (2273) Login OK: cli 485a.3f12.a35a via TLS tunnel)

with this regex:

([[:xdigit:]]{2}[:.-]?){5}[[:xdigit:]]{2} 

I can bring out all the mac address, within the linux command less.

Assuming to search 48:5a:3f:12:a3:5a,how do I apply the same syntax with a specific mac address in Python?

I tried to write something like this:

regex = re.compile(r'([[:xdigit:]]{2}[:.-]?){5}[[:xdigit:]]{2}')

for line in file:
   match = regex.search(line)

but obviously it doesn't work.

Answer 1

You may use

r'\b[a-f0-9]{2}(?:([:-]?)[a-f0-9]{2}(?:\1[a-f0-9]{2}){4}|(?:\.?[a-f0-9]{2}){5})\b'

See the regex demo (compile the regex object with the re.I flag).

Explanation:

• \b - leading word boundary
• [a-f0-9]{2} - 2 xdigits
• (?: - start of a non-capturing group with 2 alternative patterns:
  • ([:-]?)[a-f0-9]{2}(?:\1[a-f0-9]{2}){4}:
    • ([:-]?) - Group 1 capturing a delimiter that is either a : or -
    • [a-f0-9]{2} - 2 xdigits
    • (?:\1[a-f0-9]{2}){4} - 4 sequences of the delimiter in Group 1 and 2 xdigits
  • | - or
  • (?:\.?[a-f0-9]{2}){5}) - 5 sequences of an optional (1 or 9) dot (\.?) and 2 xdigits.
• \b - trailing word boundary

Sample Python demo:

import re
p = re.compile(r'\b[a-f0-9]{2}(?:([:-]?)[a-f0-9]{2}(?:\1[a-f0-9]{2}){4}|(?:\.?[a-f0-9]{2}){5})\b', re.IGNORECASE)
s = "Jun 16 10:24:28 (2248) Login OK: cli 88-c9-d0-fd-13-65 via TLS tunnel)\nJun 16 10:24:35 (2258) Login OK: cli f8:a9:d0:72:0a:dd via TLS tunnel)\nJun 16 10:24:44 (2273) Login OK: cli 485a.3f12.a35a via TLS tunnel)"
print([x.group() for x in p.finditer(s)])
# =>  ['88-c9-d0-fd-13-65', 'f8:a9:d0:72:0a:dd', '485a.3f12.a35a']