
Script: arpwatch.sh need some help

Discussion in 'Tomato Firmware' started by philess, Apr 23, 2013.

  1. philess

    philess Networkin' Nut Member

    Hello guys,

    I am trying to make an actually simple script that basically gives the same
    basic functionality as 'arpwatch' does. Unfortunately I couldn't find a source
    or binary anywhere that could run on Tomato. Only an Optware package, but
    I am usually running Entware and try to avoid switching just for this.

    What I want to do is run this by scheduler (e.g. every 5 minutes) and
    check the current ARP table (arp -a) either for all networks or just
    the guest WLAN network (arp -a | grep " on br1"). Now I want to look up
    if these MACs are either new to the network or old visitors, write them
    to a logfile with date and time. If at the next check the MAC is gone,
    it has disconnected and I want to write another entry to the log.

    The purpose of this is I want to use it for a client who runs a small hotel
    and wants to provide free (not public) WiFi for the guests. Now for legal
    reasons we want to log all MAC addresses with timestamps with the
    duration when they connect. In that case he has a good/decent chance
    IF some legal matters should occur and he has to find out who was
    using the WiFi at date XY. Sure, I know that is not 100% but it's at least
    something to go on then (so he can look up who the guests were at that
    date, have their MACs and then get in contact with them about it).
    Also it's a small hotel so chances are that there are probably only 0-2
    clients active at any time.

    OK, long story short: I have the basic idea lined out in my head
    and started on the script a bit but somehow I am stuck right now,
    also it doesn't help that I am a total bash script noob and have to
    google every tiny bit of this and make it work by trial and error.
    Right now the errors are clearly winning.

    Btw writing the log to a SQL db sure would be awesome later on for
    searching but as said, it's a small network and it's not necessary I guess.
    Unless other people would want to use this too, then I sure would
    install a sqlite or w/e on the router and live with it. Now I have chosen
    to write it to a CSV style file which should be easy to retrieve stuff from later.

    I am sure that instead of reading a textfile and then looping through all
    lines this can be done easier and quicker with arrays, I guess, but as said
    I am a noob and somehow can't think straight on this thing anymore.

    Could someone help me with some parts of this or has some idea how
    to make it simpler or a better approach to it?
    Any input is much appreciated!


    Code:
    #!/bin/sh
     
    rm -rf newlastmacs
    touch newlastmacs
     
    # need to define $current_daily_log
    # rotate every day, move old logs to subfolder
     
     
    if [ "`arp -a | grep ' on br0' | cut -d' ' -f4 | tr -d ':'`" != "" ]; then
     
        echo Found active clients.
     
        # write all current macs to file
        arp -a | grep " on br0" | cut -d' ' -f4 | tr -d ':' > /opt/tomato/logmacs/current
     
        currentmacs=`cat /opt/tomato/logmacs/current`
       
        for i in $currentmacs
        do
            # for every current MAC do:
            echo $i Checking
           
            if [ -f /opt/tomato/logmacs/$i ]; then
           
                    #
                    # OLD MAC (has a log)
                    #
                    echo $i has a log
                                               
                           
                            # if MAC is in lastmacs = still active since last check
                                # no update needed
                           
                            # if MAC is NOT in lastmacs = MAC is returning
                                # write CONNECT with timestamp to file
                                # (append with >> so the existing history of a returning MAC is kept)
                                echo "CONNECT,"`date +%d.%m.%Y-%T`","`date +%s` >> /opt/tomato/logmacs/$i
                                #
                                # additionally, append MAC to a daily logfile
                                # (if later on searching for a MAC with given date)
                                # echo $i >> $current_daily_log
                   
                   
            # end of loop for MAC with log
            else
                   
                   
                    #
                    # NEW MAC (no log yet)
                    #
                    echo $i is new
                   
                    # create logfile for new MAC
                    #
                    # maybe get current IP and HOSTNAME and write to log too?
                    #
                    # and write CONNECT|date to it
                    echo "CONNECT,"`date +%d.%m.%Y-%T`","`date +%s` > /opt/tomato/logmacs/$i
                    #
                    # additionally, append MAC to a daily logfile
                    # (if later on searching for a MAC with given date)
                    # echo $i >> $current_daily_log
                   
                   
            # end of loop for MAC without log
            fi
           
           
           
        # end of processing currentmacs
        done
     
       
        # check if lastmacs has content
       
                    # lastmacs has content, then compare against currentmacs
           
                                # MAC is not in currentmacs but in lastmacs = has now disconnected
                                    #
                                    #
                                    # read last line from logfile (must be CONNECT)
                                    # connect_stamp = only third ,data, part (=seconds)
                                    #
                                    # disconnect_stamp = date +%s (=seconds)
                                    #
                                    # duration = difference between connect and disconnect in human readable
                                    #
                                    # write DISCONNECT with current second-timestamp and duration to logfile
                                    #
                                    # echo "DISCONNECT,"`date +%d.%m.%Y-%T`","`date +%s`","$duration" >> /opt/tomato/logmacs/$i
                               
                                # MAC is in both files = still connected
                                        # append MAC to newlastmacs
                   
                    # end of compare macs
       
        # end of lastmac content
       
        # if lastmac has NO content, but we have current clients
        # = everyone is new, already taken care of above
       
        # replace lastmacs with newlastmacs (=every MAC that is still active)
        # rm -rf lastmacs
        # mv newlastmacs lastmacs
        #
       
       
       
    # end of case if there are active clients   
       
    else
     
        #
        # No MACs are currently active and known
        #
        #
        echo No active clients found.
       
                # check if lastmacs exists AND has content = everyone has disconnected
               
                        # for every mac in lastmacs, write to logfile
                                    #
                                    # read last line from logfile (must be CONNECT)
                                    # connect_stamp = only third ,data, part (=seconds)
                                    #
                                    # disconnect_stamp = date +%s (=seconds)
                                    #
                                    # duration = difference between connect and disconnect in human readable
                                    #
                                    # write DISCONNECT with current second-timestamp and duration to logfile
                                    #
                                    # echo "DISCONNECT,"`date +%d.%m.%Y-%T`","`date +%s`","$duration" >> /opt/tomato/logmacs/$i
                       
                        # then delete lastmacs
                        # create empty lastmacs
               
           
                # lastmacs is empty = no new disconnects
                        # nothing to do
       
       
     
     
     
        # end of case if there are no clients
     
    fi
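
Added example, not part of philess's post or any reply in the thread: one polling pass of the logger the post describes, comparing the current ARP table with the previous pass and appending CONNECT/DISCONNECT rows per MAC. The function names, the `.csv` suffix, the UTC timestamps and the sample ARP output are assumptions made for this sketch; it relies on `date -d @EPOCH` (GNU and BusyBox).

```shell
#!/bin/sh
# Added example; names, paths and sample data are assumptions, not the thread's code.

# Print one normalised MAC per line for ARP entries on interface $1.
# The 12-hex-digit filter drops "<incomplete>" entries and guarantees the
# value is safe to use as a file name.
parse_arp() {
    grep " on $1\$" | cut -d' ' -f4 | tr -d ':' | tr 'A-F' 'a-f' |
        grep -E '^[0-9a-f]{12}$' | sort -u
}

# Append one CSV row: EVENT,dd.mm.YYYY-HH:MM:SS (UTC),epoch[,duration_s]
log_row() {    # log_row DIR MAC EVENT EPOCH [DURATION]
    echo "$3,$(date -u -d "@$4" +%d.%m.%Y-%T),$4${5:+,$5}" >> "$1/$2.csv"
}

# One polling pass: current MACs on stdin, previous pass in DIR/lastmacs.
tick() {       # tick DIR EPOCH
    dir=$1; now=$2
    mkdir -p "$dir"; touch "$dir/lastmacs"
    cat > "$dir/current"
    # In current but not in lastmacs: new or returning client.
    while read -r mac; do
        grep -qxF "$mac" "$dir/lastmacs" || log_row "$dir" "$mac" CONNECT "$now"
    done < "$dir/current"
    # In lastmacs but not in current: client has disconnected.
    while read -r mac; do
        grep -qxF "$mac" "$dir/current" && continue
        start=$(tail -n 1 "$dir/$mac.csv" 2>/dev/null | cut -d, -f3)
        [ -n "$start" ] || start=$now      # log was rotated or removed
        log_row "$dir" "$mac" DISCONNECT "$now" "$((now - start))"
    done < "$dir/lastmacs"
    mv "$dir/current" "$dir/lastmacs"
}

# Constructed sample of `arp -a` output (not captured from a real router).
SAMPLE='? (192.168.2.10) at 00:11:22:AA:BB:CC [ether]  on br1
? (192.168.2.11) at <incomplete>  on br1
? (192.168.1.5) at 00:11:22:33:44:55 [ether]  on br0'

# Scheduler entry on the router would look like (directory is an assumption):
#   arp -a | parse_arp br1 | tick /opt/tomato/logmacs "$(date +%s)"
```

With a 5-minute schedule the recorded duration is accurate only to the polling interval, and a client whose ARP entry expires while idle is logged as disconnected.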
     
  2. ryzhov_al

    ryzhov_al Networkin' Nut Member

    Hi, philess!
    Feel free to ask for new packages. Arpwatch has been added; please provide feedback.

    Don't forget to check the listening interface in /opt/etc/init.d/S04arpwatch.

    Regards, Alexander Ryzhov.
     
    philess likes this.
  3. philess

    philess Networkin' Nut Member

    Amazing!! Thank you so much! I will play around with it the next few days, seems to be working fine so far :)
     
  4. Victek

    Victek Network Guru Member

    Why don't you use Tomato RAF with Captive Portal and look at the var/log/acces.log created by NoCat... you have MAC and timestamp... then you can transfer it to any PC by log register...?
     
    philess likes this.
  5. philess

    philess Networkin' Nut Member

    Oh nice! I didn't know NoCat did such a log. Gotta look for it now. Thanks Vic!

    Btw, the NoCat in R1.1 and R1.1f did not seem stable to me. Even with a fresh flash
    and nothing except WAN (DHCP) configured, as soon as I connected to the NoCat and
    tapped on I AGREE, only very few websites worked randomly and the router rebooted
    within <5 minutes after connect. But syslog didn't show anything about it. Weird.
    Will try again the next few days.
     
  6. Victek

    Victek Network Guru Member

    Sorry philess, which router model do you have? In any case... we are finishing Nodog (a more stable Captive Portal) and the reboot issues were caused by iptables 'sorting' when other mods have been created in Tomato. As I said to Elfew, iptables starts to be a problem in Tomato....
     
  7. philess

    philess Networkin' Nut Member

    Tests the last few days for NoCat were on a RT-N16 and E4200v1.
    Yeah, I had a feeling it was related to iptables. But I don't think I
    can fix it myself. I think for now the person who will receive the
    RT-N16 has to live without NoCat/Dog/Mouse, for now. But
    everything else works flawlessly. Very happy with all your builds,
    and no need to even try any others hehe.
     
  8. philess

    philess Networkin' Nut Member

    Unfortunately it seems that the version in Entware now does not support the -s parameter to execute
    a script on events like new MAC discovered etc., so it doesn't help me in this case. Back to doing it myself somehow.
     
  9. Elfew

    Elfew Addicted to LI Member

    Iptables is a nightmare in Tomato... I hope that Victek or other developers could fix this problem and sort it out.
     
