Passive DHCP

It would be hugely beneficial to enable DHCP in ‘listening’ mode only, so server can discover the names attached to MAC addresses in DHCPDISCOVER. It is known feature for some enterprise networking products called DHCP fingerprinting. As DHCPDISCOVER broadcast packet contains OS information as well. (Where another pie-chart for OSes could be later added)

This will save the folks with home routers that does not allow disabling DHCP, or simply don’t want to change their existing DHCP settings.

This request is the same as Passively Discover Hostnames through DHCP but it was closed long ago without clear explanation.

It was closed due to 6 months of inactivity.

Scroll that page down. After the last post you will see the reason:

image1049×234 10.9 KB

I fully aware of that!
I meant it was left without further comment, neither dropped nor planned.

Up!

Keep alive!

I think you need to submit this to the developer of DNSmasqd in order for FTLDNS to support it ?!

However…

IMHO you simply always need to have your own Router in order to benefit from Pi-Hole without having to jump through all kinds of hoops all the time

• OPNsense/OpenWRT/pfSense/DIY nftables + everything else in a random Linux distro/etc.
• A nice and simple DrayTek Router in case you are on a xDSL connection.

And if you are not on a Fiber or xDSL connection then ask your Cable ISP to put their Router in Bridged Mode and then add your own Router after theirs

WOW! What an unrelated answer!
Anyway, I’m by no means a programmer, however, AI gave me the following Python code, which needs an API key from FingerBank, the user should add the their own key to Pi-Hole.
It is relatively short, and I'm sure developers would optimize it. Give it a shot!
Note: Pi-Hole's vNIC must be in promiscuous mode.
Also, this function should be disabled if Pi-Hole DHCP server is active.

Good Article: https://www.yumpu.com/en/document/view/6050486

import requests
from scapy.all import sniff, DHCP, Ether

# Configuration

API_KEY = "YOUR_FINGERBANK_API_KEY"
API_URL = f"https://api.fingerbank.org{API_KEY}"

def get_fingerbank_info(fingerprint, vendor=None):
payload = {"dhcp_fingerprint": fingerprint}
if vendor:
payload["dhcp_vendor"] = vendor

try:
    response = requests.get(API_URL, params=payload)
    if response.status_code == 200:
        data = response.json()
        # The API returns a 'device' object with the best match
        device = data.get('device', {})
        return f"{device.get('name', 'Unknown Device')} (Score: {data.get('score', 0)})"
except Exception as e:
    return f"API Error: {e}"
return "No match found"

def handle_packet(packet):
if DHCP in packet:
options = packet[DHCP].options
# Extract Option 55 (Parameter Request List)
# It is typically a list of integers [1, 3, 6, ...]
fp_list = next((opt[1] for opt in options if opt[0] == 'param_req_list'), None)

    # Extract Option 60 (Vendor Class ID)
    vendor = next((opt[1].decode(errors='ignore') for opt in options if opt[0] == 'vendor_class_id'), None)

    if fp_list:
        # Convert list of ints to a comma-separated string for Fingerbank
        fingerprint = ",".join(map(str, fp_list))
        device_info = get_fingerbank_info(fingerprint, vendor)
        
        mac = packet[Ether].src

# Filter for UDP traffic on port 67 (Server) and 68 (Client)
sniff(filter="udp and (port 67 or 68)", prn=handle_packet, store=0)

It's definitely a 'nice to have feature' to see extra device info in Pi-hole, but keep in mind that Pi-hole is designed to be lightweight, often running on minimal hardware like a Pi Zero.

Constant packet sniffing with Scapy and making external API calls consumes significant CPU and RAM, defeating the 'low-overhead' purpose. On a small Pi, this level of background processing is practically impossible without affecting DNS performance.

If you try running Scapy on a Pi Zero, you'll see it hitting nearly 80% CPU usage just sitting there. Once you add packet filtering and analysis, the Pi will be too busy with device fingerprinting to handle DNS queries efficiently.

If you want more information about devices on your network you might want to take a look at netalertX

I admit this can take its toll on performance, but It can be disabled by default, with a little warning text about the performance penalty.
FingerBank may not be needed, as retrieving option 12 (hostname) would be sufficient.
Again developers will find numerous ways to optimize, starting by using pcapy instead of scapy, I doubt it would even hit 1% extra utilization on Pi Zero.

pcapy is a little bit better, but I just tried it on my spare Pi Zero: it still eats around 43% CPU just sitting there, filtering for Option 12.

In my opinion, it's still not worth the trouble just to get a hostname. Running a Pi-hole at nearly 50% base load just for passive sniffing will inevitably lead to DNS latency issues. For a 'lightweight' project, that’s a massive trade-off for very little gain.

Plus, you can get all this information with nearly overhead by simply using Pi-hole's built-in DHCP server. It captures Option 12 natively and stores it in the lease file without any sniffing required.

If you can't disable DHCP on your ISP's router, just adding a cheapo $20 switch to create your own sub-network gives you full control over your DHCP traffic. It’s a much more stable and professional way to handle your network than trying to 'sniff' data on a struggling Pi.