I do a periodic network scan and save the result to a file and to a file-based Node-RED global variable, as well as publishing it to MQTT.
The data can be enriched with some additional information, which I do via a uibuilder page that shows it as a table with some editable fields. So I can add real names and descriptions to the raw MAC and IP addresses, last seen, etc.
It would be easy enough to use something like this to monitor and alert on unknown devices coming onto the network.
I used to use the ARP scan/ping but switched to NMAP because it seems to be a lot more reliable. You have to run it as sudo though; I add it to the sudo crontab and it runs every 15 minutes.
Here is the script:
```bash
#!/usr/bin/env bash
# Fast scan the local network for live devices and record
# to /tmp/nmap.xml which can be used in Node-RED
# To run manually:
#   sudo /home/home/nrmain/system/nmap_scan.sh
# To run via cron:
#   sudo crontab -e
#   01,16,31,46 * * * * /home/home/nrmain/system/nmap_scan.sh

# Run the scan (-sn: host discovery only, no port scan; -oX: XML output)
nmap -sn -oX /tmp/nmap.xml --privileged -R --system-dns --webxml 192.168.1.0/24

# Make sure ownership & ACLs on the output are secure
chown root:home /tmp/nmap.xml
chmod --silent 640 /tmp/nmap.xml

# Trigger the Node-RED update
#curl --silent --output /dev/null 'http://localhost:1880/localnetscan' > /dev/null
#curl --insecure -I 'https://localhost:1880/localnetscan'
curl -I 'http://localhost:1880/localnetscan'
```