Good post, but is pinging the broadcast address really "passive network surveillance"? My definition of "passive" involves never sending new network traffic.
Yes, this is definitely an active scan. However, hooking into DHCP syslogs would still be passive. It's nice that the author provided an active alternative in cases where you might not have access to the DHCP logs.
This has the problem that most phone devices do not reply to ping; that's why software like fing[1] needs to send an ARP to each IP in the network space; every client in the network is required to answer those.
There is code in there to pull the ARP table and use that, but it's commented out because I never found a good way of determining how long things stay in the ARP cache. Since we don't know how long they stay in there, you would lose all of the "xxx left the network" notices, so we made that trade-off.
It really kills me that something this small requires Redis. I don't want to have to install Redis on an rpi just so that it can monitor the network with a small script. Why not just use a Ruby-native data structure and store results in memory?
The reason that I used redis here is because I wanted it to work even if you scheduled the thing in cron, or have it work when you restarted the process and not give any false messages. Also, putting things in redis makes it easier to integrate it with something else, e.g. a UI, without really having to tool anything.
But yes, at this point it doesn't really need to use redis and if you don't already have a redis-server running it's a bit of unnecessary work to get the proof of concept working.
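The passive DHCP-syslog approach suggested above, combined with the in-memory data structure asked for in place of Redis, as an added example that is not the project's own code: the log lines are constructed, the dnsmasq-style DHCPACK format and the one-hour lease length are assumptions, and "left" is inferred from a client failing to renew within its lease rather than from an ARP cache whose lifetime is unknown.

```ruby
require 'time'

# Constructed dnsmasq-style syslog lines (no real hosts); assumed format:
# "<ts> <host> dnsmasq-dhcp[pid]: DHCPACK(iface) <ip> <mac> <hostname>"
SAMPLE_LOG = <<~LOG
  Mar  1 08:00:00 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.20 aa:bb:cc:dd:ee:01 phone
  Mar  1 08:00:05 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.21 aa:bb:cc:dd:ee:02 laptop
  Mar  1 08:30:00 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.21 aa:bb:cc:dd:ee:02 laptop
LOG

ACK_RE = /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dnsmasq-dhcp\[\d+\]: DHCPACK\(\S+\) (\S+) ([0-9a-f:]{17}) ?(\S*)/

# Presence tracker fed from DHCPACK lines only (no packets sent).
# A client counts as gone once it has not renewed within lease_seconds.
class DhcpPresence
  def initialize(lease_seconds:, year: Time.now.year)
    @lease = lease_seconds
    @year = year          # syslog timestamps carry no year
    @last_seen = {}       # mac => [Time of last ACK, hostname]
  end

  # Ingest one syslog line; returns a :joined event for a new MAC, else nil.
  def ingest(line)
    m = ACK_RE.match(line) or return nil
    ts = Time.strptime("#{@year} #{m[1].squeeze(' ')}", '%Y %b %d %H:%M:%S')
    mac, host = m[3], m[4]
    first = !@last_seen.key?(mac)
    @last_seen[mac] = [ts, host]
    first ? { event: :joined, mac: mac, host: host, at: ts } : nil
  end

  # Drop clients whose lease would have lapsed by `now`; returns :left events.
  def sweep(now)
    gone = @last_seen.select { |_, (seen, _)| now - seen > @lease }
    gone.each_key { |mac| @last_seen.delete(mac) }
    gone.map { |mac, (seen, host)| { event: :left, mac: mac, host: host, last_seen: seen } }
  end

  def present
    @last_seen.keys
  end
end

if $PROGRAM_NAME == __FILE__
  tracker = DhcpPresence.new(lease_seconds: 3600, year: 2024)
  SAMPLE_LOG.each_line { |l| (e = tracker.ingest(l)) && puts(e) }
  tracker.sweep(Time.new(2024, 3, 1, 9, 15, 0)).each { |e| puts e }
end
```

In a cron-driven setup the state in `@last_seen` is lost between runs, which is exactly the gap Redis fills in the original; a long-running process reading the syslog tail avoids that without it.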
Just tried it out on our LAN. Had to modify options to ping to '-bc 4' (I'm on desktop Linux), still didn't work. The only host that responded was the gateway. We have Windows, Debian, Ubuntu and Arch Linux hosts on our network.
EDIT: Linux discards normal broadcast ICMP responses. Must switch off /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts. Even after doing so, no responses. I guess broadcast ping flood is such a serious DoS concern that it's almost universally disabled.
Yes: you would need to change /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts on every Linux device on your network. Which has the nice effect that this "tracking" becomes opt-in :-).
Meanwhile, my employer uses a non-Microsoftly-inconvenient authentication to get onto their WiFi, so I've never bothered to attach the smart phone they assigned me to their WiFi, since I've got access to bigger screens for network activities when I'm there.