A command line tool to detect new, unknown devices on your network using the ARP protocol
.gitignore
LICENSE
README.md
arp_scan.txt
ieee-iab.txt
ieee-oui.txt
net_guard.sh
new_found.txt
p_new_found.txt
p_whitelist.txt
settings.cnf
whitelist.txt

README.md

Net Guard

A command line tool to detect possible malicious activity on your network using the ARP protocol. Maybe someone is hacking into your network! Alerts are sent via email.

Features

  • Detection of unknown devices
  • Detection of devices in promiscuous mode (approach taken from here)

Install

Mac

On Mac, install arp-scan:

brew install arp-scan

Configure mail on the terminal; here's a tutorial on Gmail.

Other Platforms:

TODO. PRs are welcome :)

Configure

Edit settings.cnf to set ALERT_EMAIL_ADD.

Add the MAC addresses of devices you know to whitelist.txt. You can list currently connected devices using:

arp-scan --interface=<xx> --localnet

Newly found devices are recorded in new_found.txt and are reported only once.

Both whitelist.txt and new_found.txt can be edited to include comments, such as:

00:11:22:33:44:55 # My iPhone

There are two equivalent lists for promiscuous mode devices (p_whitelist.txt and p_new_found.txt).
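
The list handling described above, sketched as an added example; this is not the project's net_guard.sh. It reads saved arp-scan output instead of running a scan, the function names (list_macs, scan_macs, report_new, make_sample) are hypothetical, and all addresses are constructed sample data.

```shell
#!/bin/sh
# Added example (not net_guard.sh): flag MACs seen by arp-scan that are on neither list.
MAC_RE='^([0-9a-f]{2}:){5}[0-9a-f]{2}$'

# Print the MACs in a list file, lowercased, without "# comment" tails or blank lines.
list_macs() {
    [ -f "$1" ] || return 0
    tr 'A-F' 'a-f' < "$1" |
        sed -E -n -e 's/#.*//' -e 's/[[:space:]]//g' -e "/$MAC_RE/p" | sort -u
}

# Print the MACs in saved arp-scan output; host lines are "IP<TAB>MAC<TAB>vendor".
scan_macs() {
    cut -s -f2 "$1" | tr 'A-F' 'a-f' | sed -E -n "/$MAC_RE/p" | sort -u
}

# report_new SCAN WHITELIST NEW_FOUND
# Print each MAC that is in neither list and append it to NEW_FOUND,
# so the same device is reported only once.
report_new() {
    known=$(mktemp) || return 1
    { list_macs "$2"; list_macs "$3"; } | sort -u > "$known"
    new=$(scan_macs "$1" | grep -vxFf "$known" || true)
    rm -f "$known"
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | tee -a "$3"
}

# Constructed sample data (not real devices), written to a scratch directory.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'Interface: en0, datalink type: EN10MB (Ethernet)' \
        'Starting arp-scan with 256 hosts' > "$dir/arp_scan.txt"
    printf '%s\t%s\t%s\n' \
        '192.168.1.1'  '00:11:22:33:44:55' 'Constructed Vendor A' \
        '192.168.1.23' 'AA:BB:CC:00:00:01' 'Constructed Vendor B' \
        '192.168.1.42' 'aa:bb:cc:00:00:02' '(Unknown)' >> "$dir/arp_scan.txt"
    printf '%s\n' '' '3 packets received by filter' >> "$dir/arp_scan.txt"
    printf '%s\n' '00:11:22:33:44:55 # My iPhone' > "$dir/whitelist.txt"
    printf '%s\n' 'aa:bb:cc:00:00:01 # seen earlier' > "$dir/new_found.txt"
    echo "$dir"
}

d=$(make_sample)
echo "first run:";  report_new "$d/arp_scan.txt" "$d/whitelist.txt" "$d/new_found.txt"
echo "second run:"; report_new "$d/arp_scan.txt" "$d/whitelist.txt" "$d/new_found.txt"
rm -rf "$d"
```

Matching is case-insensitive and ignores trailing comments, so a whitelist entry written as AA:BB:... still suppresses a scan result reported as aa:bb:....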

Usage

./net_guard.sh <interface>

E.g.: ./net_guard.sh en0

To list all network interfaces:

ifconfig