[SOLVED] Identifying MAC addresses from ARP packets with tcpdump + live pop-up notification
Hi everyone,
Just wanted to follow up and share how I ended up solving my problem — maybe this helps someone else trying to build something similar.
My goal was to detect connected devices via their MAC addresses on a local Ethernet connection (1:1 or LAN) using tcpdump, and display a notification on-screen every time a new device appears.
🛠 Here's how I did it:
Using tcpdump to monitor MACs
I used sudo tcpdump -i eth0 -e -nn -l to capture raw Ethernet frames. The -e flag includes MAC addresses in the output, and -l makes it line-buffered so I can pipe it.
Extracting MACs with grep + Bash
I wrote a Bash script that continuously extracts MAC addresses using:
grep -Eo '([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'
Then I filtered out multicast and broadcast traffic (like ff:ff:ff:ff:ff:ff, 01:00:5e:*, 33:33:*) and used a seen-list per hour to avoid duplicates.
Logging MACs + Avoiding duplicates
The script logs each new MAC once per hour into a file and avoids re-logging already seen devices. I also added a manual blacklist (stored in a text file) to permanently ignore known MACs.
Displaying a desktop pop-up with Zenity
When a new MAC is detected, a second script gets triggered which shows a Zenity pop-up on the desktop (full screen, with big text), like this:
zenity --info \
--title="![📡]()
New MAC Detected" \
--text="MAC Address:\nAA:BB:CC:DD:EE:FF\nTime: 15:45" \
--width=1920 --height=1080 --timeout=10
Since Zenity needs to run in the GUI context, I had to call it like this:
sudo -u pi DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus bash /home/pi/mac_popup.sh "MAC"
Troubleshooting DISPLAY/DBUS:
The hardest part was getting the pop-up to show automatically from the script. In the end, I had to export the right DISPLAY and DBUS environment values from within the script to make Zenity work under the logged-in user's GUI session.
Bonus: Fullscreen & Logging
I added logging to both scripts so I could see if the popup was called but failed silently. I also used xdpyinfo to dynamically set the popup to full screen based on screen resolution.
Hi everyone,
Just wanted to follow up and share how I ended up solving my problem — maybe this helps someone else trying to build something similar.
My goal was to detect connected devices via their MAC addresses on a local Ethernet connection (1:1 or LAN) using tcpdump, and display a notification on-screen every time a new device appears.
🛠 Here's how I did it:
Using tcpdump to monitor MACs
I used sudo tcpdump -i eth0 -e -nn -l to capture raw Ethernet frames. The -e flag includes MAC addresses in the output, and -l makes it line-buffered so I can pipe it.
Extracting MACs with grep + Bash
I wrote a Bash script that continuously extracts MAC addresses using:
grep -Eo '([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'
Then I filtered out multicast and broadcast traffic (like ff:ff:ff:ff:ff:ff, 01:00:5e:*, 33:33:*) and used a seen-list per hour to avoid duplicates.
Logging MACs + Avoiding duplicates
The script logs each new MAC once per hour into a file and avoids re-logging already seen devices. I also added a manual blacklist (stored in a text file) to permanently ignore known MACs.
Displaying a desktop pop-up with Zenity
When a new MAC is detected, a second script gets triggered which shows a Zenity pop-up on the desktop (full screen, with big text), like this:
zenity --info \
--title="
New MAC Detected" \--text="MAC Address:\nAA:BB:CC:DD:EE:FF\nTime: 15:45" \
--width=1920 --height=1080 --timeout=10
Since Zenity needs to run in the GUI context, I had to call it like this:
sudo -u pi DISPLAY=:0 DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus bash /home/pi/mac_popup.sh "MAC"
Troubleshooting DISPLAY/DBUS:
The hardest part was getting the pop-up to show automatically from the script. In the end, I had to export the right DISPLAY and DBUS environment values from within the script to make Zenity work under the logged-in user's GUI session.
Bonus: Fullscreen & Logging
I added logging to both scripts so I could see if the popup was called but failed silently. I also used xdpyinfo to dynamically set the popup to full screen based on screen resolution.
Statistics: Posted by SIRPSODA — Fri Jun 27, 2025 9:29 am