Search code examples
cnetwork-programmingesp8266arduino-esp8266

Discovering devices on the network

I've got an ESP8266 device, which I'm programming in Arduino/C++.

I'm interested if it's possible to somehow discover the devices which is on the same network as my ESP8266. On laptop I would simply just listen to the ARP broadcasts, but I don't know if it's possible with the ESP8266 SDK (or any other 'hacky' way).

Solution

  • If you are interested in low-level packets, you can indeed hook the in- and output functions of your network interface. It depends on how you want your device-discovering to be done. Should it be

    1. An active ping scan (nmap -sn 192.168.0.0/24)
    2. An active port scan (nmap -sS -p0-65000 192.168.0.0/24)
    3. A passive ARP scan
    4. Combination of all?

    I'll assume you'll go with a passive ARP scan technique.

    What I have already done inside the esp-open-rtos SDK project is to hook the input and output functions of the network interfaces (esp_interface.c, low_level_output() and ethernetif_input()). I also wrote a packet sniffer based on the data you get inside these functions (it writes out a .pcap file in flash). Since the entire lwIP stack is open-source inside esp-open-rtos, hooking into the IP stack (and especially the ARP packet functions, see lwip/src/netif/etharp.c!) is extremely easy and I would recommend using this SDK if you want to get results fast.

    For the properitary Espressif SDK, you can put your ESP into promiscious mode and give it a callback function (a wifi_promiscuous_rx_cb function) for all received packets. You can then analyze these packets as you wish. The important functions are wifi_promiscuous_enable(bool enable) and wifi_set_promiscuous_rx_cb(wifi_promiscuous_rx_cb). These are documented in the officical ESP-RTOS documentation at https://espressif.com/sites/default/files/documentation/20b-esp8266_rtos_sdk_api_reference_v1.4.0_0.pdf (page 72 and 73). However with this SDK you can't hook into its IP stack, so you really have to do packet-analysis up-front.

    Both of these things are hacky, but given the nature of "I want to listen to ARP broadcasts", there is no other way. The other ways may be active ping scanning, for which you'll have to use lwIP in esp-open-rtos or the other espconn functions in the properitary Espressif SDK.