Add local network scanning feature (ARP) #1557
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…atrix Signed-off-by: DL6ER <dl6er@dl6er.de>
… also here Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Is it expected that I need
|
A few remarks.
Skipped interface docker0 (172.17.0.1/16)
Can you print somewhere in the output why it was skipped? Something like: "Skipped interface because it's outside of /24. Use `-a` to scan all IP addresses."
- In the verbose output the ordering is confusing, as it says it's scanning, then some other interfaces are skipped and finally the result is printed. I would expect a consecutive scanning and corresponding output.
Skipped interface lo (127.0.0.1/8)
Scanning interface eno1 (10.0.1.5/24)...
Skipped interface br-8f8a772de3d9 (192.168.32.1/20)
Scanning interface wg0 (10.0.40.1/24)...
Skipped interface docker0 (172.17.0.1/16)
Skipped interface br-cdc97c33a83b (172.20.0.1/16)
No devices found on interface wg0 (10.0.40.1/24)
ARP scan on interface eno1 (10.0.1.5/24) finishe
-
When not in verbose mode, there is no indication that the scan is still running. It can take a few seconds to finish the scan where nothing seems to happen. Maybe we don't need the verbose mode but add the extra output by default?
-
Your warning showed a duplicate entry with two devices using the same IP (but different MAC). I also got a warning, but no duplicate entries. What does this mean?
10.0.1.59 eno1 N/A 3c:97:0e:13:36:c0 X X X X X X X X X X
10.0.1.68 eno1 N/A b8:27:eb:33:0b:31 X X X X X X X X X X
WARNING: Received multiple replies for 10.0.1.68
10.0.1.71 eno1 N/A dc:a6:32:a4:9c:a4 X X X X X X X X X X
Signed-off-by: DL6ER <dl6er@dl6er.de>
@yubiuser Thanks for your review.
I could completely rewrite the entire output to be routed through the "mother process" rather than through the individual threads to make the output more ordered and to also add some progress indication. However, it would actually be a lot of work and make the code a lot less easy to read and maintain because we never really print but would have to send some stuff indirectly through shared memory to the main process from each thread. What do you think? If you think this is still necessary, |
…ntly) the same device or if we received replies for the same address from different MAC addresses Signed-off-by: DL6ER <dl6er@dl6er.de>
Mhh.. I
|
Still sudo required.
|
It seems this one is sending multiple replies.
|
I like that. I still think the verbose mode could be the default
|
I'm actually working on consolidating the output ... |
Signed-off-by: DL6ER <dl6er@dl6er.de>
There is a bit of duplicate in the new output
Second run
Notice also the extra final It's worse with
|
…ned by the individual threads Signed-off-by: DL6ER <dl6er@dl6er.de>
…beat Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…actually use this space so we need to reserve enough space here Signed-off-by: DL6ER <dl6er@dl6er.de>
I tested the branch inside a The duplication is happening: Also, the interface name is very strange: Edit: |
Signed-off-by: DL6ER <dl6er@dl6er.de>
I changed the progress output, it should be less crowded but still show some updates every second.
@rdwebdesign This is interesting, I can only assume the interface name is somehow not set at all and the docker kernel returns a random (but non-empty) string for the name. Which networking mode did you use? Does it happen with other modes, too? I have not tried it inside a container. My assumption would be that the inside of the container does not have sufficient permission to do the scanning on the host's networking interface. It'd be a possibility to sniff traffic from the host inside the container, otherwise.
macvlan
I didn't test using other modes, but I can do it later.
I'm not sure what's wrong, but I think the container always has the same interface name. This is the output of
For testing purposes I installed Also, the debug log always shows the correct interface. |
Signed-off-by: DL6ER <dl6er@dl6er.de>
Nice:
|
…nterface name Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
The number of
|
I agree. Maybe we should replace the "Replay Matrix" with "Reply %" (even for normal scans). Something like this:
|
Signed-off-by: DL6ER <dl6er@dl6er.de>
The new "Reply Rate" looks a lot better than the matrix, especially when using the
…face scans as possible under these conditions Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
I still need to sudo to use this command. I get the following if I don't use Sudo:
When I do run this with Sudo, I get N/A for almost all hostnames (except for two clients that I have named in hosts and the pihole itself). Pihole is also the only DHCP server on my network:
How can I get the hostnames displayed in the output of this command? |
This is the expected and correct behaviour since we switched to the native |
We will need to update the man page for pihole-FTL to describe this function and provide the proper command syntax. |
@yubiuser is N/A value for the hostname the correct behaviour? |
|
@DL6ER The Pihole is the DHCP server (Resolver?)? Is there something else that I need to change? |
@AJ Check |
@DL6ER I'm sorry. I don't know how to do this? I do remember configuring the Pihole address somewhere but it was a while ago so I don't remember where exactly I'd set the Pihole's static IP. I also removed all static entries from my router when I changed the DHCP server to the Pihole. On my Pihole, /etc/resolv.conf has two nameserver entries (with Cloudflare's IPs against them). I'm also not sure why this is as I have Quad9 as my DNS servers in the Pihole Admin interface. Should I replace the entries in /etc/resolv.conf or make a change elsewhere?
@AJ This is a general system configuration problem and nothing really related to this issue. The answer to your question will depend on a few more bits and pieces (e.g. operating system, is this a Raspberry Pi, ...) and cannot be answered without. It would clutter this thread without any real benefit for future readers. I'd strongly suggest you open a discussion on our forum https://discourse.pi-hole.net where we have thousands of users with all kinds of systems so your particular issue can really be best resolved there. I will hide the posts in this discussion at some point. |
I can verify the same issue. I didn't get any hostnames either. |
@Danathar as said above, this is not an issue but comes from the particular configuration of your machine running Pi-hole. If you did not set up your Pi-hole to use itself as resolver during static IP configuration, this is expected and correct. |
Yea, I see my mistake now. I had my resolver set wrong in /etc/resolv.conf.
On Jun 17, 2023, at 7:21 AM, DL6ER ***@***.***> wrote:
> @Danathar as said above, this is not an issue but comes from the particular configuration of your machine running Pi-hole. If you did not set up your Pi-hole to use itself as resolver during static IP configuration, this is expected and correct.
|
What does this implement/fix?
Add a new network scanning feature that uses the ARP protocol to discover IPv4 hosts on the local network. Its main purpose will be to detect IP conflicts when more than one device claims the same address. Secondary use cases can be scanning for currently unused addresses as well as some kind of reliability test for the responsiveness of devices.
The `arp-scan` feature can be invoked via `pihole-FTL arp-scan` and will by default scan any /24 (or smaller) networks. When invoking it as `pihole-FTL arp-scan -a`, the CIDR limitation is not made and all networks are scanned. Note, however, that this can take considerably more time as every IP address needs to be scanned individually so scanning, e.g., `127.0.0.1/8` means 16777216 individual addresses need to be probed.
The result will either be
or a list of found devices, e.g.,
The first three columns should be pretty self-explanatory, the reply matrix needs a bit of clarification. By default, FTL performs 10 individual ARP scans. Every time a device replies, it is marked with `X`. When no reply is received, `-` is printed instead. In the example above, the first three devices are connected via Ethernet (cable). They responded to every request. The fourth device is a device connected via WiFi. You can see here that not every packet was delivered (there is no method for resending "lost" ARP packets). The fifth device is at the edge of the WiFi signal coverage. It replied only to two out of ten requests (20% link "quality").
Whenever there is a conflict, this will be clearly accompanied by a warning such as:
Related issue or feature (if applicable): N/A
Pull request in docs with documentation (if applicable): N/A
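The reply-matrix and conflict bookkeeping described above can be sketched as follows. This is an added example, not code from this pull request or from pihole-FTL: the struct layout, `MAX_MACS`, the function names and the sample replies are assumptions made for illustration, and no packets are sent.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ROUNDS 10   /* default number of ARP scans, per the description */
#define MAX_MACS 4  /* assumption: distinct MACs tracked per IP */
struct reply { int round; const char *ip, *mac; };  /* one received ARP reply */
struct host {
    const char *macs[MAX_MACS];
    int n_macs;               /* distinct MACs that answered for this IP */
    bool dup_reply;           /* more than one reply within a single round */
    char matrix[ROUNDS + 1];  /* 'X' = replied, '-' = no reply */
};
/* Fold every reply for one IP into its reply matrix and MAC list */
struct host summarize(const char *ip, const struct reply *r, size_t n) {
    struct host h = { .n_macs = 0 };  /* zero-init keeps matrix terminated */
    memset(h.matrix, '-', ROUNDS);
    for (size_t i = 0; i < n; i++) {
        if (strcmp(r[i].ip, ip) || r[i].round < 0 || r[i].round >= ROUNDS) continue;
        if (h.matrix[r[i].round] == 'X') h.dup_reply = true;
        h.matrix[r[i].round] = 'X';
        int k = 0;
        while (k < h.n_macs && strcmp(h.macs[k], r[i].mac)) k++;
        if (k == h.n_macs && k < MAX_MACS) h.macs[h.n_macs++] = r[i].mac;
    }
    return h;
}
int reply_rate(const struct host *h) {  /* percent of rounds answered */
    int hits = 0;
    for (int i = 0; i < ROUNDS; i++) hits += h->matrix[i] == 'X';
    return 100 * hits / ROUNDS;
}
/* Different MACs for one IP is a conflict; repeats from one MAC are not */
bool ip_conflict(const struct host *h) { return h->n_macs > 1; }
/* Constructed sample replies: documentation addresses, made-up MACs */
const struct reply SAMPLE[] = {
    {0, "192.0.2.10", "02:00:00:00:00:0a"}, {1, "192.0.2.10", "02:00:00:00:00:0a"},
    {0, "192.0.2.20", "02:00:00:00:00:14"}, {0, "192.0.2.20", "02:00:00:00:00:99"},
    {3, "192.0.2.30", "02:00:00:00:00:1e"}, {3, "192.0.2.30", "02:00:00:00:00:1e"},
};
const size_t N_SAMPLE = sizeof SAMPLE / sizeof SAMPLE[0];
int main(void) {
    const char *ips[] = {"192.0.2.10", "192.0.2.20", "192.0.2.30"};
    for (int i = 0; i < 3; i++) {
        struct host h = summarize(ips[i], SAMPLE, N_SAMPLE);
        printf("%-11s %s %3d%%%s\n", ips[i], h.matrix, reply_rate(&h),
               ip_conflict(&h) ? "  WARNING: different MACs replied" : "");
    }
    return 0;
}
```

The third sample host answers twice in one round from the same MAC, so `dup_reply` is set but no conflict is reported; only the second host, answered by two different MACs, is flagged.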