Devices recently connected to the network

Can I give the Raspberry Pi any MORE to do? This started off as a plea for help – as I could not find a way to get reliable reporting of changed devices on my network – as you’ll see, now CRACKED thanks to readers and in particular Mr Shark.

I’ve tried Glasswire on PC, Nmap on Pi and Advanced IP scanner on PC… the latter detects devices like ESP8266 on the network no problem – but could I HELL find a way to show JUST devices connected since the last scan.

So let’s say I just turned on a couple of ESP boards 5 minutes ago – I don’t yet have names for them, just dynamically created IP addresses. I can easily get a list of all the devices on the net but how do I get a list of JUST all the devices that were not online last time I checked 10 minutes ago. Advanced IP scanner is one of the best tools I’ve used yet it does NOT seem able to do this.

I also wanted to see hostnames where possible.

The solution works a treat. FING on the PI…

sudo fing -n 192.168.14.0/24 –session /home/pi/.node-red/public/session.txt -o table,html,/home/pi/.node-red/public/devices.html

See the comments about installing Fing.

If you are not running Node-Red then the files above should run in /var/www/html, incidentally.

The above with an ampersand on the end can be run in /etc/rc.local (at the very end before the last “exit 0”) and if you are running node-red and like me made a public folder under the node-red folder (see earlier stuff in the blog about the public folder) then you can access devices.html as xxx.xxx.x.x:1880/devices.html

The page gets large (working on limiting its size) so I won’t show it here but it shows a summary list of all devices on the network and their hostnames (if available) and status (UP/DOWN) then a list sorted by date/time of devices that changed state.

Facebooktwitterpinterestlinkedin

51 thoughts on “Devices recently connected to the network

  1. Not the easiest but how about using Angry IP scanner(https://angryip.org/about/), export to CVS and later when you run it again and save to update-CVS you can diff the two CVS files to see the new or missing devices.

    You might ask the author about the new ‘diff’ feature. For example, having quick save to a default.cvs file and when run again, if it sees that file it then does a diff and the new scan presents the new IP devices highlighted. Quiting will ask for a quick save/update to the default.cvs file so the next run can again show new devices.

  2. I tend to use Fing on an Android tablet to search for devices (new and old), but I do use nmap from time to time. Here’s a quick ‘n’ dirty way to find new IPs:
    $ sudo nmap -sP 192.168.1.0/24 -oG – | grep “^Host” > file1
    (turn on your new device)
    $ sudo nmap -sP 192.168.1.0/24 -oG – | grep “^Host” > file2
    $ diff file1 file2

      1. you can have it running on raspberry so you have the html page always updated and available… or feed an exec node with an inject one which scans on request, but you need to give a file to store/retrieve previous scans on command line to have it working reliably

        i can help once back home, in case…

          1. mmm, probably… but i think if i’ve time i’ll strip out the NMAP network scan part from the flow which is just a few comments below this (that ET DISPLAY HOME), and try to make a dashboard ui just with that, without the tasmota and espeasy parts… as it already works, why reinvent the wheel?

          2. the other method usable is the tcpdump command in last comments here… i use that now, when connecting a new device, i put in to monitor udp port 67, as soon as a dhcp request (with mac) is followed by an offer (with ip), i get both immediately…

            you can even add an “udp listener” node in a flow, on udp port 67, and pipe it to a debug node, but of the 3 modes selectable in that node, none of them produced a readable output, i didn’t go further in investigating that…

  3. Tail your DHCP server logs?

    My router runs OpenWRT, so getting the dnsmasq log is trivial. Many routers can log to a syslog server, eg on a Pi, so getting their logs should be doable as well.

    arpwatch will alert on any new MAC addresses seen, could run that on a Pi too. Would also catch static IP addresses.

  4. we can use the flow i published a few days ago, as said i got it working with little tweaks… it does MUCH more, it shows a lot of info about tasmota and espeasy devices and allows to update them, but we can reduce that flow to do just device detection, it already works as said, but requires both nmap and sqlite to store the actual devices found and update the list with new ones…

    https://tech.scargill.net/sonoff-tasmota-and-alexa/#comment-47827

    1. just tried my network, fing seems very nice 😀
      i installed the CLI windows version on previous links, then run in console:

      fing -o table,html,test.html

      this produces an html page named test.html which is updated every minute (you can change this with other switches on command line, i suppose), so you just need to open it and wait: no need to hit f5 in browser, as page has an automatic refresh every 60s… can run on linux, too, and as a service in windows… tons of other options, too

      this command will ask you what to do, live:

      fing –interactive

      look here: https://www.youtube.com/watch?v=WGtwrL2-0n8

      1. how to install fing on raspberry: https://help.fing.io/knowledge-base/steps-installation-process/

        command line help: https://www.real-world-systems.com/docs/fing.1.html

        but if you run the interactive version and answer its questions, it will give you the complete command line to run, so you just need to copy that in some starting up file like rc.local (DON’T forget to add an ampersand at the end of the command line to put the running process in background, or you’ll never reach your prompt login otherwise!)

          1. Sorry, I added the reply under the wrong post, I was wondering how to view the test.html page you created in the previous post, I’ve run the same command on my Pi.

  5. I use pi.hole on my network for Ad blocking and also DHCP. I then use node-red on the same Raspberry Pi to look at the arp entries and that gives me presence detection.

    It would not be too hard to write the list of MACs and IPs to a database with a timestamp.

  6. Can’t your router email you any changes to the network?
    My Fritzbox sends me emails about what’s changed.
    So if I connect a new ESP, it sends me the IP-address, hostname and MAC. (+ time ofcourse)

    Fing is also possible to keep track of changes since last scan, but I find the app to be a lot less useful lately. It used to work way better. Not sure what changed (Android or Fing), but now it messes up my found devices since it no longer recognizes a different network. So I do see all devices from work in my own list. It used to be working pretty fine.

  7. Fing is the best Peter or wireshark. But mainly Fing as got a new device from Kmart Australia. It look like sonoff, but used phillips Hue bridge. Also uses the good old esp8266 chip. The software it used was Genio very much like Ewelink too. Anyway Fing on Android is the go.

  8. i installed fing on my system and added this line to /etc/rc.local (before last exit 0):

    sudo fing -n 192.168.1.254/24 –session /home/pi/.node-red/public/session.txt -o table,html,/home/pi/.node-red/public/devices.html &

    /home/pi/.node-red/public is the folder defined in settings.json using Pete’s script for static content served by nodered via http

    then i just point my browser to http://ip:1880/devices.html and have my devices right there…

    you can also put same file under /var/www/html and have it server by apache, choice is up to you

    p.s.: once downloaded the fing .zip file from original site and installed the correct deb file using dpkg, it complained about a missing lib… a little google search will help you to find it out which one and how to install…

      1. old install that you’ve found…

        download latest linux zip file and uncompress it:
        wget https://www.fing.com/images/uploads/general/CLI_Linux_Debian.zip
        unzip CLI_Linux_Debian.zip

        check your architecture, should be something similar to armXXX for raspberry:
        uname -r && ls fing*deb

        so usually you should install this package:
        sudo dpkg -i fing-5.3.3-arm64.deb

        if it complains, try the previous package:
        sudo dpkg -i fing-5.3.3-armhf.deb

        try running fing
        sudo fing

        if it complains about missing libs, tell me what and we’ll see, btw i think this is needed:
        sudo apt-get install -y libpcap-dev

  9. I just list my current DHCP leases on the router by time left until expiration. You can then see which devices grabbed the most recent addresses. Simple on a Mikrotik, I assume there’s a table on most other routers?

  10. If your router supports SNMP, you can use that to query connected devices. A simple script can periodically query the router for a list of connected devices and track recently connected ones. There may be a way to directly list recently connected devices and/or show the time they were connected, I’m not sure.

    I use a similar query with SNMP to determine when people are home, by checking whether or not their phone is connected to wifi.

  11. VERY basic flow to have those devices in nodered, instead of a separate page…

    i’m using this command line to generate the json every minute, under the folder which is shared by home assistant (same as the static folder of nodered, feel free to change the path accordingly and of course the url)

    sudo fing -n 192.168.1.254/24 –session /usr/share/hassio/homeassistant/www/session.txt -o table,json,/usr/share/hassio/homeassistant/www/devices.json

    which will give me this json url: http://192.168.1.254:8123/local/devices.json

    this is the flow, calling http://192.168.1.254:1880/aa will give you the page as in screenshot (you need to add to your nodes the TABLEIFY one: https://flows.nodered.org/node/node-red-contrib-tableify )

    [{“id”:”34274c82.e85ad4″,”type”:”http request”,”z”:”cc5d8856.f54218″,”name”:””,”method”:”GET”,”ret”:”txt”,”url”:”http://192.168.1.254:8123/local/devices.json”,”tls”:””,”x”:280,”y”:400,”wires”:[[“872ee485.f55f68”]]},{“id”:”872ee485.f55f68″,”type”:”json”,”z”:”cc5d8856.f54218″,”name”:””,”property”:”payload”,”action”:””,”pretty”:false,”x”:460,”y”:420,”wires”:[[“e4d49afc.d35e78”]]},{“id”:”e4d49afc.d35e78″,”type”:”tableify”,”z”:”cc5d8856.f54218″,”name”:””,”before”:””,”after”:””,”tableStyle”:””,”theadStyle”:””,”tbodyStyle”:””,”trStyle”:””,”tdStyle”:””,”x”:580,”y”:340,”wires”:[[“4259c68b.d5b018”]]},{“id”:”4259c68b.d5b018″,”type”:”http response”,”z”:”cc5d8856.f54218″,”name”:””,”statusCode”:””,”headers”:{},”x”:740,”y”:340,”wires”:[]},{“id”:”851e49c7.be5bd8″,”type”:”http in”,”z”:”cc5d8856.f54218″,”name”:””,”url”:”/aa”,”method”:”get”,”upload”:false,”swaggerDoc”:””,”x”:130,”y”:340,”wires”:[[“34274c82.e85ad4”]]}]

  12. My network is a bit more complex to rely on a single scanner. With 3 different isolated vlans (my own lan, guest, IOT devices), I am relying on my little yet powerful Ubiquiti Edgerouter.
    With a single script (https://community.ubnt.com/t5/EdgeRouter/DHCP-on-lease-script/td-p/1099275), I managed to change the script to call a Node Red web hook and from there, it’s magic. Email notification, turn on a light, play “Welcome back – guest” to one of my returning friends. I use Pushbullet too.

  13. Try
    sudo tcpdump -v port 67

    and then switch the device on. You should pick up the broadcast DHCP DISCOVER and REQUEST packages. All the information should be displayed.

    Here’s an example:

    # tcpdump -np -v port 67
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
    22:23:53.426801 IP (tos 0x0, ttl 255, id 0, offset 0, flags [none], proto UDP (17), length 336)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:dd:c2:0d:ec:14, length 308, xid 0xcbf9ab86, Flags [none]
    Client-Ethernet-Address bc:dd:c2:0d:ec:14
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Discover
    MSZ Option 57, length 2: 1500
    Hostname Option 12, length 10: “ESP_0DEC14”
    Parameter-Request Option 55, length 12:
    Subnet-Mask, Default-Gateway, BR, Domain-Name-Server
    Domain-Name, Netbios-Name-Server, Netbios-Node, Netbios-Scope
    Router-Discovery, Static-Route, Classless-Static-Route, Vendor-Option
    22:23:53.435853 IP (tos 0x0, ttl 255, id 1, offset 0, flags [none], proto UDP (17), length 336)
    0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:dd:c2:0d:ec:14, length 308, xid 0x7bc2029, Flags [none]
    Client-Ethernet-Address bc:dd:c2:0d:ec:14
    Vendor-rfc1048 Extensions
    Magic Cookie 0x63825363
    DHCP-Message Option 53, length 1: Request
    MSZ Option 57, length 2: 1500
    Requested-IP Option 50, length 4: 192.168.31.45
    Server-ID Option 54, length 4: 192.168.31.61
    Parameter-Request Option 55, length 12:
    Subnet-Mask, Default-Gateway, BR, Domain-Name-Server
    Domain-Name, Netbios-Name-Server, Netbios-Node, Netbios-Scope
    Router-Discovery, Static-Route, Classless-Static-Route, Vendor-Option
    Hostname Option 12, length 10: “ESP_0DEC14”

    In the above case the device has been given IP 192.168.31.45

    1. great! Googling this i’ve found a more concise version (https://www.algissalys.com/tech-notes/dhcp-filters-using-tcpdump-to-extract-ip-and-mac-address):

      sudo tcpdump -l -s 0 -n -vvv ‘((udp port 67) and (udp[8:1] = 0x1))’ | grep -E -i ‘requested-ip|client-id’

      which produced:

      tcpdump: listening on enp1s0, link-type EN10MB (Ethernet), capture size 262144 bytes

      Client-ID Option 61, length 7: ether f4:60:e2:xx:xx:xx
      Requested-IP Option 50, length 4: 192.168.1.233

  14. hello Pete

    thanks for the work you and Mr.Shark have done on setting up this project.

    Have managed to get it all done as per your instructions on my setup via “The script”
    No problems except my permanent one of permissions. Have the output into a template on my node-red dashboard.
    Have at last cracked my problem of permissions and owner in Linux . This site has the best description of chmod I have seen maybe of interest to others with similar problems.
    https://www.maketecheasier.com/file-permissions-what-does-chmod-777-means/

    1. what problem did you have with permissions? Usually starting from script (so they’re already correct) and updating as usual with npm does not change them…

      i know what 777 (and 666 🙂 ) means, as a long time “penguin”, and both are “evil” in the eyes of a unix taleban… better to use 775 and 664, and change the group of the desired files/folders accessible to that group (in which put the owner of the files/folders), than opening the “legs” to the full world…

      but as i’m a pragmatic penguin and i know 99% of these installs are just for us (even wives use the ending part of all this work and regret if something is wrong, but don’t mess with filesystems), and none will ever access our consoles, well, then even 777 and 666 can be useful in extreme cases…

      but KNOWING what those little numbers are is just good, you’re right in pointing at articles like that…

  15. Hello Pete

    help required. I have set up in node-red dashboard an exec with button which I use to
    start fing running by ./fing.sh, works fine and I get a pid number, also the dashboard
    displays the table and updates every 1 minute.

    now I want to stop this by another button. The trouble for me is the PID number changes so I must kill the process by name. I tried # pkill fing but nothing happened
    and got a return 0

    Anyone an idea how to terminate this process????

  16. Hello Mr Shark
    other permission problem to make entries in rc.local have not managed that always refused
    also in my Public file the session files are owned by root, all my files are pi

    regards

  17. hello Antonio

    as you are the Linux Guru I have a problem with my fing sudo command to

    start the discovery sequence. It has upto now been working with no problem.

    Today I did an update on nodes and since then every time I do a sudo it asks me for

    the password. The exec node gives a return message of Command failed: ./fing.sh

    sudo: a password is required. I am or was pi.

    can you help?

    regards

  18. hello Antonio

    Thanks for the quick reply see attached screen clip

    echo “pi ALL=(ALL) NOPASSWD: ALL” > /etc/sudoers.d/pi

    This directory etc/sudoers/ had garbage in it no pi

    I dont know how this happen as checking all my other backup SD’s its there.

    SD card ???? bad write?

    Its only missing on this card which is now in the bin.

    will finish checking programm run and copy onto emmc

    regards and many thanks to you and Pete for all your help

  19. hello Antonio

    Iv cleared my problem with fing as per last comment.

    I decided to do one more sd card this time using your newer script.

    When I ran wget script

    root@orangepiplus2e:~# wget –no-check-certificate https://bitbucket.org/snippet s/scargill/qexexb/the-script-2019#script.sh-381
    –2019-03-03 20:03:23– https://bitbucket.org/snippets/scargill/qexexb/the-scri pt-2019
    Resolving bitbucket.org (bitbucket.org)… 2406:da00:ff00::22c5:2ef4, 2406:da00: ff00::22cd:e0db, 2406:da00:ff00::22c3:9b0a, …
    Connecting to bitbucket.org (bitbucket.org)|2406:da00:ff00::22c5:2ef4|:443… co nnected.
    HTTP request sent, awaiting response… 200 OK
    Length: 286602 (280K) [text/html]
    Saving to: ‘the-script-2019’
    This is the doc file not the sh file

    what did I do wrong in get command???

    regards

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.