DEV Community: Harshwardhan S. Ranvir The latest articles on DEV Community by Harshwardhan S. Ranvir (@harshwardhan_ranvir). https://dev.to/harshwardhan_ranvir https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3980920%2F5fd53aa7-778f-46ca-8c91-bcefb6e5b245.jpg DEV Community: Harshwardhan S. Ranvir https://dev.to/harshwardhan_ranvir en CERBERUS: I Built a Network Sentinel Because My Router Wasn't Enough Harshwardhan S. Ranvir Fri, 12 Jun 2026 10:31:32 +0000 https://dev.to/harshwardhan_ranvir/cerberus-i-built-a-network-sentinel-because-my-router-wasnt-enough-5bmg https://dev.to/harshwardhan_ranvir/cerberus-i-built-a-network-sentinel-because-my-router-wasnt-enough-5bmg <p><em>A deep dive into building a Python-based network surveillance tool with Scapy, automatic router detection, and a two-phase watch system.</em></p> <p>Most people never think about what's actually on their home network. The router has a device list somewhere behind three login screens and a UI that looks like it was designed in 2009. You check it once, forget about it, and move on.</p> <p>That's not good enough.</p> <p>I wanted to know my network — not by logging into the router every time, but through automation. A tool that runs, learns what's supposed to be there, and then tells me when something isn't. So I built CERBERUS.</p> <p>This post covers what it does, how every component works, the engineering decisions behind it, and what I actually learned building it — including the parts that were genuinely difficult.</p> <h2> What CERBERUS Does </h2> <p>CERBERUS is a Python-based network sentinel. It scans your local network using ARP, learns which devices are trusted, and runs a continuous surveillance loop that alerts you when something unknown shows up.</p> <p><strong>Feature list:</strong></p> <ul> <li>Automatic router and subnet detection (no manual config)</li> <li>ARP-based device discovery with wake-up broadcast</li> <li>Two-phase operation: Learning Mode → Surveillance Mode</li> <li>Unknown device alerts with CRITICAL log entries</li> <li>Structured file + console logging (reusable module)</li> <li>Auto-generated <code>known_devices.json</code> and <code>cerberus.log</code> </li> <li>Windows Npcap auto-installer</li> <li>Cross-platform: Linux, macOS, Windows</li> </ul> <p><strong>What it does NOT do (...yet):</strong></p> <ul> <li>No port scanning (that's CERBERUS v2)</li> <li>Won't detect devices that block ARP responses entirely</li> <li>No persistent background daemon — runs in terminal</li> <li>No push/email alerts, just logged output</li> </ul> <h2> Architecture: Four Modules, One Purpose </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>cerberus/ ├── cerberus_scan.py # Main orchestrator ├── cerberus_logger.py # Reusable logging setup ├── router_detector.py # Network auto-configuration ├── npcap_installer.py # Windows Npcap helper ├── known_devices.json # Auto-generated trusted list └── cerberus.log # Auto-generated activity log </code></pre> </div> <p>The design is intentionally modular. Each file has one job. <code>cerberus_scan.py</code> orchestrates everything but doesn't do the heavy lifting itself — it delegates to the other modules and handles the main execution flow.</p> <p>The two auto-generated files (<code>known_devices.json</code> and <code>cerberus.log</code>) are created at runtime. You don't set them up. CERBERUS creates them when it first runs.</p> <blockquote> <p><strong>Security note:</strong> <code>known_devices.json</code> stores MAC addresses of your trusted devices.</p> </blockquote> <h2> Deep Dive: How Each Component Works </h2> <h3> 1. Router Detection — <code>router_detector.py</code> </h3> <p>Before scanning anything, CERBERUS needs to know what network to scan. This is where most tools either require manual configuration or make a dumb assumption. CERBERUS tries to be smarter.</p> <p>The <code>RouterDetector</code> class uses Python's <code>netifaces</code> library to query the system's default gateway:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">gateways</span> <span class="o">=</span> <span class="n">netifaces</span><span class="p">.</span><span class="nf">gateways</span><span class="p">()</span> <span class="n">gateway_ip</span><span class="p">,</span> <span class="n">interface</span> <span class="o">=</span> <span class="n">gateways</span><span class="p">[</span><span class="sh">'</span><span class="s">default</span><span class="sh">'</span><span class="p">][</span><span class="n">netifaces</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">][:</span><span class="mi">2</span><span class="p">]</span> </code></pre> </div> <p>Once it has the interface, it fetches the actual subnet mask:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">addrs</span> <span class="o">=</span> <span class="n">netifaces</span><span class="p">.</span><span class="nf">ifaddresses</span><span class="p">(</span><span class="n">interface</span><span class="p">)</span> <span class="n">netmask</span> <span class="o">=</span> <span class="n">addrs</span><span class="p">[</span><span class="n">netifaces</span><span class="p">.</span><span class="n">AF_INET</span><span class="p">][</span><span class="mi">0</span><span class="p">][</span><span class="sh">'</span><span class="s">netmask</span><span class="sh">'</span><span class="p">]</span> <span class="n">cidr</span> <span class="o">=</span> <span class="nf">sum</span><span class="p">(</span><span class="nf">bin</span><span class="p">(</span><span class="nf">int</span><span class="p">(</span><span class="n">x</span><span class="p">)).</span><span class="nf">count</span><span class="p">(</span><span class="sh">'</span><span class="s">1</span><span class="sh">'</span><span class="p">)</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">netmask</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">))</span> <span class="n">network_address</span> <span class="o">=</span> <span class="sa">f</span><span class="sh">"</span><span class="si">{</span><span class="n">network_addr</span><span class="si">}</span><span class="s">/</span><span class="si">{</span><span class="n">cidr</span><span class="si">}</span><span class="sh">"</span> </code></pre> </div> <p>This gives you the correct CIDR notation — say, <code>192.168.1.0/24</code> or <code>10.0.0.0/22</code> — based on your actual network, not a guess.</p> <p><strong>The fallback:</strong> If subnet mask detection fails (some systems don't return this reliably), CERBERUS falls back to a <code>/24</code> assumption:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">network_base</span> <span class="o">=</span> <span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">router_ip</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">)[:</span><span class="o">-</span><span class="mi">1</span><span class="p">])</span> <span class="o">+</span> <span class="sh">'</span><span class="s">.0/24</span><span class="sh">'</span> <span class="n">TARGET_NETWORK</span> <span class="o">=</span> <span class="n">network_base</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Using default /24 network assumption: </span><span class="si">{</span><span class="n">TARGET_NETWORK</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>This covers the vast majority of home networks. If your network is different, you'll see the warning and can hardcode <code>TARGET_NETWORK</code> in the config section of <code>cerberus_scan.py</code>. It's a practical trade-off — automatic detection works 95% of the time, and the fallback handles the rest without crashing.</p> <h3> 2. ARP Scanning — The Core of CERBERUS </h3> <p>ARP (Address Resolution Protocol) is how devices on a network map IP addresses to MAC addresses. It's stateless, has no authentication, and every device on your network responds to it. That makes it ideal for discovery.</p> <p>CERBERUS builds a broadcast ARP request using Scapy:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">arp_request</span> <span class="o">=</span> <span class="nc">ARP</span><span class="p">(</span><span class="n">pdst</span><span class="o">=</span><span class="n">TARGET_NETWORK</span><span class="p">)</span> <span class="n">ether_frame</span> <span class="o">=</span> <span class="nc">Ether</span><span class="p">(</span><span class="n">dst</span><span class="o">=</span><span class="sh">"</span><span class="s">ff:ff:ff:ff:ff:ff</span><span class="sh">"</span><span class="p">)</span> <span class="n">packet</span> <span class="o">=</span> <span class="n">ether_frame</span> <span class="o">/</span> <span class="n">arp_request</span> <span class="n">answered_list</span> <span class="o">=</span> <span class="nf">srp</span><span class="p">(</span><span class="n">packet</span><span class="p">,</span> <span class="n">timeout</span><span class="o">=</span><span class="mi">3</span><span class="p">,</span> <span class="n">verbose</span><span class="o">=</span><span class="mi">0</span><span class="p">)[</span><span class="mi">0</span><span class="p">]</span> <span class="n">clients</span> <span class="o">=</span> <span class="p">[]</span> <span class="k">for</span> <span class="n">sent</span><span class="p">,</span> <span class="n">received</span> <span class="ow">in</span> <span class="n">answered_list</span><span class="p">:</span> <span class="n">clients</span><span class="p">.</span><span class="nf">append</span><span class="p">({</span><span class="sh">"</span><span class="s">ip</span><span class="sh">"</span><span class="p">:</span> <span class="n">received</span><span class="p">.</span><span class="n">psrc</span><span class="p">,</span> <span class="sh">"</span><span class="s">mac</span><span class="sh">"</span><span class="p">:</span> <span class="n">received</span><span class="p">.</span><span class="n">hwsrc</span><span class="p">})</span> </code></pre> </div> <p><code>ARP(pdst=TARGET_NETWORK)</code> creates an ARP request asking "who has every IP in this range?"</p> <p><code>Ether(dst="ff:ff:ff:ff:ff:ff")</code> wraps it in an Ethernet broadcast frame — every device on the network receives this.</p> <p><code>srp()</code> (send/receive at Layer 2) sends the packet and listens for responses. Whatever responds gets added to the clients list with their IP and MAC.</p> <p><strong>The wake-up call:</strong></p> <p>Before the ARP scan, CERBERUS sends a broadcast ICMP ping:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">broadcast_ip</span> <span class="o">=</span> <span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">.</span><span class="nf">join</span><span class="p">(</span><span class="n">TARGET_NETWORK</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">/</span><span class="sh">'</span><span class="p">)[</span><span class="mi">0</span><span class="p">].</span><span class="nf">split</span><span class="p">(</span><span class="sh">'</span><span class="s">.</span><span class="sh">'</span><span class="p">)[:</span><span class="mi">3</span><span class="p">])</span> <span class="o">+</span> <span class="sh">'</span><span class="s">.255</span><span class="sh">'</span> <span class="nf">send</span><span class="p">(</span><span class="nc">IP</span><span class="p">(</span><span class="n">dst</span><span class="o">=</span><span class="n">broadcast_ip</span><span class="p">)</span><span class="o">/</span><span class="nc">ICMP</span><span class="p">(),</span> <span class="n">verbose</span><span class="o">=</span><span class="mi">0</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </code></pre> </div> <p>Some devices go into a low-power state and take a moment to respond to ARP. The broadcast ping nudges them awake before the scan. It doesn't work on every device — anything that ignores pings or blocks ICMP stays invisible — but it improves discovery rates on typical home networks.</p> <h3> 3. Learning Mode vs Surveillance Mode </h3> <p>This two-phase design is the core logic of CERBERUS.</p> <p><strong>Phase 1 — Learning Mode</strong> (first run only):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">learn_network_mode</span><span class="p">():</span> <span class="n">current_devices</span> <span class="o">=</span> <span class="nf">scan_network</span><span class="p">()</span> <span class="n">known_macs</span> <span class="o">=</span> <span class="p">[</span><span class="n">device</span><span class="p">[</span><span class="sh">"</span><span class="s">mac</span><span class="sh">"</span><span class="p">]</span> <span class="k">for</span> <span class="n">device</span> <span class="ow">in</span> <span class="n">current_devices</span><span class="p">]</span> <span class="nf">save_known_devices</span><span class="p">(</span><span class="n">known_macs</span><span class="p">)</span> <span class="k">return</span> <span class="n">known_macs</span> </code></pre> </div> <p>On first run, there's no <code>known_devices.json</code>. CERBERUS detects this, scans the network, saves every discovered MAC as trusted, and creates the file. No alerts. Everything found in learning mode is considered legitimate.</p> <p><strong>Phase 2 — Surveillance Mode</strong> (every run after):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">surveillance_mode</span><span class="p">(</span><span class="n">known_macs</span><span class="p">):</span> <span class="k">while</span> <span class="bp">True</span><span class="p">:</span> <span class="n">current_devices</span> <span class="o">=</span> <span class="nf">scan_network</span><span class="p">()</span> <span class="k">for</span> <span class="n">device</span> <span class="ow">in</span> <span class="n">current_devices</span><span class="p">:</span> <span class="k">if</span> <span class="n">device</span><span class="p">[</span><span class="sh">"</span><span class="s">mac</span><span class="sh">"</span><span class="p">]</span> <span class="ow">not</span> <span class="ow">in</span> <span class="n">known_macs</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">warning</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Unknown: </span><span class="si">{</span><span class="n">device</span><span class="p">[</span><span class="sh">'</span><span class="s">ip</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="s"> - </span><span class="si">{</span><span class="n">device</span><span class="p">[</span><span class="sh">'</span><span class="s">mac</span><span class="sh">'</span><span class="p">]</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="k">if</span> <span class="n">unknown_devices</span><span class="p">:</span> <span class="n">logger</span><span class="p">.</span><span class="nf">critical</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">ALERT: </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">unknown_devices</span><span class="p">)</span><span class="si">}</span><span class="s"> intruder(s) detected!</span><span class="sh">"</span><span class="p">)</span> <span class="n">time</span><span class="p">.</span><span class="nf">sleep</span><span class="p">(</span><span class="n">SCAN_INTERVAL</span><span class="p">)</span> </code></pre> </div> <p>Every 60 seconds (configurable), CERBERUS scans, loads the trusted MAC list, and compares. Any MAC not in the trusted list triggers a <code>WARNING</code>. If unknown devices are found, <code>CRITICAL</code> level alerts fire for each one.</p> <p>The loop runs until <code>Ctrl+C</code>. No scan limit. CERBERUS watches until you tell it to stop.</p> <p><strong>Why MAC addresses and not IPs?</strong></p> <p>IP addresses change. Devices get new IPs via DHCP on every reconnect. MAC addresses are hardware identifiers — they're stable. Tracking by MAC means a device can reconnect on a different IP and CERBERUS still recognizes it.</p> <h3> 4. The Logging Module — <code>cerberus_logger.py</code> </h3> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="k">def</span> <span class="nf">setup_logging</span><span class="p">(</span><span class="n">log_file</span><span class="o">=</span><span class="sh">"</span><span class="s">cerberus.log</span><span class="sh">"</span><span class="p">,</span> <span class="n">level</span><span class="o">=</span><span class="sh">"</span><span class="s">INFO</span><span class="sh">"</span><span class="p">,</span> <span class="n">silent_mode</span><span class="o">=</span><span class="bp">False</span><span class="p">):</span> <span class="n">formatter</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">Formatter</span><span class="p">(</span> <span class="sh">"</span><span class="s">%(asctime)s - %(name)s - %(levelname)s - %(message)s</span><span class="sh">"</span><span class="p">,</span> <span class="n">datefmt</span><span class="o">=</span><span class="sh">"</span><span class="s">%Y-%m-%d %H-%M-%S</span><span class="sh">"</span> <span class="p">)</span> <span class="c1"># Always writes to file </span> <span class="n">file_handler</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">FileHandler</span><span class="p">(</span><span class="n">log_file</span><span class="p">,</span> <span class="n">mode</span><span class="o">=</span><span class="sh">"</span><span class="s">a</span><span class="sh">"</span><span class="p">,</span> <span class="n">encoding</span><span class="o">=</span><span class="sh">"</span><span class="s">utf-8</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># Console output optional </span> <span class="k">if</span> <span class="ow">not</span> <span class="n">silent_mode</span><span class="p">:</span> <span class="n">console_handler</span> <span class="o">=</span> <span class="n">logging</span><span class="p">.</span><span class="nc">StreamHandler</span><span class="p">(</span><span class="n">sys</span><span class="p">.</span><span class="n">stdout</span><span class="p">)</span> </code></pre> </div> <p>I built this as a separate module for a reason: I'll use it in future projects. Same interface, drop it in, configure the log file name and level. No rewriting.</p> <p>Key behaviors:</p> <ul> <li>Always appends to file — you don't lose previous scan history</li> <li>Console output is optional via <code>silent_mode=True</code> </li> <li>Five log levels available: DEBUG, INFO, WARNING, ERROR, CRITICAL</li> <li>Millisecond-precision timestamps on every entry</li> </ul> <p>CERBERUS uses WARNING for unknown devices and CRITICAL for confirmed intruder alerts. The distinction matters when parsing logs programmatically.</p> <h3> 5. Windows Npcap Auto-Installer — <code>npcap_installer.py</code> </h3> <p>Windows doesn't give raw socket access out of the box. Scapy needs Npcap (a packet capture driver) to function on Windows. Without it, nothing works.</p> <p>Most tools say "install Npcap manually" and leave you to figure it out. I didn't want that. The auto-installer handles it:</p> <ol> <li> <strong>Check if already installed</strong> — registry lookup + file system check + live Scapy test</li> <li> <strong>If not found</strong> — offer options: auto-install, manual install, or skip</li> <li> <strong>Auto-install path</strong> — downloads installer, runs silent install with these flags: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight conf"><code>/<span class="n">S</span> <span class="c"># Silent mode, no GUI </span><span class="n">winpcap_mode</span>=<span class="n">yes</span> <span class="c"># WinPcap API compatibility </span><span class="n">loopback_support</span>=<span class="n">yes</span> <span class="c"># Capture localhost traffic </span><span class="n">admin_only</span>=<span class="n">no</span> <span class="c"># Allow non-admin capture </span></code></pre> </div> <p>The version is currently hardcoded to Npcap 1.79. It'll work fine for the foreseeable future — Npcap doesn't have breaking releases frequently — but it's something to revisit in v2.</p> <p>This module ended up being more code than the scanner itself. Building it taught me more about Windows internals than I expected: registry access with <code>winreg</code>, process management with <code>subprocess</code>, installer flags, and the gap between "it works on my machine" and "it works on someone else's machine."</p> <h2> Sample Output </h2> <p><strong>Learning Mode (first run):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>================================================== PROJECT CERBERUS: The Network Sentinel ================================================== ✔️ Network detected: 192.168.1.0/24 Router: 192.168.1.1 Your IP: 192.168.1.x Interface: wlan0 -------------------------------------------------- No known devices file found. Starting learning mode... Scanning 192.168.1.0/24... Found 5 devices. Learned 5 devices. They are now trusted. </code></pre> </div> <p><strong>Surveillance Mode — clean scan:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>------------------------- Scan 1 ------------------------- Scanning 192.168.1.0/24... Found 5 devices. All devices are trusted. </code></pre> </div> <p><strong>Surveillance Mode — intruder detected:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>------------------------- Scan 4 ------------------------- Scanning 192.168.1.0/24... Found 6 devices. WARNING - Unknown: 192.168.1.108 - xx:xx:xx:xx:xx:xx CRITICAL - ALERT: 1 intruder(s) device detected! CRITICAL - INTRUDER: 192.168.1.108 - xx:xx:xx:xx:xx:xx </code></pre> </div> <p><em>For security reasons i'm not putting the original terminal outputs here.</em></p> <h2> Key Engineering Decisions </h2> <p><strong>Why Scapy over <code>subprocess</code> + system <code>arp</code>?</strong></p> <p>The alternative was calling <code>arp -a</code> via subprocess and parsing text output. That breaks when output format changes across OS versions (and it does). Scapy gives you structured data directly, cross-platform control, and fine-grained timeout/retry configuration. The learning curve is steeper, but you're not writing a brittle text parser.</p> <p><strong>Why JSON for device storage?</strong></p> <p>No database overhead for a list of MAC addresses that'll never exceed 50 entries on a home network. JSON is human-readable, directly editable, and parseable without any dependencies. If you want to add a device manually or remove one, open the file and edit it. Simple.</p> <p><strong>Why 60-second scan intervals?</strong></p> <p>30 seconds felt aggressive for passive home network monitoring — unnecessary traffic and CPU overhead. 120 seconds means an intruder goes unnoticed for two minutes. 60 is the balance. It's also directly configurable: change <code>SCAN_INTERVAL</code> in <code>cerberus_scan.py</code>.</p> <p><strong>Why separate the logging module?</strong></p> <p>Reusability. <code>cerberus_logger.py</code> has no CERBERUS-specific logic. It's a clean logging setup function. I'll drop it into the next project without touching it.</p> <h2> What I Actually Learned </h2> <p><strong>1. Scapy's documentation is scattered</strong></p> <p>Most tutorials cover sending a single ping. Understanding <code>srp()</code> (Layer 2 send/receive) versus <code>sr()</code> (Layer 3) took actual time — reading source code, not just docs. There's no single good resource that covers it end-to-end. You have to piece it together.</p> <p><strong>2. ARP is stateless. That's the attack surface.</strong></p> <p>Building this made the theory real. ARP has no authentication. Any device can respond to any ARP request, including one it didn't ask for — that's how ARP spoofing works. I understood this conceptually before. After building CERBERUS, I understood it practically.</p> <p><strong>3. Device discovery is harder than it looks</strong></p> <p>Not all devices respond to ARP every time. Sleeping devices, aggressively firewalled devices, some IoT hardware — they don't always reply. The wake-up broadcast ping helps, but it's not a complete solution. This is the core limitation that's driving CERBERUS v2: multiple discovery methods, not just ARP.</p> <p><strong>4. Windows is a different world for networking</strong></p> <p>Linux gives you raw socket access with <code>sudo</code>. Windows gates it behind a kernel driver (Npcap). Building the auto-installer taught me about Windows registry interaction, silent installer flags, and the difference between making a tool that works on your development machine versus one that someone else can actually run.</p> <p><strong>5. AI helped with syntax. Debugging was still mine.</strong></p> <p>I used AI assistance for Scapy syntax and parts of the Npcap implementation. But when something failed — wrong subnet detection, missed devices, logging output inconsistencies — figuring out why required reading logs, testing across configurations, and sometimes reading library source code. AI accelerates. It doesn't replace the diagnostic work.</p> <h2> Limitations and CERBERUS v2 </h2> <p><strong>What v1 doesn't solve:</strong></p> <ul> <li>Devices that don't respond to ARP stay invisible</li> <li>No port/service fingerprinting — you see a device, not what it's running</li> <li>No persistent daemon — closes when terminal closes</li> <li>No alerting beyond log output (no email, no webhook, no SMS)</li> <li>Npcap version hardcoded on Windows</li> </ul> <p><strong>What CERBERUS v2 is adding:</strong></p> <ul> <li>Docker containerization — runs anywhere, including Raspberry Pi</li> <li>Nmap integration for port scanning and service detection</li> <li>Multiple discovery methods (not just ARP)</li> <li>SQLite for persistent device history</li> <li>REST API for status queries</li> <li>Webhook/email notifications</li> <li>Smarter intruder classification</li> </ul> <p>v2 is in active development.</p> <h2> Quick Start </h2> <p><strong>Prerequisites:</strong></p> <ul> <li>Python 3.7+</li> <li>Linux/macOS: run with <code>sudo</code> (raw packet access requires root)</li> <li>Windows: run as Administrator (auto-installer handles Npcap) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/Ranvir2028/Cerberus-The-Network-Sentinel.git <span class="nb">cd </span>Cerberus-The-Network-Sentinel pip <span class="nb">install</span> <span class="nt">-r</span> requirements.txt </code></pre> </div> <p><strong>Run:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Linux/macOS</span> <span class="nb">sudo </span>python3 cerberus_scan.py <span class="c"># Windows (Administrator terminal)</span> python cerberus_scan.py </code></pre> </div> <p>First run enters learning mode automatically. Every run after that is surveillance.</p> <p><strong>Dependencies</strong> (from <code>requirements.txt</code>):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight properties"><code><span class="py">scapy</span><span class="p">=</span><span class="s">=2.6.1</span> <span class="py">netifaces-plus</span><span class="p">=</span><span class="s">=0.12.5</span> <span class="py">requests</span><span class="p">=</span><span class="s">=2.32.5</span> <span class="py">colorama</span><span class="p">=</span><span class="s">=0.4.6</span> </code></pre> </div> <h2> Security Note </h2> <p>Only use CERBERUS on networks you own or have explicit permission to monitor. ARP scanning sends packets to every IP in your network range. On a network you don't own, that's unauthorized network activity.</p> <h2> What's Next </h2> <p>CERBERUS v2 is being built now. The goal is a containerized network sentinel that runs continuously on a home server or Raspberry Pi, scans with multiple discovery methods, and notifies you without you having to watch a terminal.</p> <p>The v1 code is on GitHub named <em>Cerberus: The Network Sentinel</em>. Read it, break it, use it to understand ARP scanning.</p> <p><strong>GitHub:</strong> <a href="https://github.com/Ranvir2028/Cerberus-The-Network-Sentinel" rel="noopener noreferrer">github.com/Ranvir2028/Cerberus-The-Network-Sentinel</a></p> <p><strong>LinkedIn:</strong> <a href="https://www.linkedin.com/in/harshwardhan-s-ranvir-20a328378/" rel="noopener noreferrer">linkedin.com/in/harshwardhan-s-ranvir-20a328378</a></p> python security networking beginners