For most of us WEP encryption has become a joke. WPA is quickly going the same way thanks to many tools such as Aircrack-ng. On top of this, wired networks are no strangers to unwanted guests as well. Anyone serious about security should have a good Intrusion Detection system in their toolbox.
There are already some very good IDS’s (Intrusion Detection Systems) available. Why would anyone want to re-invent the wheel in Bash??? There are a couple of reasons for this. Obviously Bash scripts can be very light weight. Especially compared to some of the GUI programs that are out there. While programs like Etherape suck us in with pretty colors, they require constant monitoring to know when the network has changed. If you are like most of us, you only use the computer for two things, work and play. By using the system bell to alert for new clients online you can leave this script running and not have to have a constant watch. If you do decide you want to inspect what a suspicious client is doing more closely, you can always open up etherape, wireshark, or your tool of choice. But until you have a problem you can play or work on other things.
Another bonus to this program is that it will only show ip addresses on the networks connected to your computer. If you were hosting a busy server or perhaps downloading the latest Linux distro though a torrent client, an IDS may be flooded with connections. Looking for a new malicious client can be like looking for a needle in a hay stack. While this script may seem simple compared to other IDS’s, simplicity can have its perks too.
What you will need
Nmap is required for this script to work. We will not be doing any port scanning. However, to make this script fast we needed something better than a regular ping. Nmap’s -sP parameter will only use a ping scan to check if a clients up. There were some variations in how Nmap outputs information between versions. So far this script has only been tested using Nmap 5.00 (Debian Squeeze) and 5.21 (Debian Sid). You may have luck with other distros and versions of Nmap. However, with all the possibilities I could only support a couple at this time.