Can I give the Raspberry Pi any MORE to do? This started off as a plea for help – as I could not find a way to get reliable reporting of changed devices on my network – as you’ll see, now CRACKED thanks to readers and in particular Mr Shark.
I’ve tried Glasswire on PC, Nmap on Pi and Advanced IP scanner on PC… the latter detects devices like ESP8266 on the network no problem – but could I HELL find a way to show JUST devices connected since the last scan.
So let’s say I just turned on a couple of ESP boards 5 minutes ago – I don’t yet have names for them, just dynamically created IP addresses. I can easily get a list of all the devices on the net but how do I get a list of JUST all the devices that were not online last time I checked 10 minutes ago. Advanced IP scanner is one of the best tools I’ve used yet it does NOT seem able to do this.
I also wanted to see hostnames where possible.
The solution works a treat. FING on the PI…
sudo fing -n 192.168.14.0/24 –session /home/pi/.node-red/public/session.txt -o table,html,/home/pi/.node-red/public/devices.html
See the comments about installing Fing.
If you are not running Node-Red then the files above should run in /var/www/html, incidentally.
The above with an ampersand on the end can be run in /etc/rc.local (at the very end before the last “exit 0”) and if you are running node-red and like me made a public folder under the node-red folder (see earlier stuff in the blog about the public folder) then you can access devices.html as xxx.xxx.x.x:1880/devices.html
The page gets large (working on limiting its size) so I won’t show it here but it shows a summary list of all devices on the network and their hostnames (if available) and status (UP/DOWN) then a list sorted by date/time of devices that changed state.
FING on the Pi – combining Mr Sharks’ Feb 2019 comment and updates Oct 2019..
Download latest linux zip file and uncompress it:
wget https://www.fing.com/images/uploads/general/CLI_Linux_Debian.zip
unzip CLI_Linux_Debian.zip
check your architecture, should be something similar to armXXX for raspberry:
uname -r && ls fing*deb
I used this:
sudo dpkg -i fing-5.4.0-armhf.deb
sudo fing
if it complains about missing libs (mine didn’t) maybe this is needed:
sudo apt-get install -y libpcap-dev
hello Antonio
sorry think Iv spotted my error (my eyesight is bad)
should be wget –no-check-certificate https://bitbucket.org/api/2.0/snippets/scargill/qexexb/master/files/script.sh
under master files to download
will try that
regards
hello Antonio
Iv cleared my problem with fing as per last comment.
I decided to do one more sd card this time using your newer script.
When I ran wget script
root@orangepiplus2e:~# wget –no-check-certificate https://bitbucket.org/snippet s/scargill/qexexb/the-script-2019#script.sh-381
–2019-03-03 20:03:23– https://bitbucket.org/snippets/scargill/qexexb/the-scri pt-2019
Resolving bitbucket.org (bitbucket.org)… 2406:da00:ff00::22c5:2ef4, 2406:da00: ff00::22cd:e0db, 2406:da00:ff00::22c3:9b0a, …
Connecting to bitbucket.org (bitbucket.org)|2406:da00:ff00::22c5:2ef4|:443… co nnected.
HTTP request sent, awaiting response… 200 OK
Length: 286602 (280K) [text/html]
Saving to: ‘the-script-2019’
This is the doc file not the sh file
what did I do wrong in get command???
regards
hello Antonio
Thanks for the quick reply see attached screen clip
echo “pi ALL=(ALL) NOPASSWD: ALL” > /etc/sudoers.d/pi
This directory etc/sudoers/ had garbage in it no pi
I dont know how this happen as checking all my other backup SD’s its there.
SD card ???? bad write?
Its only missing on this card which is now in the bin.
will finish checking programm run and copy onto emmc
regards and many thanks to you and Pete for all your help
hello Antonio
as you are the Linux Guru I have a problem with my fing sudo command to
start the discovery sequence. It has upto now been working with no problem.
Today I did an update on nodes and since then every time I do a sudo it asks me for
the password. The exec node gives a return message of Command failed: ./fing.sh
sudo: a password is required. I am or was pi.
can you help?
regards
check if you’ve not lost the pi sudo setup, lines 381-383:
https://bitbucket.org/snippets/scargill/qexexb/the-script-2019#script.sh-381
Hello Mr Shark
thanks again for the help. I’m now officially a mass murder worked perfectly
regards
Hello Mr Shark
other permission problem to make entries in rc.local have not managed that always refused
also in my Public file the session files are owned by root, all my files are pi
regards
that’s correct, as to get those info you need root privileges and sessions belong to him
Hello Mr Shark
my problem was permission to access my own fing.sh file I created to start
fing from my dashboard.
regards
Hello Pete
help required. I have set up in node-red dashboard an exec with button which I use to
start fing running by ./fing.sh, works fine and I get a pid number, also the dashboard
displays the table and updates every 1 minute.
now I want to stop this by another button. The trouble for me is the PID number changes so I must kill the process by name. I tried # pkill fing but nothing happened
and got a return 0
Anyone an idea how to terminate this process????
No idea – Antonio put me onto fing, I’m new to it myself.
you don’t need to be a sniper… be a mass murderer! 😀
sudo killall fing.bin
hello Pete
thanks for the work you and Mr.Shark have done on setting up this project.
Have managed to get it all done as per your instructions on my setup via “The script”
No problems except my permanent one of permissions. Have the output into a template on my node-red dashboard.
Have at last cracked my problem of permissions and owner in Linux . This site has the best description of chmod I have seen maybe of interest to others with similar problems.
what problem did you have with permissions? Usually starting from script (so they’re already correct) and updating as usual with npm does not change them…
i know what 777 (and 666 🙂 ) means, as a long time “penguin”, and both are “evil” in the eyes of a unix taleban… better to use 775 and 664, and change the group of the desired files/folders accessible to that group (in which put the owner of the files/folders), than opening the “legs” to the full world…
but as i’m a pragmatic penguin and i know 99% of these installs are just for us (even wives use the ending part of all this work and regret if something is wrong, but don’t mess with filesystems), and none will ever access our consoles, well, then even 777 and 666 can be useful in extreme cases…
but KNOWING what those little numbers are is just good, you’re right in pointing at articles like that…
Try
sudo tcpdump -v port 67
and then switch the device on. You should pick up the broadcast DHCP DISCOVER and REQUEST packages. All the information should be displayed.
Here’s an example:
# tcpdump -np -v port 67
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:23:53.426801 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 336)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:dd:c2:0d:ec:14, length 308, xid 0xcbf9ab86, Flags [none]
Client-Ethernet-Address bc:dd:c2:0d:ec:14
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Discover
MSZ Option 57, length 2: 1500
Hostname Option 12, length 10: “ESP_0DEC14”
Parameter-Request Option 55, length 12:
Subnet-Mask, Default-Gateway, BR, Domain-Name-Server
Domain-Name, Netbios-Name-Server, Netbios-Node, Netbios-Scope
Router-Discovery, Static-Route, Classless-Static-Route, Vendor-Option
22:23:53.435853 IP (tos 0x0, ttl 255, id 1, offset 0, flags [none], proto UDP (17), length 336)
0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:dd:c2:0d:ec:14, length 308, xid 0x7bc2029, Flags [none]
Client-Ethernet-Address bc:dd:c2:0d:ec:14
Vendor-rfc1048 Extensions
Magic Cookie 0x63825363
DHCP-Message Option 53, length 1: Request
MSZ Option 57, length 2: 1500
Requested-IP Option 50, length 4: 192.168.31.45
Server-ID Option 54, length 4: 192.168.31.61
Parameter-Request Option 55, length 12:
Subnet-Mask, Default-Gateway, BR, Domain-Name-Server
Domain-Name, Netbios-Name-Server, Netbios-Node, Netbios-Scope
Router-Discovery, Static-Route, Classless-Static-Route, Vendor-Option
Hostname Option 12, length 10: “ESP_0DEC14”
In the above case the device has been given IP 192.168.31.45
great! Googling this i’ve found a more concise version (https://www.algissalys.com/tech-notes/dhcp-filters-using-tcpdump-to-extract-ip-and-mac-address):
sudo tcpdump -l -s 0 -n -vvv ‘((udp port 67) and (udp[8:1] = 0x1))’ | grep -E -i ‘requested-ip|client-id’
which produced:
tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes
Client-ID Option 61, length 7: ether f4:60:e2:xx:xx:xx
Requested-IP Option 50, length 4: 192.168.1.233
My network is a bit more complex to rely on a single scanner. With 3 different isolated vlans (my own lan, guest, IOT devices), I am relying on my little yet powerful Ubiquiti Edgerouter.
With a single script (https://community.ubnt.com/t5/EdgeRouter/DHCP-on-lease-script/td-p/1099275), I managed to change the script to call a Node Red web hook and from there, it’s magic. Email notification, turn on a light, play “Welcome back – guest” to one of my returning friends. I use Pushbullet too.
VERY basic flow to have those devices in nodered, instead of a separate page…
i’m using this command line to generate the json every minute, under the folder which is shared by home assistant (same as the static folder of nodered, feel free to change the path accordingly and of course the url)
sudo fing -n 192.168.1.254/24 –session /usr/share/hassio/homeassistant/www/session.txt -o table,json,/usr/share/hassio/homeassistant/www/devices.json
which will give me this json url: http://192.168.1.254:8123/local/devices.json
this is the flow, calling http://192.168.1.254:1880/aa will give you the page as in screenshot (you need to add to your nodes the TABLEIFY one: https://flows.nodered.org/node/node-red-contrib-tableify )
[{“id”:”34274c82.e85ad4″,”type”:”http request”,”z”:”cc5d8856.f54218″,”name”:””,”method”:”GET”,”ret”:”txt”,”url”:”http://192.168.1.254:8123/local/devices.json”,”tls”:””,”x”:280,”y”:400,”wires”:[[“872ee485.f55f68”]]},{“id”:”872ee485.f55f68″,”type”:”json”,”z”:”cc5d8856.f54218″,”name”:””,”property”:”payload”,”action”:””,”pretty”:false,”x”:460,”y”:420,”wires”:[[“e4d49afc.d35e78”]]},{“id”:”e4d49afc.d35e78″,”type”:”tableify”,”z”:”cc5d8856.f54218″,”name”:””,”before”:””,”after”:””,”tableStyle”:””,”theadStyle”:””,”tbodyStyle”:””,”trStyle”:””,”tdStyle”:””,”x”:580,”y”:340,”wires”:[[“4259c68b.d5b018”]]},{“id”:”4259c68b.d5b018″,”type”:”http response”,”z”:”cc5d8856.f54218″,”name”:””,”statusCode”:””,”headers”:{},”x”:740,”y”:340,”wires”:[]},{“id”:”851e49c7.be5bd8″,”type”:”http in”,”z”:”cc5d8856.f54218″,”name”:””,”url”:”/aa”,”method”:”get”,”upload”:false,”swaggerDoc”:””,”x”:130,”y”:340,”wires”:[[“34274c82.e85ad4”]]}]
and of course instead of an url you can even use a file node to access the actual json file on filesystem, just change the flow accordingly…
If your router supports SNMP, you can use that to query connected devices. A simple script can periodically query the router for a list of connected devices and track recently connected ones. There may be a way to directly list recently connected devices and/or show the time they were connected, I’m not sure.
I use a similar query with SNMP to determine when people are home, by checking whether or not their phone is connected to wifi.
I just list my current DHCP leases on the router by time left until expiration. You can then see which devices grabbed the most recent addresses. Simple on a Mikrotik, I assume there’s a table on most other routers?
i installed fing on my system and added this line to /etc/rc.local (before last exit 0):
sudo fing -n 192.168.1.254/24 –session /home/pi/.node-red/public/session.txt -o table,html,/home/pi/.node-red/public/devices.html &
/home/pi/.node-red/public is the folder defined in settings.json using Pete’s script for static content served by nodered via http
then i just point my browser to http://ip:1880/devices.html and have my devices right there…
you can also put same file under /var/www/html and have it server by apache, choice is up to you
p.s.: once downloaded the fing .zip file from original site and installed the correct deb file using dpkg, it complained about a missing lib… a little google search will help you to find it out which one and how to install…
I looked here for fing on pi – https://community.spiceworks.com/how_to/45386-raspberry-pi-with-tightvnc-and-fing-for-network-monitoring – overlooksoft site is dead.
Got anything specific, Antonio – for fing install in pi? If so I’ll give this a shot.
old install that you’ve found…
download latest linux zip file and uncompress it:
wget https://www.fing.com/images/uploads/general/CLI_Linux_Debian.zip
unzip CLI_Linux_Debian.zip
check your architecture, should be something similar to armXXX for raspberry:
uname -r && ls fing*deb
so usually you should install this package:
sudo dpkg -i fing-5.3.3-arm64.deb
if it complains, try the previous package:
sudo dpkg -i fing-5.3.3-armhf.deb
try running fing
sudo fing
if it complains about missing libs, tell me what and we’ll see, btw i think this is needed:
sudo apt-get install -y libpcap-dev
Fing is the best Peter or wireshark. But mainly Fing as got a new device from Kmart Australia. It look like sonoff, but used phillips Hue bridge. Also uses the good old esp8266 chip. The software it used was Genio very much like Ewelink too. Anyway Fing on Android is the go.
Can’t your router email you any changes to the network?
My Fritzbox sends me emails about what’s changed.
So if I connect a new ESP, it sends me the IP-address, hostname and MAC. (+ time ofcourse)
Fing is also possible to keep track of changes since last scan, but I find the app to be a lot less useful lately. It used to work way better. Not sure what changed (Android or Fing), but now it messes up my found devices since it no longer recognizes a different network. So I do see all devices from work in my own list. It used to be working pretty fine.
as said, you can install fing on same box of your nodered or whatelse and have it populate a db or output a json or other formats file, it works well and does not mess with other networks, of course 🙂
No I don’t think my main router (Vodaphone One) can email me about changes.
I use pi.hole on my network for Ad blocking and also DHCP. I then use node-red on the same Raspberry Pi to look at the arp entries and that gives me presence detection.
It would not be too hard to write the list of MACs and IPs to a database with a timestamp.
i see FING can produce a wide sample of outputs, txt, html, csv, xml, even json, so should not be difficult to use that, too
in the middle of this page there’s a perl script which can be scheduled to run and adds discovered device to an sqlite db, maybe this is even better for Peter, so he can interact with it via nodered: https://makezine.com/projects/build-raspberry-pi-network-scanner/
otherwise, when i attach a new device in my network, i just use FING from smartphone… if you register an account you can even know what was there and not anymore, and what’s new…
https://play.google.com/store/apps/details?id=com.overlook.android.fing
it has even many developer tool which can be downloaded to do custom apps:
https://www.fing.com/products/development-toolkit/
just tried my network, fing seems very nice 😀
i installed the CLI windows version on previous links, then run in console:
fing -o table,html,test.html
this produces an html page named test.html which is updated every minute (you can change this with other switches on command line, i suppose), so you just need to open it and wait: no need to hit f5 in browser, as page has an automatic refresh every 60s… can run on linux, too, and as a service in windows… tons of other options, too
this command will ask you what to do, live:
fing –interactive
look here: https://www.youtube.com/watch?v=WGtwrL2-0n8
how to install fing on raspberry: https://help.fing.io/knowledge-base/steps-installation-process/
command line help: https://www.real-world-systems.com/docs/fing.1.html
but if you run the interactive version and answer its questions, it will give you the complete command line to run, so you just need to copy that in some starting up file like rc.local (DON’T forget to add an ampersand at the end of the command line to put the running process in background, or you’ll never reach your prompt login otherwise!)
Sorry for the stupid question but where does it host the test.html page, I’ve tried to find it without success!
what?
Sorry, I added the reply under the wrong post, I was wondering how to view the test.html page you created in the previous post, I’ve run the same command on my Pi.
I recall reading about the FingBox and thinking that it must work in a similar manner to a device I played with a few years back called “Circle with Disney”. Circle was basically a small box that used ARP spoofing in order to force all network traffic to route through itself enroute to their original destinations. As a result, you are able to monitor, filter, and (naturally) detect any new devices on the network – – and as a bonus…. control your kids’ internet surfing and access as a result. Another bonus is that it would send notifications to your mobile phone alerting you to the presence of any new devices on the network. Perhaps worth checking out although the FingBox does seem to be more specifically tailored to network security as opposed to traffic filtering. The first generation Circle units which don’t require a monthly subscription can occasionally be found on eBay. Avoid the 2nd gen units though as I understand they changed their revenue model to a rent-seeking one.
Regards from Switzerland…
– John
we can use the flow i published a few days ago, as said i got it working with little tweaks… it does MUCH more, it shows a lot of info about tasmota and espeasy devices and allows to update them, but we can reduce that flow to do just device detection, it already works as said, but requires both nmap and sqlite to store the actual devices found and update the list with new ones…
https://tech.scargill.net/sonoff-tasmota-and-alexa/#comment-47827
Tail your DHCP server logs?
My router runs OpenWRT, so getting the dnsmasq log is trivial. Many routers can log to a syslog server, eg on a Pi, so getting their logs should be doable as well.
arpwatch will alert on any new MAC addresses seen, could run that on a Pi too. Would also catch static IP addresses.
Sort ‘order’ by ‘last change’. Youcan also get notified if there is something new on your network.
Android fing would not pick up on my ESP hostnames… however, yes, command line fing on the PC does indeed work, second sweep returns only new devices…. excellent.
Thanks, all.
you can have it running on raspberry so you have the html page always updated and available… or feed an exec node with an inject one which scans on request, but you need to give a file to store/retrieve previous scans on command line to have it working reliably
i can help once back home, in case…
Can you have fing run on pi and inform you of changes on the network?
mmm, probably… but i think if i’ve time i’ll strip out the NMAP network scan part from the flow which is just a few comments below this (that ET DISPLAY HOME), and try to make a dashboard ui just with that, without the tasmota and espeasy parts… as it already works, why reinvent the wheel?
Very true, must reset up my pi. Pop it away. The updates will be a killer.
the other method usable is the tcpdump command in last comments here… i use that now, when connecting a new device, i put in to monitor udp port 67, as soon as a dhcp request (with mac) is followed by an offer (with ip), i get both immediately…
you can even add an “udp listener” node in a flow, on udp port 67, and pipe it to a debug node, but of the 3 modes selectable in that node, none of them produced a readable output, i didn’t go further in investigating that…
I use a program called ‘Whois on my WiFi’. Whenever it sees a new device it notifies you. It’s at https://whofi.com/agents/windows/
I use an old version of Fing on my Android phone.
I tend to use Fing on an Android tablet to search for devices (new and old), but I do use nmap from time to time. Here’s a quick ‘n’ dirty way to find new IPs:
$ sudo nmap -sP 192.168.1.0/24 -oG – | grep “^Host” > file1
(turn on your new device)
$ sudo nmap -sP 192.168.1.0/24 -oG – | grep “^Host” > file2
$ diff file1 file2
Not the easiest but how about using Angry IP scanner(https://angryip.org/about/), export to CVS and later when you run it again and save to update-CVS you can diff the two CVS files to see the new or missing devices.
You might ask the author about the new ‘diff’ feature. For example, having quick save to a default.cvs file and when run again, if it sees that file it then does a diff and the new scan presents the new IP devices highlighted. Quiting will ask for a quick save/update to the default.cvs file so the next run can again show new devices.
You might be able to modify this code to do what you want:
https://github.com/initialstate/pi-sensor-free-presence-detector/wiki
Ed