Fing network scanner

Of course that you can buy original Fingbox but that was not idea.

Telegram2940×279 58 KB

Motivation

I’m not paranoid about network security, but I wanted to know if some device joins my network. Idea is that I have some tool which will scan my local network each 30 minutes and see if any new, unknown, device is present and send notification to telegram with information about that device.

Setup

I created very simple bash script which I’m running on my Raspberry Pi 3. It can be also optimized but well, it’s working

What I’m doing there?

Script runs Fing command line tool which returns CSV style table of all devices in defined network. Then for each row in that table I check if that device is present in ignoreddevices.txt file. If not then it checks knowndevices.txt file for that device and also checks if that device has still the same Ip address. This is useful if you didn’t setup static Ip address, then you will get notification if some of your devices changed Ip. Also this is useful against attacks when someone fakes your known device mac address.

Report for each device is published to MQTT.

Required libraries

First you have to install chkconfig tool.

sudo apt install chkconfig

Then you need to download Fing CLI.

https://www.fing.com/products/development-toolkit

I downloaded Fing CLI - Linux Debian - v5.5.2 zip and there you will find:

fing-5.5.2-arm64.deb which is needed for RPi 3 but there are other .deb files for all Linux distributions.

Install .deb file via dpkg or apt command:

sudo apt install path_to_deb_file

or

sudo dpkg -i path_to_deb_file

You need to install MQTT clients:

sudo apt install mosquitto-clients

and now you have all needed libraries.

Script

In network_tracker.sh script you have to put your data for:

• net - network which will Fing search (mine is 192.168.0.0/24)

• mqtt_host - host for MQTT broker

• mqtt_user - MQTT user

• mqtt_password - MQTT password

• path to knowndevices.txt and ignoreddevices.txt

network_tracker.sh:

#!/bin/bash

net=192.168.0.0/24

mqtt_host=__your_mqtt_host__

mqtt_topic=networkTracker/alert

mqtt_user=__your_mqtt_username__

mqtt_password=__your_mqtt_password__

known=__path_to_knowndevices.txt__

ignore=__path_to_ignoreddevices.txt__

dt=`date '+%FT%T'`

IFS="

"

for l in `fing -n $net -r 1 -o table,csv --silent`

do

        IFS=";"

        array=($l)

        fing_mac=${array[5]}

        fing_ip=${array[0]}

        fing_name=${array[6]}

        if [ `cat $ignore | grep $fing_mac | wc -l` -eq "1" ]

        then

                echo "$dt - $fing_mac is ignored!"

                continue

        fi

        if [ `cat $known | grep $fing_mac | wc -l` -eq "0" ]

        then

                echo "$dt - $fing_mac is not known!"

                mosquitto_pub -h $mqtt_host -u $mqtt_user -P $mqtt_password -t $mqtt_topic -m "New Mac: $fing_mac IP: $fing_ip FingName: $fing_name"

        elif [ `cat $known | grep $fing_mac | wc -l` -gt "1" ]

        then

                echo "$dt - $fing_mac has multiple records in knowndevices.txt"

                mosquitto_pub -h $mqtt_host -u $mqtt_user -P $mqtt_password -t $mqtt_topic -m "Multiple records in knowndevices.txt for Mac: $fing_mac IP: $fing_ip FingName: $fing_name"

        elif [ `cat $known | grep $fing_mac | wc -l` -eq "1" ]

        then

                knowndevice=($(cat $known | grep $fing_mac))

                if [ "${knowndevice[1]}" != "$fing_ip" ]

                then

                        echo "$dt - $fing_mac changed IP address from IP_OLD: ${knowndevice[1]} to IP_NEW: $fing_ip"

                        mosquitto_pub -h $mqtt_host -u $mqtt_user -P $mqtt_password -t $mqtt_topic -m "Mac: $fing_mac changed IP address from IP-OLD: ${knowndevice[1]} to IP-NEW: $fing_ip FingName: $fing_name DeviceName: ${knowndevice[2]}"

                fi

        fi

        IFS="

        "

done

knowndevices.txt:

34:e4:8b:72:96:f7;192.168.0.1;Ubee

34:e4:8b:72:97:f8;192.168.0.2;Device 1

In knowndevices file you have to put all your devices in format MAC_ADDR;IP_ADDR;FRENDLY_NAME. In my example you can see that I put my Ubee router mac: 34:e4:8b:72:96:f7 which is on IP 192.168.0.1 IP address and I put Ubee as Friendly name. Each device has to be in new row.

ignoreddevices.txt:

8c:30:75:36:9b:b5

In ignoreddevices file you have to put mac address of all devices which you don’t want to track. The above mac is just example.

I put network_tracker.sh script in cronjob. It will run it each xx:01 and xx:31. You have to use root cronjob or give Fing CLI root permissions.

1,31 * * * * path_to_scipt/network_tracker.sh >> path_to_logs/network_tracker.log

Home Assistant automation

I created automation which checks MQTT for network alerts and sends them to Telegram:

- alias: Network tracker

  description: ''

  id: 24b9f12c-b1b5-4899-b7f9-6078d6c8e775

  mode: single

  trigger:

  - platform: mqtt

    topic: networkTracker/alert

  condition: []

  action:

  - service: notify.telegrambotme

    data_template:

      message: '🚨 NETWORK ALERT! 🚨 {{ trigger.payload }}'

Telegram11078×356 86.8 KB

Telegram2940×279 58 KB

Github page:

Would like to test this on my todo list now for when I finally got spare time lol

Nice work deadly667.
Please note that now not only Fingbox but also Fing Desktop expose a Local API for integrations; that would allow you to achieve similar results w/o the overhead of setting up the CLI.
Local API is a premium feature but if you are interested to try and publish some home-assistant integration, we will gift you one.

Hello Carlo, are you really from Fing as your name implies? Are you guys considering an integration for Home Assistant? I am thinking about buying the box but it would be much nicer if it is fully integrated.
Thanks!
B

Yes it’s Carlo from Fing here.
We built Local API for both Fingbox and Fing Desktop and it’s generic, can be used for any integration.
We did not have time to built our own integration with home-assistant but we are hoping that some of you guys that know the internals of home-assistant can build it.
You can download Fing Desktop and try it out: Local API is among the Tools, it works in demo mode also w/o Fing premium.
We are of course going to gift Fing Premium to you guys if you want to build such integration.

Are both Fingbox and Fing Desktop having the same local API. So if we setup one it will work for other and vice versa?

Can you link me some documentation for Fing Local API?

Also, as far as I see Fing desktop is only windows/mac app? There is no Linux version.

Yes they are exactly the same, so mapping it once would work everywhere.
Documentation at: https://app.swaggerhub.com/apis/fingltd/localapi/1.0.0
Also you can quickly try it from fing desktop page like e.g.:

Screenshot 2020-12-27 at 13.35.312188×1034 183 KB

Is there a Linux version of Fing Desktop?

Not yet available.

Hi!

So it is fairly simple as all you need in python is:

import requests
r = requests.get(‘http://192.168.1.111:49090/1/devices?auth=1XXXXXXXXA’)
r.json()

and you have a JSON representation of the devices on the network, that looks like this:

‘devices’: [{
‘mac’: ‘B0:39:56:E9:XX:XX’,
‘ip’: [‘192.168.1.1’],
‘state’: ‘UP’,
‘name’: ‘DD-WRT’,
‘type’: ‘WIFI’,
‘make’: ‘Netgear’,
‘model’: ‘Nighthawk XXXXXXXXXXXX Router’,
‘first_seen’: ‘2020-10-04T17:44:45.933Z’
},

Fairly straightforward.

How I could image an integration is the following:

1. optionally create a Fing CLI based Hass.IO add-on as a low tech alternative to the Fingbox
2. create an integration that queries the Fing local API for the network nodes, store them in a database with their “trust status” as per the original script of @deadly667
3. fire an event if a new device is joining by changing the state of an entity
4. maybe create a Lovelace custom card to show the online nodes on the network

This would be a super sophisticated presence detection implementation. And don’t get me wrong I would love this as currently I have over 15 ping based entities set up to show my devices with fixed IP that I am expecting to be online always:

image477×581 24 KB

• platform: ping
  host: 192.168.1.14
  name: Amazon Echo Show
  count: 2
  scan_interval: 30

If I understand correctly the value proposition of the Fingbox this would give us a network map and show if there are any new devices joining but it would stil not provide the full functionality of the box as the port scanning, automatic blocking of intruders, scheduled downtime and bandwidth monitoring is not available. (internet speed is already available as an integrated speedtest.net solution). Do I get it right @CarloFromFing?

BTW you are listing Home Assistant support as coming soon Could you elaborate on that?

Thanks!
B

So if we create an integration for you then you get to charge every HA user a “premium” fee to get access to the API that the integration requires? Sounds like a pass.

Why would your users pay a fee to access data that you’ve collected about their private network and locked away behind your “premium” fee? Doesn’t all the marketing data your going to sell to smart home product companies generate enough cash?

You can ditch Fing and just run arp -an on almost any Linux-based system (including BSD/Mac variants) and add some scripting to do the rest.

I like OP’s idea though.

@mstovenour that does seem to be the response from a lot of the Fing community, if you look on their forum (and the number of threads saying so that have been locked).

Ironically one of the main things that brought me to HA was their action, as I’m going through and replacing most of the functionality of my Fingbox with HA automations and scripts as I too disagree with paying for such an API functionality.

So far most of it has been successful in combination with the (free) API on my Fritz!Box and some excellent HA stuff found here. It’s sad to see what was once a great app like Fing being taken over and monetised by venture capital and suchlike, and everything going from community to profit.

Fing doesn’t work for a minute.
my raspbery’s have wifi and ethernet,
wifi has the mac address B8: 27: EB: FE: 12: 5C with a static DHCP address 192.168.2.14

Ethernet has the mac address b8: 27: eb: ab: 47: 09 and has a static ip address 192.168.2.13

now everytime it gets the message:
NETWORK ALERT! Mac: B8: 27: EB: AB: 47: 09 changed IP address from IP-OLD: 192.168.2.13 to IP-NEW: 192.168.2.14 FingName: Raspberry Pi DeviceName: pi.xxxx.xxx

I also get, for example, these kinds of messages:
NETWORK ALERT! New Mac: IP: 192.168.1.1 FingName:
that is from a pc with an ethernet static ip address which is in my knownhost file, no chance that the mac address will change.
and I also get such notifications from other PCs in my network.
In short, fing does not work for a meter, unfortunately

On my Raspberry I only use Wifi but if you still need to have both (you can always use just Ethernet and disconnect Raspberry from Wifi) it shloud still works. I think that problem should be in knowndevices.txt file.

Yours should look like:

b8:27:eb:fe:12:5c;192.168.2.14;pi.xxxx.xxx (wifi)
b8:27:eb:ab:47:09;192.168.2.13;pi.xxxx.xxx (ethernet)

Script just takes mac address and looks in knowndevices.txt file for that mac and if its there than check ip after first ;. In this case you dont have problem with Fing. Only if Fing mixes macs and ips for your raspberry…

The last case when Mac: is empty is really strange. That means that Fing couldnt get Mac address for your device on 192.168.1.1. Also its really unusual that you have network 192.168. 2.x and also 192.168.1.x. do you have two separate networks?

You can test Fing manually:
sudo fing -n 192.168.2.0/24 -r 1 -o table,csv

this will check your 192.168.2.0/24 network and then you can check if all results are as expected.

Regarding your network, did you put correct network in net variable in network_tracker.sh script?

For your network it should be:
net=192.168.2.0/24

I have a netmask / 22 which is 192.168.0.0 to 192.168.3.254 255.255.252.0
I have a lot of network devices and 1 subnet is not enough.
Most of it is static ethernet but I still have some wifi too.
in case of my pi, i have now turned off wifi temporarily and that helps but it remains strange that they are 2 different mac addresses and what you say, fing looks at mac addresses and they are 2 different so that is not correct.

I now also got the messages again:
NETWORK ALERT! New Mac: IP: 192.168.2.46 FingName:
and
NETWORK ALERT! New Mac: IP: 192.168.1.16 FingName:

both are static ethernet devices listed in the knowndevices.txt

hm I dont have that problem at all (running it for 6 months now). This sounds like Generic Device problem with Fing. https://community.fing.com/discussion/4605/generic-device-with-no-mac-address

Can you check if Fing sometimes detects that mac address and sometimes not or its always empty?

I will think about how to include that case into script.

in case of 192.168.1.1, fing can find the vendor:

6:12:38 PM> Host is up: 192.168.1.1
HW Address: 4C: CC: 6A: FB: 42: E5 (Micro-Star INTL)
Hostname: donald.xxx.xxx

in the cases 192.168.1.16 and 192.168.2.46 not

6:13:23 PM> Host is up: 192.168.2.46
HW Address: B4: E6: 2D: 69: 94: 54
Hostname: nichtlight.xxx.xxx

in the case of 192.168.1.16 something else is strange

18:13:19> Host changed: 192.168.1.16
HW Address: 80: 5E: 4F: 87: C2: A5
Hostname: cam-eetkamer.xxx.xxx
Updated host: 192.168.1.16
HW Address: 4C: B0: 08: EF: AD: 13
Hostname: cam-eetkamer.xxx.xxx
I get 2 mac addresses back while this is an ip camera with only ethernet. at the 2nd and 3rd scan I only got:

18:42:43> Host is up: 192.168.1.16
HW Address: 4C: B0: 08: EF: AD: 13
Hostname: cam-eetkamer.xxx.xxx

whatever the correct mac address is for the camera

very strange

Regarding vendors, it’s okey if it don’t find it sometimes. I have also a few devices which dont have Vendor and that’s why I added that friendly name so that I know which device is behind some mac address.

Hm in your case I will add both mac address for the same device.

I don’t think that Fing tool is the best one. For me was good enough because I didn’t have any
deal breaker problems.

I’m unfortunately going to remove it again.
it doesn’t work for me. now I get the following message again:

magnetics, [01/08/21 09:04]
NETWORK ALERT! Mac: 4C: CC: 6A: FB: 42: E5 changed IP address from IP-OLD: 192.168.1.1 to IP-NEW: 192.168.3.253 FingName: Micro-Star INTL DeviceName: donald.are-eigen.net

This is a static ethernet connection and when I ping to 192.168.1.1 I also get a response and I do a ping to 192.168.3.253 I get no response. it is therefore not correct what fing passes on.

This message also came in, also a static ip address:
magnetics, [01/08/21 11:33]
NETWORK ALERT! New Mac: IP: 192.168.2.50 FingName:

And this message is even stranger:
magnetics, [01/08/21 11:33]
NETWORK ALERT! New Mac: IP: g FingName:

I am a bit disturbed by all those notifications that I keep getting without there really being anything.
Too bad because I thought it was a very nice solution, but it must work well.