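#!/bin/sh
#######################################################################
# The NETMON utility uses arp to monitor mac addresses on the network #
# and compares each against local text-based database to identify new #
# mac addresses. When a new mac address is identified, the utility    #
# sends a text message using the pfSense 'Notifications' feature.     #
#                                                                     #
# Save this file in '/var/netmon/netmon.sh'                           #
# Create file '/var/netmon/ignores.txt' listing ip addresses that get #
# new MAC addresses periodically to avoid false positive alerts       #
# ***IMPORTANT***                                                     #
# First run: from the command line execute:                           #
# /var/netmon/netmon.sh init                                          #
#######################################################################
#
# Usage: netmon.sh [init]
#   init    (re)create mac.db from the current arp table; no alert is sent
#   (none)  compare the arp table against mac.db and alert on new pairs
#
# Files (all under $dir):
#   mac.db          one line per known host: "<ip> <mac> - <timestamp>"
#   ignores.txt     optional; one pattern per line, matched as a grep basic
#                   regex against the raw 'arp -a' line (substring match), so
#                   an entry like 10.0.0.5 also hides 10.0.0.50 unless it is
#                   anchored, e.g. '(10\.0\.0\.5)'
#   netmon.report   rebuilt on every run; sent when non-empty
#   send_report.php pfSense notification helper; must be executable
#
# Note: an ip/mac pair is easy to forge, so this is a change detector for
# the local segment, not proof of a host's identity.

set -u

dir="/var/netmon"            # root directory storing the netmon utility
macdb="$dir/mac.db"          # known hosts, format: "<ip> <mac> - <timestamp>"
ignores="$dir/ignores.txt"   # optional patterns to drop from the arp output
report="$dir/netmon.report"  # report to send via pfSense 'Notifications' feature

#######################################################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################################################
die() {
  printf 'netmon: %s\n' "$*" >&2
  exit 1
}

#######################################################################
# Read 'arp -a' output on stdin, print one "<ip> <mac>" line per entry.
# Only lines that carry a full MAC are printed (-n ... p); entries such
# as "(incomplete)" are dropped instead of being passed through verbatim
# into the database and the report.
#######################################################################
extract_hosts() {
  sed -n -E 's/.*\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\) at ([0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+:[0-9a-f]+).*/\1 \2/p'
}

#######################################################################
# Drop arp lines that match any pattern in the ignores file.
# A missing or empty ignores file passes everything through: grep
# implementations disagree on what an empty pattern file means, and a
# missing file would otherwise fail grep and silently empty the
# pipeline, i.e. no host would ever be reported.
#######################################################################
filter_ignored() {
  if [ -s "$ignores" ]; then
    grep -v -f "$ignores"
  else
    cat
  fi
}

#######################################################################
# Return 0 when the exact "<ip> <mac>" pair is already in mac.db.
# Fields are compared whole rather than as a regex substring, so
# "0:1:2:3:4:5" does not match "0:1:2:3:4:55" and "10.0.0.1" does not
# match "110.0.0.1" (either would have suppressed a genuine alert).
# Arguments: $1 - ip address, $2 - mac address
#######################################################################
db_has_host() {
  awk -v ip="$1" -v mac="$2" \
    '$1 == ip && $2 == mac { found = 1; exit } END { exit !found }' "$macdb"
}

#######################################################################
# Entry point.
# 1. take a single timestamp for this run
# 2. on 'init' truncate mac.db; otherwise refuse to run without it
#    (the old behaviour was a silent no-op with stray grep errors)
# 3. list resolved arp entries, minus ignored ones
# 4. on 'init' record every pair; otherwise record and report unknown pairs
# 5. hand a non-empty report to the pfSense notification helper
# Arguments: $1 - optional mode, "init"
#######################################################################
main() {
  local mode now ip mac
  mode="${1:-}"
  now=$(date +'%Y-%m-%d:%H:%M:%S')

  if [ "$mode" = "init" ]; then
    : > "$macdb"
  elif [ ! -f "$macdb" ]; then
    die "database $macdb not found; run '$0 init' first"
  fi

  rm -f -- "$report"

  # The loop runs in a subshell; nothing it sets is needed afterwards.
  /usr/sbin/arp -a | filter_ignored | extract_hosts |
  while read -r ip mac; do
    [ -n "$mac" ] || continue
    if [ "$mode" = "init" ]; then
      printf '%s %s - %s\n' "$ip" "$mac" "$now" >> "$macdb"
    elif ! db_has_host "$ip" "$mac"; then
      # header only once, when the first unknown pair of this run appears
      [ -f "$report" ] || printf 'New systems on network:\n' > "$report"
      printf ' [%s %s] \n' "$ip" "$mac" >> "$report"
      printf '%s %s - %s\n' "$ip" "$mac" "$now" >> "$macdb"
    fi
  done

  if [ -s "$report" ]; then
    "$dir/send_report.php"
  fi
}

main "$@"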