jokob-sk / NetAlertX

🖧🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
GNU General Public License v3.0

Not all vLANs appear to be getting scanned. #192

Closed TheCableGuy99 closed 1 year ago

TheCableGuy99 commented 1 year ago

Describe the issue

Not all vLANs appear to be getting scanned. I have many and it's working on some, but on others nothing is showing up.

Paste last few lines from pialert.log


[2023-03-09 02:02:38] Last action: internet_IP
[2023-03-09 02:02:38] Process: Wait
[2023-03-09 02:03:38] Process: Start
[2023-03-09 02:03:38] Scan Devices:
    arp-scan start
  Processing scan results
    Devices Detected.......: 41
        arp-scan detected..: 39
        Pi-hole detected...: +0
        New Devices........: 0
    Devices in this cycle..: 41
        Down Alerts........: 0
        New Down Alerts....: 0
        New Connections....: 0
        Disconnections.....: 0
        IP Changes.........: 0
  Updating DB Info
    Sessions Events (connect / discconnect)
    Creating new devices
    Updating Devices Info
        Trying to resolve devices without name
          Pholus entries from prev scans: 78
        Names Found (DiG/Pholus): 0 (0/0)
        Names Not Found         : 30
    Voiding false (ghost) disconnections
    Pairing session events (connection / disconnection) 
    Creating sessions snapshot
    Inserting scan results into Online_History
    Skipping repeated notifications
  Check if something to report
    No changes to report
    Notifications: 0
[2023-03-09 02:05:35] Last action: network_scan
[2023-03-09 02:05:36] Process: Wait
[2023-03-09 02:05:41] Process: Start
[2023-03-09 02:05:41] Check Internet IP:
    Retrieving Internet IP:
      81.150.xxx.xxx
    Retrieving previous IP:
      81.150.xxx.xxx
    No changes to perform
    Skipping Dynamic DNS update
  Check if something to report
    No changes to report
    Notifications: 0
[2023-03-09 02:05:41] Last action: internet_IP
[2023-03-09 02:05:41] Process: Wait
[2023-03-09 02:06:41] Process: Start
[2023-03-09 02:06:41] Process: Wait
[2023-03-09 02:07:41] Process: Start
[2023-03-09 02:07:41] Process: Wait
[2023-03-09 02:08:41] Process: Start
[2023-03-09 02:08:41] Check Internet IP:

# General
#---------------------------
ENABLE_ARPSCAN=True
SCAN_SUBNETS=['192.168.1.0/24 --interface=ovs_bond0','192.168.5.0/24 --vlan=5 --interface=ovs_bond0','192.168.10.0/24 --vlan=10 --interface=ovs_bond0','192.168.15.0/24 --vlan=15 --interface=ovs_bond0','192.168.20.0/24 --vlan=20 --interface=ovs_bond0','192.168.25.0/24 --vlan=25 --interface=ovs_bond0','192.168.30.0/24 --vlan=30 --interface=ovs_bond0','192.168.35.0/24 --vlan=35 --interface=ovs_bond0','192.168.50.0/24 --vlan=50 --interface=ovs_bond0','192.168.200.0/24 --vlan=200 --interface=ovs_bond0']
PRINT_LOG=False
TIMEZONE='Europe/London'
PIALERT_WEB_PROTECTION=False
PIALERT_WEB_PASSWORD='8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'
INCLUDED_SECTIONS=['internet','new_devices','down_devices','events']
SCAN_CYCLE_MINUTES=5
DAYS_TO_KEEP_EVENTS=90
REPORT_DASHBOARD_URL='http://pi.alert/'
DIG_GET_IP_ARG='-4 myip.opendns.com @resolver1.opendns.com'
UI_LANG='English'

# Email
#---------------------------
REPORT_MAIL=False
SMTP_SERVER='smtp.gmail.com'
SMTP_PORT=587
REPORT_TO='user@gmail.com'
REPORT_FROM='Pi.Alert <user@gmail.com>'
SMTP_SKIP_LOGIN=False
SMTP_USER='user@gmail.com'
SMTP_PASS='password'
SMTP_SKIP_TLS=False
SMTP_FORCE_SSL=False

# Webhooks
#---------------------------
REPORT_WEBHOOK=False
WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa'
WEBHOOK_PAYLOAD='json'
WEBHOOK_REQUEST_METHOD='GET'

# Apprise
#---------------------------
REPORT_APPRISE=False
APPRISE_HOST='http://localhost:8000/notify'
APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=apprise&user=user@gmail.com&pass=password&to=user@gmail.com'
APPRISE_PAYLOAD='html'

# NTFY
#---------------------------
REPORT_NTFY=False
NTFY_HOST='https://ntfy.sh'
NTFY_TOPIC='replace_my_secure_topicname_91h889f28'
NTFY_USER='user'
NTFY_PASSWORD='passw0rd'

# PUSHSAFER
#---------------------------
REPORT_PUSHSAFER=False
PUSHSAFER_TOKEN='ApiKey'

# MQTT
#---------------------------
REPORT_MQTT=False
MQTT_BROKER='192.168.1.2'
MQTT_PORT=1883
MQTT_USER='mqtt'
MQTT_PASSWORD='passw0rd'
MQTT_QOS=0
MQTT_DELAY_SEC=2

# DynDNS
#---------------------------
DDNS_ACTIVE=False
DDNS_DOMAIN='your_domain.freeddns.org'
DDNS_USER='dynu_user'
DDNS_PASSWORD='A0000000B0000000C0000000D0000000'
DDNS_UPDATE_URL='https://api.dynu.com/nic/update?'

# PiHole
#---------------------------
PIHOLE_ACTIVE=False
DHCP_ACTIVE=False

# Pholus
#---------------------------
PHOLUS_ACTIVE=True
PHOLUS_TIMEOUT=120
PHOLUS_FORCE=False
PHOLUS_RUN='once'
PHOLUS_RUN_TIMEOUT=600
PHOLUS_RUN_SCHD='0 4 * * *'
PHOLUS_DAYS_DATA=7

# Nmap
#---------------------------
NMAP_ACTIVE=True
NMAP_TIMEOUT=150
NMAP_RUN='schedule'
NMAP_RUN_SCHD='0 2 * * *'
NMAP_ARGS='-p -10000'

# API
#---------------------------
ENABLE_API=False
API_RUN='schedule'
API_RUN_SCHD='*/3 * * * *'
API_RUN_INTERVAL=10
API_CUSTOM_SQL='SELECT * FROM Devices WHERE dev_PresentLastScan = 0'

#-------------------IMPORTANT INFO-------------------#
#   This file is ingested by a python script, so if  #
#        modified it needs to use python syntax      #
#-------------------IMPORTANT INFO-------------------#

Paste your docker-compose.yml and .env (remove personal info)

docker-compose.yml


docker run -d --rm --network=host \
  -v /volume1/docker/pialert/config:/home/pi/pialert/config \
  -v /volume1/docker/pialert/db:/home/pi/pialert/db \
  -v /volume1/docker/pialert/logs:/home/pi/pialert/front/log \
  -e TZ=Europe/London \
  -e PORT=20211 \
  jokobsk/pi.alert:latest

.env


Not sure where to find the .env file? I used task scheduler in Synology NAS to create the Docker container.

Screenshots If applicable, add screenshots to help explain your problem.

jokob-sk commented 1 year ago

Thanks for the detailed description!

I don't see any obvious misconfiguration. I'm not an expert in more advanced network setups, but I'll try to help.

1) Do the vlans that are not scanned correctly have something in common?
2) Can you try disabling Pholus / NMAP scans to see if that makes a difference?
3) Can you try to increase the time between scans by increasing SCAN_CYCLE_MINUTES?
4) Did you check if decreasing the number of vlans makes a difference?
5) Can you check if the vlans causing issues are similarly configured as described here?

TheCableGuy99 commented 1 year ago

Hi Jokob-sk.

I went through the list and still couldn't get it working, and I just got a reply email from a company that does network monitoring software offering me a deal, so I'm going to go with them on this occasion because although it costs, it just works and makes my life easier.

Thanks for the help though.

jokob-sk commented 1 year ago

👍 Thanks for the update

jzawacki commented 1 year ago

I've found the best (and most reliable) method has been to create network interfaces on the docker host and create individual dockers for each VLAN. This allows us to easily keep track of new devices and what VLAN they were found on. It also allows us to customize the SMTP alerts to the VLAN.
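
The per-VLAN layout described in the last comment, as an added example (not code from the thread or from the NetAlertX project). It is a dry run that only prints the host and container commands; it assumes the host can create 802.1Q sub-interfaces with iproute2, and the `vlan<ID>` directories, `pialert-vlan<ID>` container names and port offsets are hypothetical choices.

```shell
#!/bin/sh
# Added illustration: one VLAN sub-interface and one container per VLAN.
# Dry run only: the commands are printed, never executed.

PARENT_IF="ovs_bond0"                # parent interface from the issue's SCAN_SUBNETS
IMAGE="jokobsk/pi.alert:latest"      # image from the issue's docker run
BASE_DIR="/volume1/docker/pialert"   # volume root from the issue's docker run
BASE_PORT=20211                      # PORT from the issue's docker run

# vlan_plan VLAN_ID CIDR INDEX
# Prints the setup for one VLAN. INDEX offsets the web port, because
# containers started with --network=host share the host's port space.
vlan_plan() {
  vid="$1"; cidr="$2"; idx="$3"
  # Accept only digits, then only the usable 802.1Q range (1-4094).
  case "$vid" in
    ''|*[!0-9]*) echo "invalid VLAN id: $vid" >&2; return 1 ;;
  esac
  if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
    echo "VLAN id out of range: $vid" >&2
    return 1
  fi
  ifname="${PARENT_IF}.${vid}"
  dir="${BASE_DIR}/vlan${vid}"       # hypothetical per-VLAN directory
  port=$(( BASE_PORT + idx ))

  echo "ip link add link ${PARENT_IF} name ${ifname} type vlan id ${vid}"
  echo "ip link set ${ifname} up"
  # The kernel tags and untags frames on the sub-interface, so the
  # per-instance scan entry carries no --vlan option.
  echo "# in ${dir}/config: SCAN_SUBNETS=['${cidr} --interface=${ifname}']"
  echo "docker run -d --rm --network=host --name pialert-vlan${vid}" \
       "-v ${dir}/config:/home/pi/pialert/config" \
       "-v ${dir}/db:/home/pi/pialert/db" \
       "-v ${dir}/logs:/home/pi/pialert/front/log" \
       "-e TZ=Europe/London -e PORT=${port} ${IMAGE}"
}

# plan_all VID:CIDR ...   One plan per argument, ports allocated in order.
plan_all() {
  i=0
  for pair in "$@"; do
    vlan_plan "${pair%%:*}" "${pair#*:}" "$i" || return 1
    i=$(( i + 1 ))
  done
}

# Three of the VLANs from the issue's configuration.
plan_all 5:192.168.5.0/24 10:192.168.10.0/24 200:192.168.200.0/24
```

Each instance keeps its own database and notification settings, which is what lets new-device alerts be attributed to a single VLAN.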