• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Best way to monitor when a device connects and disconnects to network?

DHCP and DNS
arp dhcp
5
11
1.6k
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • S
    Slyke
    last edited by Jul 8, 2023, 9:21 AM

    I want to monitor when a device connects and disconnects to the network. Some of the devices won't reply to ping, and so the next best way I figured is to monitor the ARP table with something like /usr/sbin/arp --libxo json -a.

    I can see on the diagnostics screen that ARP entries last around 20 minutes, and that the DHCP status screen doesn't realise they are offline until the ARP timeout expires and that entry is removed.

    I can also run /usr/sbin/arp -d -a to delete all entries.

    I have a feeling that it's not a good idea to be clearing the ARP table every minute or so. Is there a better way to achieve this? Perhaps a script that first attempts to ping the device, then deletes the ARP entry if there's less than X time on the entry, and that script runs once every 2ish minutes?

    H J 2 Replies Last reply Jul 8, 2023, 9:42 AM Reply Quote 0
    • H
      heper @Slyke
      last edited by Jul 8, 2023, 9:42 AM

      @Slyke you could reduce the time devices stay in the arp cache.

      in shell you could reduce from 1200seconds to for example 120 seconds...

      sysctl net.link.ether.inet.max_age=120
      

      this will not survive a reboot, but should be good for testing.

      S 1 Reply Last reply Jul 8, 2023, 10:30 AM Reply Quote 1
      • J
        johnpoz LAYER 8 Global Moderator @Slyke
        last edited by johnpoz Jul 8, 2023, 10:17 AM Jul 8, 2023, 10:11 AM

        @Slyke said in Best way to monitor when a device connects and disconnects to network?:

        want to monitor when a device connects and disconnects to the network

        Just because the arp cache has expired, doesn't mean the device is still not on the network. Just that pfsense has not seen any traffic from it.. I could be busy moving data between it and your nas for example..

        if you want to know if something is on the network or not, you prob want to do an actual arp scan every X amount of time you are wanting resolution at, be that 1 minute, 1 hour, etc.

        While something might not answer a ping, it would answer a arp.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • S
          Slyke @heper
          last edited by Slyke Jul 8, 2023, 10:34 AM Jul 8, 2023, 10:30 AM

          @heper What's the best way to make it permanent? Also, are there any issues with doing this? ARP packets are small, and I can't find any valid reason that decreasing this timeout would cause any issues, except maybe slightly more LAN traffic, which isn't really a problem.

          @johnpoz Yeah, not too worried about if some devices aren't detected, like my smart switches or whatever, it's mainly my phone and gf's phone for presence detection, possibly for guests (friends) too. For something like a NAS, I could always ping it, and for smart switches, they reply to http requests (Being Shellys) and pings.

          G 1 Reply Last reply Jul 8, 2023, 11:12 AM Reply Quote 0
          • G
            guile @Slyke
            last edited by Jul 8, 2023, 11:12 AM

            @Slyke Maybe DHCP leases?

            J J 2 Replies Last reply Jul 8, 2023, 3:41 PM Reply Quote 0
            • J
              JKnott @guile
              last edited by Jul 8, 2023, 3:41 PM

              @guile

              You'd need fairly short leases for that to work. A lease is valid until it expires and that has nothing to do with a device leaving the network.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              1 Reply Last reply Reply Quote 0
              • J
                johnpoz LAYER 8 Global Moderator @guile
                last edited by johnpoz Jul 8, 2023, 4:27 PM Jul 8, 2023, 4:24 PM

                @guile dhcp leases for what? While a device getting a lease for sure could tell you when something joins. There is nothing saying its going to release it when it leaves - especially with wifi devices. They just end up out of range and connect to either cell or another wifi network. Unlike a pc or laptop that might be shutdown and release the dhcp lease as it shutdown, etc..

                The best way to monitor close to real time what is on the network and what not on the network is to do a arp scan, and send out notifications for what your interested in.

                I use to do using https://www.domotz.com/ which is pretty slick, but the pricing got out of hand for home user - it use to be like 20$ a year or something for a home license - now its like 23 a month.. No thanks.. Fing is the non pro version.. But think its limited to network.

                You might be able to do some arp monitoring with zabbix - hmm I think there was a thread around here somewhere were somebody did something with that. Or maybe that was over on reddit? But there is no reason to re-invent the wheel here, sure that is something already done for this.. Be it free as in beer or with some cost.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                G 1 Reply Last reply Jul 8, 2023, 6:28 PM Reply Quote 0
                • G
                  guile @johnpoz
                  last edited by Jul 8, 2023, 6:28 PM

                  @johnpoz I use Zabbix, but he said some devices wont reply to ping.. and prob cant install zabbix agent.

                  J 1 Reply Last reply Jul 8, 2023, 7:02 PM Reply Quote 0
                  • J
                    johnpoz LAYER 8 Global Moderator @guile
                    last edited by johnpoz Jul 8, 2023, 7:06 PM Jul 8, 2023, 7:02 PM

                    @guile any device will answer arp - use arp scan..

                    Something like this maybe?

                    https://github.com/rggassner/gassnerZabbixScripts/tree/master/arpMonitoring

                    Or something like this maybe

                    https://github.com/pucherot/Pi.Alert

                    not a lot of reason to re-invent wheels, if you think of doing X, someone has prob already thought of it and created something ;)

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                    S 1 Reply Last reply Jul 9, 2023, 9:04 AM Reply Quote 0
                    • S
                      Slyke @johnpoz
                      last edited by Slyke Jul 9, 2023, 9:34 AM Jul 9, 2023, 9:04 AM

                      @johnpoz I agree reinventing the wheel is not a good idea, but I don't need a fully fledged app installed. I really just need to execute a script (really a mqtt or http request) when these events happens.

                      I tried getting dhcpd to use its execute() function, but since it's chrooted, cURL or wget need to be statically compiled, or all the libraries cURL or wget need, need to be moved into the chrooted environment. Even after statically compiling them, there were errors that were above my paygrade to solve. So I checked pfsense's source code to see how it determined if a host was online or offline and found that it was executing /usr/sbin/arp in one of the files.

                      I also found arpwatch, but it sends the alerts via email for some reason instead of allowing me to execute a shell script for it to run.

                      So far the best solution I've found is to setup a cronjob that runs every minute, create lockfile, execute /usr/sbin/arp use cURL to send the results somewhere, wait 5 seconds and do it again, until 55 seconds have passed then delete lockfile, then exit. I don't even need the host running pfsense to even diff the ARP changes, I just need to be able to see what's there and I can diff it elsewhere (Which will be NodeRed).

                      Pi.Alert does look nice, and I might set it up on my K8s cluster for more advanced monitoring.

                      Here's the (untested - GPT4 helped write it) script:

                      #!/bin/bash
                      
                      LOCKFILE="/tmp/arpmonitor.lock"
                      OUTPUT_FILE="/tmp/arpmonitor_output.json"
                      URL="http://w.x.y.z/abc?123=456"
                      MAX_LOOPS=15
                      MAX_TIME=55
                      WAIT_BETWEEN_LOOPS=5
                      
                      if [ -e "${LOCKFILE}" ]; then
                        echo "Lockfile exists, exiting..."
                        exit 1
                      fi
                      
                      touch "${LOCKFILE}"
                      START=$(date +%s)
                      echo "${START}" > "${LOCKFILE}"
                      
                      LOOP_COUNT=0
                      while [ $LOOP_COUNT -lt $MAX_LOOPS ] && [ $LOOP_COUNT -ge 0 ]; do
                        NOW=$(date +%s)
                        DIFF=$(( $NOW - $START ))
                      
                        if [ $DIFF -ge $MAX_TIME ]; then
                          echo "${MAX_TIME} seconds passed, exiting..."
                          rm -f "${LOCKFILE}"
                          exit 0
                        fi
                        OUTPUT=$(/usr/sbin/arp --libxo json -a)
                      
                        echo "${OUTPUT}" > "${OUTPUT_FILE}" # for debugging
                      
                        curl -X POST -H "Content-Type: application/json" -d "${OUTPUT}" ${URL} --connect-timeout 3
                      
                        LOOP_COUNT=$((LOOP_COUNT+1))
                        sleep $WAIT_BETWEEN_LOOPS
                      done
                      
                      echo "Loop failed to correctly break (Loops: ${LOOP_COUNT}). Exiting..."
                      exit 2
                      
                      
                      1 Reply Last reply Reply Quote 0
                      • S
                        Slyke
                        last edited by Slyke Jul 12, 2023, 8:29 AM Jul 12, 2023, 8:28 AM

                        Final reply to this thread for anyone in the future who needs to setup something similar:

                        I've put the full solution, including the NodeRed flow here: https://gist.github.com/Slyke/7d5b290f1d5695fdd79f5e0a08837c93

                        1 Reply Last reply Reply Quote 0
                        5 out of 11
                        • First post
                          5/11
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.