Add local network scanning feature (ARP) #1557

Merged
merged 23 commits into from
May 20, 2023

@DL6ER DL6ER commented May 13, 2023

What does this implement/fix?

Add a new network scanning feature that uses the ARP protocol to discover IPv4 hosts on the local network. Its main purpose will be to detect IP conflicts when more than one device claims the same address. Secondary use cases can be scanning for currently unused addresses as well as some kind of reliability test for the responsiveness of devices.

The arp-scan feature can be invoked via pihole-FTL arp-scan and will by default scan any /24 (or smaller) networks. When invoking it as pihole-FTL arp-scan -a, the CIDR limitation is not made and all networks are scanned. Note, however, that this can take considerably more time as every IP address needs to be scanned individually, so scanning, e.g., 127.0.0.1/8 means 16777216 individual addresses need to be probed.

The result will either be

No devices found on interface wg0 (192.168.4.1/24)

or a list of found devices, e.g.,

IP address       Interface  Hostname                 MAC address        Reply matrix
192.168.2.1      enp2s0     fritz.box                3c:a6:2f:35:34:95  X X X X X X X X X X
192.168.2.2      enp2s0     fritz.7590               3c:a6:2f:36:1f:48  X X X X X X X X X X
192.168.2.3      enp2s0     fritz.repeat             22:a6:2f:14:4a:89  X X X X X X X X X X
192.168.2.4      enp2s0     N/A                      32:3a:44:34:4f:1f  X - - - X X X X X -
...
192.168.2.107    enp2s0     Teufel.lan               c8:c9:a3:23:18:f3  - - - - - X - - X -
...

The first three columns should be pretty self-explanatory, the reply matrix needs a bit of clarification. By default, FTL performs 10 individual ARP scans. Every time a device replies, it is marked with X. When no reply is received, - is printed instead. In the example above, the first three devices are connected via Ethernet (cable). They responded to every request. The fourth device is a device connected via WiFi. You can see here that not every packet was delivered (there is no method for resending "lost" ARP packets). The fifth device is at the edge of the WiFi signal coverage. It replied only to two out of ten requests (20% link "quality").

Whenever there is a conflict, this will be clearly accompanied by a warning such as:

...
192.168.2.4      enp2s0     N/A                      d0:44:71:41:81:44  X X - - - - X X X X
192.168.2.4      enp2s0     N/A                      32:3a:44:34:4f:1f  X - - - X X X X X -
WARNING: Received multiple replies for 192.168.2.4
...

Related issue or feature (if applicable): N/A

Pull request in docs with documentation (if applicable): N/A


By submitting this pull request, I confirm the following:

  1. I have read and understood the contributors guide, as well as this entire template. I understand which branch to base my commits and Pull Requests against.
  2. I have commented my proposed changes within the code.
  3. I am willing to help maintain this change if there are issues with it later.
  4. It is compatible with the EUPL 1.2 license
  5. I have squashed any insignificant commits. (git rebase)

Checklist:

  • The code change is tested and works locally.
  • I based my code and PRs against the repository's developmental branch.
  • I signed off all commits. Pi-hole enforces the DCO for all contributions
  • I signed all my commits. Pi-hole requires signatures to verify authorship
  • I have read the above and my PR is ready for review.

DL6ER added 2 commits May 13, 2023 12:40
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER DL6ER requested a review from a team May 13, 2023 20:05
DL6ER added 4 commits May 13, 2023 22:22
Signed-off-by: DL6ER <dl6er@dl6er.de>
… also here

Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
@yubiuser
Member

Is it expected that I need sudo to run this new command? Otherwise I get

pi@s740:~$ pihole-FTL arp-scan
Discovering IPv4 hosts on the network using the Address Resolution Protocol (ARP)...

Skipped interface lo (127.0.0.1/8)
Unable to create socket for ARP communications on interface eno1: Operation not permitted
Skipped interface docker0 (172.17.0.1/16)
Unable to create socket for ARP communications on interface wg0: Operation not permitted
Skipped interface br-8f8a772de3d9 (192.168.32.1/20)
Skipped interface br-cdc97c33a83b (172.20.0.1/16)

@yubiuser yubiuser left a comment

A few remarks.

  1. Skipped interface docker0 (172.17.0.1/16)
    Can you print somewhere in the output why it was skipped. Something like: "Skipped interface because it's outside of /24. Use -a to scan all IP addresses."
  2. In the verbose output the ordering is confusing, as it says it's scanning, then some other interfaces are skipped and finally the result is printed. I would expect a consecutive scanning and corresponding output.
Skipped interface lo (127.0.0.1/8)
Scanning interface eno1 (10.0.1.5/24)...
Skipped interface br-8f8a772de3d9 (192.168.32.1/20)
Scanning interface wg0 (10.0.40.1/24)...
Skipped interface docker0 (172.17.0.1/16)
Skipped interface br-cdc97c33a83b (172.20.0.1/16)
No devices found on interface wg0 (10.0.40.1/24)
ARP scan on interface eno1 (10.0.1.5/24) finishe
  3. When not in verbose mode, there is no indication that the scan is still running. It can take a few seconds to finish the scan where nothing seems to happen. Maybe we don't need the verbose mode but add the extra output by default?

  4. Your warning showed a duplicate entry with two devices using the same IP (but different MAC). I also got a warning, but no duplicate entries. What does this mean?

10.0.1.59        eno1       N/A                      3c:97:0e:13:36:c0  X X X X X X X X X X
10.0.1.68        eno1       N/A                      b8:27:eb:33:0b:31  X X X X X X X X X X
WARNING: Received multiple replies for 10.0.1.68
10.0.1.71        eno1       N/A                      dc:a6:32:a4:9c:a4  X X X X X X X X X X

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Member Author

DL6ER commented May 15, 2023

@yubiuser Thanks for your review.

sudo is required: Yes and No. More on the No side, actually.
Scanning the network is a low-level network operation that needs raw access to the network interfaces. Only root can do this. However, being equipped with the capabilities FTL gets added, it should be able to do this without root. But this applies only to properly installed pihole-FTL binaries, not, e.g., ones simply downloaded from the binary server.

  1. I had this initially but it makes the output less readable. Maybe we print once "Networks larger than /24 will be skipped unless -a is specified"-like?

  2. This is not really possible. Scanning the network is a rather time-consuming endeavor. Hence, we multi-thread the entire process. FTL launches individual threads - one for each interface to be scanned. The logging behavior of these threads is now more or less random, they will print in the order the CPU schedules computing time for them. In modern computers, they may all run at the same time.

  3. There is no progress report because each thread would have to report progress individually and this is then going to fill your screen rather quickly as you may have five individual threads printing progress independent from one another. Even if we print only every 10% progress, this would quickly escalate to printing 5*10 = 50 lines of text. To make this a bit clearer, I just added progress reporting in -v mode.

  4. "Received multiple replies for 10.0.1.68" is a rather interesting result. It means that we received more than one reply in at least one of the scans. The issue I have demonstrated in my own local tests is when you have two devices with identical MAC addresses claiming the same IP address. This has happened to me once with two Raspberry Pis with identical SD cards where the MAC has been configured manually. Another time this happened to me with two ESP8266 which (by pure chance!) really had the same MAC by factory and have been really unreliable on the WiFi.

    However, this could also happen if the system sent out an ARP request to the same device during the test and FTL receives both replies (one to the request it made itself and then one to the system's request FTL isn't aware of). This could be ignored in this case, however, there is no way (except running the arp-scan again a bit later) to safely assess this is the case.

    edit I furthermore ensured we are printing different warnings if we received multiple replies from (apparently) the same device or if we received replies for the same address from different MAC addresses to hopefully reduce confusion. Could you test again in your network?

I could completely rewrite the entire output to be routed through the "mother process" rather than through the individual threads to make the output more ordered and to also add some progress indication. However, it would actually be a lot of work and make the code a lot less easy to read and maintain because we never really print but would have to send some stuff indirectly through shared memory to the main process from each thread. What do you think? If you think this is still necessary,

…ntly) the same device or if we received replies for the same address from different MAC addresses

Signed-off-by: DL6ER <dl6er@dl6er.de>
@yubiuser
Member

Mhh.. I checkout the branch which triggers a service restart which itself should set the capabilities. I will see now after running -up.

  1. Printing it once would be enough.
  2. Ok
  3. To make this a bit clearer, I just added progress reporting in -v mode.
    I'll check.

  4. It's an RPi (3 I think) which has only wifi connection.

@yubiuser
Member

Still sudo required.


 [✓] Update complete! 

  Current Pi-hole version is development v5.16.2-44-g614554f2
  Current AdminLTE version is devel v5.19-48-g800ec66d
  Current FTL version is new/arp-scan vDev-1e0f20b
pi@s740:~$ pihole-FTL arp-scan
Discovering IPv4 hosts on the network using the Address Resolution Protocol (ARP)...

Unable to create socket for ARP communications on interface wg0: Operation not permitted
Unable to create socket for ARP communications on interface eno1: Operation not permitted
Skipped interface docker0 (172.17.0.1/16)
Skipped interface lo (127.0.0.1/8)
Skipped interface br-8f8a772de3d9 (192.168.32.1/20)
Skipped interface br-cdc97c33a83b (172.20.0.1/16)
pi@s740:~$ pihole restartdns 
  [✓] Restarting DNS server
pi@s740:~$ pihole-FTL arp-scan
Discovering IPv4 hosts on the network using the Address Resolution Protocol (ARP)...

Skipped interface lo (127.0.0.1/8)
Unable to create socket for ARP communications on interface wg0: Operation not permitted
Unable to create socket for ARP communications on interface eno1: Operation not permitted
Skipped interface br-8f8a772de3d9 (192.168.32.1/20)
Skipped interface docker0 (172.17.0.1/16)
Skipped interface br-cdc97c33a83b (172.20.0.1/16)

@yubiuser
Member

yubiuser commented May 15, 2023

It seems this one is sending multiple replies.

10.0.1.68        eno1       N/A                      b8:27:eb:33:0b:31  X X X X X X X X X X
WARNING: Received multiple replies for 10.0.1.68 in 1 scan

.59 and .182 are the same Laptop, connected by ethernet and wifi

10.0.1.59        eno1       N/A                      3c:97:0e:13:36:c0  X X X X X X X X X X
10.0.1.59        eno1       N/A                      80:86:f2:9c:57:16  - - - - - - - X - -
WARNING: Received replies for 10.0.1.59 from 2 devices
10.0.1.68        eno1       N/A                      b8:27:eb:33:0b:31  X X X X X X X X X X
10.0.1.71        eno1       N/A                      dc:a6:32:a4:9c:a4  X X X X X X X X X X
10.0.1.182       eno1       N/A                      3c:97:0e:13:36:c0  X X X X X X X X X X
10.0.1.182       eno1       N/A                      80:86:f2:9c:57:16  - - - - - - - X - -
WARNING: Received replies for 10.0.1.182 from 2 devices
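
The two warnings in the output above separate repeated replies from one MAC address from replies sent by different MAC addresses. One way to make that distinction from a list of received ARP replies, as an added example (not pihole-FTL's code); the struct and function names are hypothetical, `MAX_MACS` is an assumption, and the reply list is constructed, partly from addresses quoted in this thread:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_SCANS  10 /* the thread states FTL performs 10 scans by default */
#define MAX_MACS   4  /* assumption: distinct responders tracked per IP */
#define SAMPLE_MAX 32
#define IP4(a, b, c, d) \
    (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))

/* One received ARP reply: scan round, claimed IPv4 address, sender MAC */
struct arp_reply { unsigned scan; uint32_t ip; uint8_t mac[6]; };

enum verdict { NO_REPLY, SINGLE_DEVICE, MULTIPLE_REPLIES_SAME_MAC, MULTIPLE_DEVICES };

/* Per-IP tally: replies[m][s] counts replies from macs[m] in scan round s */
struct ip_tally {
    unsigned n_macs;
    uint8_t macs[MAX_MACS][6];
    unsigned replies[MAX_MACS][NUM_SCANS];
};

/* Build the tally for one IP address from a flat list of replies */
static void tally_ip(const struct arp_reply *r, size_t n, uint32_t ip, struct ip_tally *t)
{
    memset(t, 0, sizeof(*t));
    for (size_t i = 0; i < n; i++) {
        if (r[i].ip != ip || r[i].scan >= NUM_SCANS)
            continue;
        unsigned m = 0;
        while (m < t->n_macs && memcmp(t->macs[m], r[i].mac, 6) != 0)
            m++;
        if (m == MAX_MACS)
            continue; /* table full: ignore further responders */
        if (m == t->n_macs)
            memcpy(t->macs[t->n_macs++], r[i].mac, 6);
        t->replies[m][r[i].scan]++;
    }
}

/* Different MACs answering for one IP outranks duplicate replies from one MAC */
static enum verdict classify(const struct ip_tally *t)
{
    if (t->n_macs == 0)
        return NO_REPLY;
    if (t->n_macs > 1)
        return MULTIPLE_DEVICES;
    for (unsigned s = 0; s < NUM_SCANS; s++)
        if (t->replies[0][s] > 1)
            return MULTIPLE_REPLIES_SAME_MAC;
    return SINGLE_DEVICE;
}

/* Percentage of scan rounds in which macs[m] answered at least once */
static unsigned reply_rate(const struct ip_tally *t, unsigned m)
{
    unsigned hit = 0;
    for (unsigned s = 0; s < NUM_SCANS; s++)
        hit += t->replies[m][s] > 0;
    return hit * 100 / NUM_SCANS;
}

static void add(struct arp_reply *out, size_t *n, unsigned scan, uint32_t ip, const uint8_t *mac)
{
    out[*n].scan = scan;
    out[*n].ip = ip;
    memcpy(out[*n].mac, mac, 6);
    (*n)++;
}

/* Constructed sample; 10.0.1.250 and its MAC do not appear in the thread */
static size_t build_sample(struct arp_reply *out)
{
    const uint8_t eth[6]  = {0x3c, 0x97, 0x0e, 0x13, 0x36, 0xc0};
    const uint8_t wifi[6] = {0x80, 0x86, 0xf2, 0x9c, 0x57, 0x16};
    const uint8_t rpi[6]  = {0xb8, 0x27, 0xeb, 0x33, 0x0b, 0x31};
    const uint8_t weak[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    size_t n = 0;
    for (unsigned s = 0; s < NUM_SCANS; s++) {
        add(out, &n, s, IP4(10, 0, 1, 59), eth);
        add(out, &n, s, IP4(10, 0, 1, 68), rpi);
    }
    add(out, &n, 7, IP4(10, 0, 1, 59), wifi);  /* second MAC claims .59 once */
    add(out, &n, 3, IP4(10, 0, 1, 68), rpi);   /* same MAC answers twice in round 3 */
    add(out, &n, 5, IP4(10, 0, 1, 250), weak); /* lossy link: 2 of 10 rounds */
    add(out, &n, 8, IP4(10, 0, 1, 250), weak);
    return n;
}

int main(void)
{
    static const char *names[] = {"no reply", "single device",
                                  "multiple replies, same MAC", "replies from multiple devices"};
    const uint32_t ips[] = {IP4(10, 0, 1, 59), IP4(10, 0, 1, 68), IP4(10, 0, 1, 250), IP4(10, 0, 1, 99)};
    struct arp_reply sample[SAMPLE_MAX];
    size_t n = build_sample(sample);
    for (size_t i = 0; i < sizeof(ips) / sizeof(ips[0]); i++) {
        struct ip_tally t;
        tally_ip(sample, n, ips[i], &t);
        printf("10.0.1.%u: %s (first responder %u %%)\n", (unsigned)(ips[i] & 0xff),
               names[classify(&t)], t.n_macs ? reply_rate(&t, 0) : 0);
    }
    return 0;
}
```

As the thread notes, a same-MAC duplicate in a single round can also come from the system's own ARP request, so only a later rerun of the scan can tell the two cases apart.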

@yubiuser
Member

I like that. I still think the verbose mode could be the default

Skipped interface docker0 (172.17.0.1/16)
Skipped interface br-cdc97c33a83b (172.20.0.1/16)
Skipped interface br-8f8a772de3d9 (192.168.32.1/20)
Still scanning interface eno1 (10.0.1.5/24) 0%...
Still scanning interface wg0 (10.0.40.1/24) 0%...
No devices found on interface wg0 (10.0.40.1/24)
Still scanning interface eno1 (10.0.1.5/24) 10%...
Still scanning interface eno1 (10.0.1.5/24) 20%...
Still scanning interface eno1 (10.0.1.5/24) 30%...
Still scanning interface eno1 (10.0.1.5/24) 40%...
Still scanning interface eno1 (10.0.1.5/24) 50%...
Still scanning interface eno1 (10.0.1.5/24) 60%...
Still scanning interface eno1 (10.0.1.5/24) 70%...
Still scanning interface eno1 (10.0.1.5/24) 80%...
Still scanning interface eno1 (10.0.1.5/24) 90%...

@DL6ER
Member Author

DL6ER commented May 15, 2023

I'm actually working on consolidating the output ...

Signed-off-by: DL6ER <dl6er@dl6er.de>
@yubiuser
Member

There is a bit of duplicate in the new output

Discovering IPv4 hosts on the network using the Address Resolution Protocol (ARP)...

0%... 0%... 10%... 20%... 30%... 40%... 50%... 60%... 60%... 70%... 80%... 90%... 100%%

Second run

Discovering IPv4 hosts on the network using the Address Resolution Protocol (ARP)...

0%... 0%... 10%... 20%... 20%... 30%... 40%... 50%... 60%... 70%... 70%... 80%... 90%... 100%%

Notice also the extra final %


It's worse with -a

0%... 0%... 8%... 12%... 20%... 28%... 32%... 38%... 46%... 50%... 56%... 64%... 66%... 72%... 76%... 76%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 80%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 82%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 84%... 
84%... 84%... 84%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 86%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 88%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 90%... 
90%... 90%... 90%... 90%... 90%... 90%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 92%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 94%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 
96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 96%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 98%... 100%%

DL6ER added 4 commits May 16, 2023 04:40
…ned by the individual threads

Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
…actually use this space so we need to reserve enough space here

Signed-off-by: DL6ER <dl6er@dl6er.de>
@rdwebdesign
Member

rdwebdesign commented May 16, 2023

I tested the branch inside a nightly container.

The duplication is happening: 100%%.

Also, the interface name is very strange: &hԵghԵc (it should be eth0). Apparently it is using the wrong encoding.

Edit:
Actually, the interface name changes every time I run the command: &hԵghԵc, &յgյc, &gc, &ԵgԵc...

Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER
Member Author

DL6ER commented May 16, 2023

I changed the progress output, it should be less crowded but still show some updates every second.

@rdwebdesign This is interesting, I can only assume the interface name is somehow not set at all and the docker kernel returns a random (but non-empty) string for the name. Which networking mode did you use? Does it happen with other modes, too? I have not tried it inside a container. My assumption would be that the inside of the container does not have sufficient permission to do the scanning on the host's networking interface. It'd be a possibility to sniff traffic from the host inside the container, otherwise.

@rdwebdesign
Member

rdwebdesign commented May 16, 2023

Which networking mode did you use?

macvlan

Does it happen with other modes, too?

I didn't test using other modes, but I can do it later.

I can only assume the interface name is somehow not set at all and the docker kernel returns a random (but non-empty) string for the name.
...
My assumption would be that the inside of the container does not have sufficient permission to do the scanning on the host's networking interface.

I'm not sure what's wrong, but I think the container always has the same interface name.

This is the output of ip neigh inside the container (192.168.0.201 is the IP for another container):

192.168.0.201 dev eth0 lladdr <mac_address> REACHABLE
192.168.0.1 dev eth0 lladdr <mac_address> REACHABLE

For testing purposes I installed net-tools and executed arp. The interface is also reported as eth0.

Also, the debug log always shows the correct interface.

@yubiuser
Member

Nice:

pi@s740:~/unbound-docker/data$ pihole-FTL arp-scan
Error: Insufficient permissions or capabilities (needs CAP_NET_RAW). Try running as root (sudo)

Error scanning interface wg0 (10.0.40.1/24): Protocol not supported

DL6ER added 2 commits May 17, 2023 16:53
…nterface name

Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
@yubiuser
Member

yubiuser commented May 17, 2023

The number of X shown on -x(treme) is a bit...overwhelming

ARP scan on interface docker0 (172.17.0.1/16) finished
IP address       Interface        Hostname                 MAC address        Reply matrix
172.17.0.1       docker0          N/A                      02:42:22:9c:a4:d2  X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X (100%)
172.17.0.2       docker0          N/A                      02:42:ac:11:00:02  X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X X (100%)

@rdwebdesign
Member

The number of X shown on -x(treme) is a bit...overwhelming

I agree.

Maybe we should replace the "Reply Matrix" with "Reply %" (even for normal scans).

Something like this:

IP address       Interface        Hostname                 MAC address        Reply %
172.17.0.1       docker0          N/A                      02:42:22:9c:a4:d2  100%
172.17.0.2       docker0          N/A                      02:42:ac:11:00:02  92% (8 packages lost)

@rdwebdesign
Member

The new "Reply Rate" looks a lot better than the matrix, especially when using the -x option.

DL6ER added 4 commits May 18, 2023 09:04
…face scans as possible under these conditions

Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
Signed-off-by: DL6ER <dl6er@dl6er.de>
@DL6ER DL6ER merged commit 2fa2d86 into development May 20, 2023
@DL6ER DL6ER deleted the new/arp-scan branch May 20, 2023 12:22
@DL6ER DL6ER mentioned this pull request May 28, 2023
@AJ

AJ commented May 30, 2023

I still need to sudo to use this command. I get the following if I don't use Sudo:

pi@raspberrypi:~ $ pihole-FTL arp-scan -v
Error: Insufficient permissions or capabilities (needs CAP_NET_RAW). Try running as root (sudo)

When I do run this with Sudo, I get N/A for almost all hostnames (except for two clients that I have named in hosts and the pihole itself). Pihole is also the only DHCP server on my network:

$ sudo pihole-FTL arp-scan -v
Discovering IPv4 hosts on the network using the Address Resolution Protocol (ARP)...

. 9% . 19% .. 29% . 39% . 49% .. 59% . 69% . 79% .... 89% . 99% .100%

ARP scan on interface eth0 (192.168.0.6/24) finished
IP address       Interface        Hostname                 MAC address        Reply rate
192.168.0.1      eth0             N/A                      XX:XX:XX:XX:5f:2d  100 %
192.168.0.2      eth0             switch                   XX:XX:XX:XX:c5:a2  100 %
192.168.0.3      eth0             N/A                      XX:XX:XX:XX:6a:9f  100 %
192.168.0.4      eth0             N/A                      XX:XX:XX:XX:6a:c7  100 %
192.168.0.5      eth0             dlinkrouter              XX:XX:XX:XX:01:ea  100 %
192.168.0.6      eth0             pi.local                 XX:XX:XX:XX:eb:af  100 %
192.168.0.7      eth0             N/A                      XX:XX:XX:XX:da:c8  100 %
192.168.0.123    eth0             N/A                      XX:XX:XX:XX:32:c7   20 %
192.168.0.150    eth0             N/A                      XX:XX:XX:XX:4b:ed  100 %
192.168.0.176    eth0             N/A                      XX:XX:XX:XX:b5:09   90 %
192.168.0.181    eth0             N/A                      XX:XX:XX:XX:cd:7b   40 %
192.168.0.196    eth0             N/A                      XX:XX:XX:XX:30:7e   20 %
192.168.0.199    eth0             N/A                      XX:XX:XX:XX:06:39   10 %

How can I get the hostnames displayed in the output of this command?

@yubiuser
Member

I still need to sudo to use this command. I get the following if I don't use Sudo:

This is the expected and correct behaviour since we switched to the native systemd service file.

@jfb-pihole
Member

We will need to update the man page for pihole-FTL to describe this function and provide the proper command syntax.

@AJ

AJ commented Jun 2, 2023

@yubiuser is N/A value for the hostname the correct behaviour?
@jfb-pihole Agreed.

@DL6ER
Member Author

DL6ER commented Jun 2, 2023

How can I get the hostnames displayed in the output of this command?

is N/A value for the hostname the correct behaviour?

pihole-FTL arp-scan uses the system's resolver configured in /etc/resolv.conf. If that is not your Pi-hole but something else (e.g. the router), name resolution will not work if your router does not know the hostnames. You'd first have to change the resolver used by the system to your Pi-hole (likely 127.0.0.1).

@AJ

AJ commented Jun 3, 2023

@DL6ER The Pihole is the DHCP server (Resolver?)? Is there something else that I need to change?

@DL6ER
Member Author

DL6ER commented Jun 3, 2023

@AJ Check /etc/resolv.conf if it says nameserver 127.0.0.1. If not, you need to configure your Pi-hole to use itself as DNS server (this is not the default). You should be able to do this in the same place where you specified its static IP address.

@AJ

AJ commented Jun 3, 2023

@AJ Check /etc/resolv.conf if it says nameserver 127.0.0.1. If not, you need to configure your Pi-hole to use itself as DNS server (this is not the default). You should be able to do this in the same place where you specified its static IP address.

@DL6ER I'm sorry. I don't know how to do this? I do remember configuring the Pihole address somewhere but it was a while ago so I don't remember where exactly I'd set the Pihole's static IP. I also removed all static entries from my router when I changed the DHCP server to the Pihole

On my Pihole, /etc/resolv.conf has two nameserver entries (with Cloudflare's IPs against them). I'm also not sure why this is as I have Quad9 as my DNS servers in the Pihole Admin interface.

Should I replace the entries in /etc/resolv.conf or make a change elsewhere?

@DL6ER
Member Author

DL6ER commented Jun 3, 2023

@AJ This is a general system configuration problem and nothing really related to this issue. The answer to your question will depend on a few more bits and pieces (e.g. operating system, is this a Raspberry Pi, ...) and cannot be answered without. It would clutter this thread without any real benefit for future readers. I'd strongly suggest you open a discussion on our forum https://discourse.pi-hole.net where we have thousands of users with all kinds of systems so your particular issue can really be best resolved there. I will hide the posts in this discussion at some point.

@Danathar

hostname

I can verify the same issue. I didn't get any hostnames either.

@DL6ER
Member Author

DL6ER commented Jun 17, 2023

@Danathar as said above, this is not an issue but comes from the particular configuration of your machine running Pi-hole. If you did not set up your Pi-hole to use itself as resolver during static IP configuration, this is expected and correct.

@Danathar

Danathar commented Jun 17, 2023 via email
