
@cmlewis89
Last active September 25, 2023 20:11

Revisions

  1. cmlewis89 revised this gist Feb 21, 2020. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion arp-monitor.sh
    @@ -64,7 +64,7 @@ do
    fi

    # Remove all temp files
    rm -f $ARP_TABLE $ARP_MACS $ARP_MAC_COMBO $ARP_MAC_DIFF $ARP_MAC_NEW
    rm -f $ARP_TABLE $ARP_MACS $ARP_MAC_COMBO $ARP_MAC_DIFF

    # Delay before next run
    sleep 1
  2. cmlewis89 revised this gist Feb 21, 2020. 1 changed file with 17 additions and 16 deletions.
    33 changes: 17 additions & 16 deletions arp-monitor.sh
    @@ -9,22 +9,24 @@
    # For auto-run on login you can rename the script to a .command and add it to your Login items on Mac OS or
    # modify the script to remove the loop and take a look at crontab
    #
    # Note: Ensure you change the discord curl below to your own webhook
    # Note: Ensure you change the Discord variable below to your own webhook
    #

    #discord webhook
    DISCORD_WEBHOOK="https://discordapp.com/api/webhooks/***"

    #save
    ARP_MAC_SAVE="ARP_MAC.txt"
    #temp files
    ARP_TABLE="ARP_temp.txt"
    ARP_MACS="ARP_MAC_temp.txt"
    ARP_MAC_COMBO="ARP_MAC_combo.txt"
    ARP_MAC_DIFF="ARP_MAC_diff.txt"
    ARP_MAC_NEW="ARP_MAC_new.txt"

    while true
    do
    # Fetch a new arp output
    arp -a > $ARP_TABLE
    arp -an > $ARP_TABLE
    # Filter only mac addreses
    cat $ARP_TABLE | awk '{print $4}' | sort > $ARP_MACS

    @@ -42,22 +44,21 @@ do

    # Act on any diff
    if [ -s $ARP_MAC_DIFF ]; then
    # ensure 'new' file is deleted since we concat below
    rm -f $ARP_MAC_NEW
    # loop through new mac addresses and pull full data from ARP table
    # loop through new mac addresses
    while read -r i; do
    cat $ARP_TABLE | grep "$i" >> $ARP_MAC_NEW
    # pull full data from ARP table
    newARP=$(cat $ARP_TABLE | grep "$i")
    # attempt to pull vendor info from mac address prefix with '${i:0:8}'
    vendorAPI="https://macvendors.co/api/${i:0:8}/pipe"
    vendorID=$(curl "$vendorAPI" | awk -F'\\|' '{print $1}' | sed 's/\"//g')
    # log
    echo "Found a new client mac address: $newARP from vendor $vendorID"
    # send discord notification
    curl -H "Content-Type: application/json" -X POST -d '{"content": "**New client on network**: '"$newARP"' from vendor '"$vendorID"' "}' "$DISCORD_WEBHOOK"
    #delay before next result
    sleep 2
    done < $ARP_MAC_DIFF

    # if we have any data to send
    if [ -s $ARP_MAC_NEW ]; then
    while read -r j; do
    echo "Found a new client mac address: $j"
    curl -H "Content-Type: application/json" -X POST -d '{"content": "**New client on network**: '"$j"' "}' https://discordapp.com/api/webhooks/***
    sleep 1
    done < $ARP_MAC_NEW
    fi

    # Update old arp save
    cp -f $ARP_MAC_COMBO $ARP_MAC_SAVE
    fi
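Review bot: The Discord payload in the new `while read -r i` loop is built by splicing `$newARP` and `$vendorID` into a hand-written JSON string, and `$vendorID` is whatever the third-party macvendors.co lookup returned with only double quotes stripped, so a backslash, newline or markup in that response can break the JSON or change what the alert says. The same hand-built payload appears in the initial revision's `$j` loop. Where jq is available, let it encode the body: `payload=$(jq -n --arg c "**New client on network**: $newARP from vendor $vendorID" '{content: $c}')` followed by `curl -H "Content-Type: application/json" -d "$payload" "$DISCORD_WEBHOOK"`. The lookup `curl "$vendorAPI"` sets neither `--fail` nor `--max-time`, so an error page can end up in the notification or a hung connection can stall the monitor, and `grep "$i"` treats the address as a regular expression where `grep -F -- "$i"` would match it literally. The enclosing `while true` loop begins and ends outside this hunk.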
  3. cmlewis89 revised this gist Feb 21, 2020. 1 changed file with 4 additions and 1 deletion.
    5 changes: 4 additions & 1 deletion arp-monitor.sh
    @@ -4,7 +4,10 @@
    # inspired by https://gist.github.com/maugern/30ace2764aafc683a802de2ed82f91af
    #
    # This script is intended to start on launch and run on an always connected device on a network (eg: server).
    # It scans the network with 'arp -a' and sends a notifcation webhook whenever recognizes a new mac address on the network.
    # It scans the network with 'arp -a' and sends a notification webhook whenever recognizes a new mac address on the network.
    #
    # For auto-run on login you can rename the script to a .command and add it to your Login items on Mac OS or
    # modify the script to remove the loop and take a look at crontab
    #
    # Note: Ensure you change the discord curl below to your own webhook
    #
  4. cmlewis89 revised this gist Feb 21, 2020. 1 changed file with 2 additions and 2 deletions.
    4 changes: 2 additions & 2 deletions arp-monitor.sh
    @@ -3,8 +3,8 @@
    # arp-monitor, an ARP tables monitor
    # inspired by https://gist.github.com/maugern/30ace2764aafc683a802de2ed82f91af
    #
    # This script is intended to start on launch and run on a always connected device on a network.
    # It scans the network with 'arp -a' and sends a webhook when it recognizes a new mac address on the network.
    # This script is intended to start on launch and run on an always connected device on a network (eg: server).
    # It scans the network with 'arp -a' and sends a notifcation webhook whenever recognizes a new mac address on the network.
    #
    # Note: Ensure you change the discord curl below to your own webhook
    #
  5. cmlewis89 revised this gist Feb 21, 2020. No changes.
  6. cmlewis89 created this gist Feb 21, 2020.
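--- a/arp-monitor.sh
+++ b/arp-monitor.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+#
+# arp-monitor, an ARP tables monitor
+# inspired by https://gist.github.com/maugern/30ace2764aafc683a802de2ed82f91af
+#
+# This script is intended to start on launch and run on a always connected device on a network.
+# It scans the network with 'arp -a' and sends a webhook when it recognizes a new mac address on the network.
+#
+# Note: Ensure you change the discord curl below to your own webhook
+#
+
+#save
+ARP_MAC_SAVE="ARP_MAC.txt"
+#temp files
+ARP_TABLE="ARP_temp.txt"
+ARP_MACS="ARP_MAC_temp.txt"
+ARP_MAC_COMBO="ARP_MAC_combo.txt"
+ARP_MAC_DIFF="ARP_MAC_diff.txt"
+ARP_MAC_NEW="ARP_MAC_new.txt"
+
+while true
+do
+# Fetch a new arp output
+arp -a > $ARP_TABLE
+# Filter only mac addreses
+cat $ARP_TABLE | awk '{print $4}' | sort > $ARP_MACS
+
+# Check if history does not already exist
+if [ ! -f $ARP_MAC_SAVE ]; then
+echo "No file $ARP_MAC_SAVE found. Copying actual ARP table."
+cp -f $ARP_MACS $ARP_MAC_SAVE
+fi
+
+# Add save to new fetch and removing dupes
+cat $ARP_MAC_SAVE $ARP_MACS | sort | uniq > $ARP_MAC_COMBO
+
+# Diff the current arp with saved history
+diff $ARP_MAC_COMBO $ARP_MAC_SAVE --ignore-all-space | grep "<" | awk '{print $2}' > $ARP_MAC_DIFF
+
+# Act on any diff
+if [ -s $ARP_MAC_DIFF ]; then
+# ensure 'new' file is deleted since we concat below
+rm -f $ARP_MAC_NEW
+# loop through new mac addresses and pull full data from ARP table
+while read -r i; do
+cat $ARP_TABLE | grep "$i" >> $ARP_MAC_NEW
+done < $ARP_MAC_DIFF
+
+# if we have any data to send
+if [ -s $ARP_MAC_NEW ]; then
+while read -r j; do
+echo "Found a new client mac address: $j"
+curl -H "Content-Type: application/json" -X POST -d '{"content": "**New client on network**: '"$j"' "}' https://discordapp.com/api/webhooks/***
+sleep 1
+done < $ARP_MAC_NEW
+fi
+
+# Update old arp save
+cp -f $ARP_MAC_COMBO $ARP_MAC_SAVE
+fi
+
+# Remove all temp files
+rm -f $ARP_TABLE $ARP_MACS $ARP_MAC_COMBO $ARP_MAC_DIFF $ARP_MAC_NEW
+
+# Delay before next run
+sleep 1
+done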
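Review bot: The history file and every scratch file (`ARP_MAC.txt`, `ARP_temp.txt`, `ARP_MAC_diff.txt` and the rest) are fixed names relative to the current directory and are expanded unquoted, so the baseline the monitor trusts depends on where the login item or cron job happens to start it. In a directory other local users can write to, a pre-created file or symlink with one of these names would be overwritten or read as known-good history. Create the scratch area with `workdir=$(mktemp -d) || exit 1` and `trap 'rm -rf -- "$workdir"' EXIT`, keep `ARP_MAC_SAVE` at an absolute path owned by the running user, and double-quote each expansion. A comment above `ARP_MAC_SAVE` stating that this file is the trust baseline, so deleting it silently re-learns every device currently on the network, would also help operators.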