How to detect an iPhone connecting a network?

Question

I've noticed through watching Wireshark that when an iPhone connects to a wifi network, it sends out a few IGMP/MDNS packets to 224.0.0.251 (LAN broadcast, I think). Is there any easy way to watch for these packets and then either run a script or send an event?

Or, is the best way to just run a packet sniffer? Any simple ones that can send events or execute curl commands when a filter is triggered?

When I run nc -u -l 5353 I get:

My-Name-iPhonelocal???
                            x???)??
                                  ??cc^C

Can I do something like: nc -u -l 5353 | grep iPhonelocal | execute command...

Answer 1

This behaviour is not related to iPhone exclusively. According to RFC 3171, the IP 224.0.0.251 is used for Multicast DNS. The Multicast DNS feature of Bonjour technology allows devices on a local network to connect to each other by name without a separate DNS server.

If you want to detect particular devices on your network, you should use nmap and remote OS detection (OS-Fingerprinting) but that's not 100% accurate.

Answer 2

From your comment:

I'm basically trying to run a script as soon as my iPhone comes within range of my home network to turn a light on. Any ideas? Someone else had suggested using sed.

This sounds like a fun project!

You could do this by polling every 1 or 2 seconds with a ping. It's a bit of a kludge, but the pings will cause negligible overhead.

1. Configure your DHCP server to always hand out the same IP to your iPhone (based on its MAC address)

2. Run a script on your linux computer that attempts to ping that IP every n seconds.

3. Turn your lights on/off based on some simple ping-response criteria

If you had a monitoring application like Zabbix, you could do this really easily. You would set up a ping test for your iPhone, and create a trigger that runs an external script (to turn the light on/off). Zabbix is overkill if this is all you're using it for, but you could come up with some other uses as well, I'm sure. :)

Also, in your script/trigger logic, you should make an attempt to avoid flicker. The light should be switched on as soon as 1 ping gets a response. It should only turn off after pings have gone unresponded for a full 5 minutes. That way, your lights won't be flickering on and off when you have network congestion.

Answer 3

Hehe, OK, I'll bite. Consider doing something like this (I'm being vague, as you'll have to tailor this to the tools you have available):

1. get your iPhone's MAC address
2. run a dhcpd daemon on your *nix box
3. ensure that said server is logging
4. write a [shell / perl / ruby / python] script to monitor that log file and take action on finding a line that matches that MAC address

Off hand, this sounds like an easier approach than attempting to interact with a sniffer in real time (however, maybe snort could be configured to do something like this).

I am, of course, making an assumption that the iPhone will attempt to renew its lease upon every connect.

Best of luck!

Answer 4

A while back I noticed that my firewall kept dropping packets like this, and logging the drops to kern.log. Your post inspired me to whip up a little script to notify me when a certain iPhone connected to my wifi.

#!/bin/bash

if [ "$1" != "ehlo" ]; then
    # If the script is ran, restart with the correct stdin
    tail -Fn 0 /var/log/kern.log | $(readlink -f $0) "ehlo"
    exit 0
fi

lasttime=0

while [ true ]; do
    read derp
    if [ $(echo "$derp" | fgrep -c "0m:ac:ad:dr:es:s0") -gt 0 ];then
        if [ $(($(date +%s)-$lasttime)) -ge 30 ];then
            lasttime=$(date +%s)
            # Pop up an ubuntu notification (requires libnotify-bin)
            notify-send "kern.log" "iPhone has appeared"
        fi
    fi
done

Answer 5

http://www.zeroflux.org/projects/knock

You might be able to setup knockd in someway to respond to the broadcast traffic.

I use port-knocking to protect SSH on some servers. I am sure what you are trying to do isn't covered in any of the examples, but it might be possible.