
Ivan 'w1ldy0uth' Shurygin

From a Friend's Suggestion to My First Open-Source Tool

A couple of years ago, a friend of mine — half-joking, half-serious — said: "you should write an ARP scanner, it's a good exercise."

I had some Python experience, knew vaguely what ARP was, and had nothing better to do that weekend. So I did it. A single arp.py file using Scapy, broadcasting ARP requests to discover hosts on the local subnet, with a hardcoded /24 CIDR. Rough as it was, it worked — and I felt unreasonably proud of it.

Then I kept going.

The First Burst (2020–2021)

With the ARP scanner done, the next obvious question was: which of these hosts have open ports? So I added a TCP port scanner — another standalone script, ports hardcoded, scanning consecutively. On a range of 1024 ports with a 3-second timeout each, you'd be waiting a while. I also added a simple ICMP pinger around the same time, again as its own file taking a single IP as argument.

By the end of this phase I had three separate scripts that didn't really talk to each other. Functional, but not a tool in any meaningful sense.

The Gap

Then life happened. The scripts sat untouched for about two years. I'd use them occasionally, patch something when it broke, but there was no real forward motion.

The Rework (September 2023)

In September 2023 I decided to take it seriously. The scattered scripts got collapsed into a proper package with a single entrypoint and a CLI argparser. More importantly, I added threading — parallel packet dispatch transformed the port scanner from something painfully slow into something actually usable. You could now set custom timeouts and thread counts from the command line.

This felt like the project crossing a threshold: from a collection of scripts to something that behaved like a real tool.

What sondare does today

sondare is a Python CLI for auditing local networks, built on Scapy. Here's a quick picture of what it covers:

Scanning:

sudo sondare arp                               # discover all hosts on the subnet
sudo sondare ping                              # ICMP sweep
sudo sondare tcp --target 192.168.1.1:1-1024   # TCP SYN port scan
sudo sondare udp --target 192.168.1.1:1-1024   # UDP scan
sudo sondare os --target 192.168.1.1           # OS fingerprint

Monitoring:

sudo sondare monitor arp                                # watch for new hosts and MAC address changes
sudo sondare monitor hosts                              # live host reachability table
sudo sondare monitor ports --target 192.168.1.1:1-1024  # track port state changes
sudo sondare monitor traffic                            # live packet capture with protocol breakdown

Visualisation (the part I'm most proud of):

sudo sondare graph --fingerprint   # interactive HTML network map with OS info

The graph command was the last thing I added and probably the most satisfying — it renders an interactive HTML file showing all discovered hosts on your subnet, optionally with OS fingerprint data for each one.

What surprised me along the way

A few things I didn't expect:

Sequential scanning is deceptively useless. My original TCP scanner scanned ports one by one. On a /24 subnet with a modest timeout, that's minutes of waiting for something that should take seconds. Threading wasn't just an optimisation — it was the difference between a tool people would actually use and one they'd run once and forget.
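As an added illustration of that point (my own code, not sondare's; sondare sends raw SYNs through Scapy, this one uses ordinary connect() calls so it runs without root), here is a thread-pooled TCP connect scan with the timeout and thread count exposed as CLI options. The cost that matters is the filtered port, which burns the full timeout; with a pool, those waits overlap, so wall time falls from roughly timeout × ports to roughly timeout × ports / threads. The --target syntax mirrors the one shown above and is an assumption of this example; start_tcp_listener exists only to give the scan something real to find on loopback.

```python
"""Thread-pooled TCP connect scan. Added example, not sondare's code.

Uses connect() rather than raw SYN packets, so no root is needed; the
state names follow the usual open / closed / filtered convention.
"""
import argparse
import socket
from concurrent.futures import ThreadPoolExecutor


def tcp_connect(host: str, port: int, timeout: float):
    """One probe. Returns (port, state); the blocking wait is bounded by `timeout`."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return port, "open"                 # handshake completed
        except ConnectionRefusedError:
            return port, "closed"               # RST came back
        except (socket.timeout, OSError):
            return port, "filtered"             # no answer or unreachable: dropped somewhere


def parse_port_range(spec: str) -> list:
    """'1-1024', '22,80,443', or a mix such as '22,80,8000-8010'."""
    ports = []
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(part))
    return ports


def scan(host: str, ports, timeout: float = 1.0, threads: int = 64) -> dict:
    """Probe every port concurrently; each filtered port costs `timeout` seconds of one thread."""
    with ThreadPoolExecutor(max_workers=threads) as pool:
        return dict(pool.map(lambda p: tcp_connect(host, p, timeout), ports))


def open_ports(results: dict) -> list:
    return sorted(p for p, state in results.items() if state == "open")


def start_tcp_listener(host: str = "127.0.0.1"):
    """Listening socket on an ephemeral port, so the scan has a known-open target (constructed fixture)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="threaded TCP connect scan (added example)")
    ap.add_argument("--target", required=True, help="host:ports, e.g. 192.168.1.1:1-1024")
    ap.add_argument("--timeout", type=float, default=1.0, help="seconds to wait per port")
    ap.add_argument("--threads", type=int, default=64, help="concurrent probes")
    args = ap.parse_args()
    host, _, spec = args.target.rpartition(":")
    results = scan(host, parse_port_range(spec), args.timeout, args.threads)
    for port in open_ports(results):
        print(f"{host}:{port} open")
```

Against a host that silently drops probes, 1024 ports at a 3-second timeout is about 51 minutes sequentially and under a minute with 64 threads; against a host that answers every closed port with a RST, both finish quickly, which is why the slow case is easy to miss when testing only on your own machine.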

UDP is genuinely hard. With TCP you get a SYN-ACK or a RST, a clear signal either way. With UDP, a closed port normally answers with an ICMP port unreachable, but an open port often just says nothing. You can only really distinguish "open" from "open|filtered" based on whether you get a UDP reply back, which most services don't send unless they have something to say, and silence could just as well be a firewall dropping the probe. I ended up reporting both states honestly rather than pretending the ambiguity isn't there.
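The three outcomes described above, as an added example (my code, not sondare's): a connected UDP socket lets the kernel deliver the ICMP port unreachable that a closed port sends as ConnectionRefusedError, a datagram coming back means open, and silence is reported as open|filtered because a quiet service and a dropping firewall look identical from the outside. The loopback listeners are constructed fixtures, one that echoes and one that never answers, so all three states can be reproduced without a network.

```python
"""UDP port-state classification. Added example, not sondare's code.

Uses a connected UDP socket so the kernel hands us the ICMP port-unreachable
(type 3, code 3) a closed port answers with, surfaced as ConnectionRefusedError
on Linux/macOS (ConnectionResetError on Windows).
"""
import socket
import threading

# Raw probe outcome -> state a scanner should report. Silence is ambiguous and stays so.
STATES = {
    "reply": "open",
    "icmp_unreachable": "closed",
    "silence": "open|filtered",
}


def classify(outcome: str) -> str:
    return STATES[outcome]


def udp_probe(host: str, port: int, payload: bytes = b"\x00", timeout: float = 1.0) -> str:
    """Send one datagram and report what came back: reply, icmp_unreachable or silence."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))          # connected socket: ICMP errors for this flow are delivered to us
        s.send(payload)
        try:
            s.recv(4096)
            return "reply"
        except (ConnectionRefusedError, ConnectionResetError):
            return "icmp_unreachable"
        except socket.timeout:
            return "silence"


def udp_scan(host: str, ports, timeout: float = 1.0) -> dict:
    return {p: classify(udp_probe(host, p, timeout=timeout)) for p in ports}


# --- loopback fixtures so the three cases can be reproduced offline (constructed, not real services) ---

def start_udp_listener(respond: bool, host: str = "127.0.0.1"):
    """Bound UDP socket on an ephemeral port; answers 'pong' only if `respond` is True."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        while True:
            try:
                _, peer = srv.recvfrom(4096)
            except OSError:          # socket closed by the caller
                return
            if respond:
                srv.sendto(b"pong", peer)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_udp_port(host: str = "127.0.0.1") -> int:
    """A port nothing is bound to: reserve, read, release."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    talkative, p_open = start_udp_listener(respond=True)
    quiet, p_quiet = start_udp_listener(respond=False)
    p_closed = free_udp_port()
    for port, state in udp_scan("127.0.0.1", [p_open, p_quiet, p_closed]).items():
        print(f"udp/{port:<5} {state}")
    talkative.close()
    quiet.close()
```

Two practical caveats the quiet listener hides: many hosts rate-limit outgoing ICMP errors (Linux defaults to roughly one per second per destination), so a fast sweep turns closed ports into open|filtered, and a service that only answers protocol-specific payloads (DNS, SNMP, NTP) will look silent to a single null byte. Real scanners retry, throttle, and carry per-port payloads for exactly those reasons.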

ARP spoofing detection came almost by accident. I added MAC-change monitoring to monitor arp as a fairly low-effort addition. Then I ran it on a network at a friend's place and it immediately flagged something. Whether it was a misconfigured device or something more interesting, I never found out — but that moment validated the feature more than any design review could.
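The MAC-change check described above, as an added example (my code, not sondare's monitor arp): a small state machine fed (ip, mac) pairs, the same pairs an ARP reply parser produces, that emits an event for every new host and for every change of a known host's MAC. The observation sequence is constructed; it models a second device starting to answer for the gateway's IP and the real gateway then reasserting itself, which is what an ARP spoofer in progress looks like.

```python
"""ARP table monitor: flag new hosts and IP-to-MAC changes. Added example, not sondare's code."""
from typing import Dict, List, Optional, Tuple

Event = Tuple[str, str, str, Optional[str]]   # kind, ip, mac, previous_mac


class ArpMonitor:
    """Keeps the last MAC seen for each IP and reports when that mapping changes.

    A MAC change is the classic symptom of ARP spoofing (an attacker answering for
    the gateway's IP), but it is also what a DHCP lease moving to a new device or a
    replaced NIC looks like, so treat it as a lead, not a verdict.
    """

    def __init__(self, seed: Optional[Dict[str, str]] = None):
        # Optional known-good table, e.g. loaded from a previous run
        self.table: Dict[str, str] = {ip: mac.lower() for ip, mac in (seed or {}).items()}

    def observe(self, ip: str, mac: str) -> Optional[Event]:
        """Record one (ip, mac) sighting; return an event, or None if nothing changed."""
        mac = mac.lower()                     # normalise so case differences are not false changes
        previous = self.table.get(ip)
        if previous is None:
            self.table[ip] = mac
            return ("new_host", ip, mac, None)
        if previous != mac:
            self.table[ip] = mac
            return ("mac_change", ip, mac, previous)
        return None

    def feed(self, sightings) -> List[Event]:
        """Run a whole sequence of sightings and collect only the events."""
        events = []
        for ip, mac in sightings:
            event = self.observe(ip, mac)
            if event:
                events.append(event)
        return events


def format_event(event: Event) -> str:
    kind, ip, mac, previous = event
    if kind == "new_host":
        return f"[new host]   {ip} is-at {mac}"
    return f"[MAC CHANGE] {ip} was {previous}, now {mac}"


# Constructed sample: the gateway answers normally, then a second MAC starts claiming its IP.
SAMPLE_SIGHTINGS = [
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway
    ("192.168.1.20", "de:ad:be:ef:00:20"),   # a laptop
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway again, unchanged: no event
    ("192.168.1.1",  "DE:AD:BE:EF:00:20"),   # the laptop's MAC now answers for the gateway IP
    ("192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway reasserts itself: the mapping flaps back
]


def demo_events() -> List[Event]:
    return ArpMonitor().feed(SAMPLE_SIGHTINGS)


if __name__ == "__main__":
    for event in demo_events():
        print(format_event(event))
```

The flapping at the end is the tell worth alerting on: a one-off change is usually a lease or hardware swap, while an IP whose MAC keeps alternating between two values is a victim and an attacker both answering for it.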

Try it

If you run a homelab, work in networking, or just want to poke around your local network, give it a go:

sudo pipx install sondare --global
sudo sondare arp

It's MIT licensed and the source is on GitHub: github.com/w1ldy0uth/sondare

I'd genuinely love to hear what's missing, what's broken, or what you'd build on top of it. This started as a friend's offhand suggestion — it'd be nice to see where a community takes it.
