Network Monitoring and Alert System

  • Author: Andrei-Octavian Bebu
  • Email: andrei.bebu@stud.acs.upb.ro
  • Master: SRIC

Introduction

This project implements a BLE-based network monitoring and anomaly detection system using an ESP32 microcontroller and a Raspberry Pi. The ESP32 operates in promiscuous mode to passively sniff Wi-Fi traffic and transmits metadata via BLE to a Raspberry Pi, which further logs, processes, and analyzes the data using InfluxDB. The goal is to simulate a lightweight IDS/IPS-like solution capable of detecting suspicious activity in a home or lab network, such as DoS attempts, MAC spoofing, and out-of-hours access.

Optional integration with Home Assistant allows security alerts to be routed to multiple channels (e.g., email, mobile push) based on severity.

Context and General Description

Block Diagram

The ESP32 module is configured in promiscuous mode to capture 802.11 beacon and probe request frames. It collects metadata including MAC addresses, RSSI, and timestamps. These packets are periodically sent via BLE to a Raspberry Pi acting as a BLE server. The Pi parses incoming data, stores it in InfluxDB, and runs basic anomaly detection logic based on:

  • Out-of-hours activity
  • MAC spoofing attempts
  • DoS (denial-of-service)-like patterns
  • Weak RSSI signals possibly indicating distant attackers

Alerts are generated based on thresholds and logged events. Higher severity events may trigger multi-channel notifications via Home Assistant integrations.

Hardware

Hardware Components

ESP32 DevKit (ESP-WROOM-32)

Raspberry Pi 4B (or similar with BLE support)

Breadboard, USB power supplies

Optional: LEDs for visual status indication

Wiring: No complex wiring needed — communication is fully wireless (BLE).

Physical Setup: The ESP32 is deployed in a fixed location within Wi-Fi range, while the Raspberry Pi operates as a static gateway and logging processor.

Software Design

Key Software Tools

Arduino IDE / PlatformIO (ESP32 firmware)

BLEDevice.h, esp_wifi.h (ESP32 sniffing & BLE)

BlueZ / Python-BLE / bleak (Raspberry Pi BLE server)

InfluxDB 2.0 (time-series database)

Home Assistant / Slack (optional, for alert forwarding)

Workflow Description

  1. ESP32 Initialization
     • Wi-Fi promiscuous mode activated
     • BLE client initialized
  2. Packet Capture & Filtering
     • Capture beacon/probe packets
     • Extract MAC, RSSI, channel, and timestamp
  3. Data Transmission
     • Periodic BLE packets sent to Raspberry Pi
  4. Raspberry Pi Logging & Analysis
     • BLE server receives and parses incoming payloads
     • Data stored in InfluxDB
     • Python scripts apply rules to flag anomalies
     • Alerting using Slack/Home Assistant

Code Snippets

ESP32 BLE Sniffer Loop

  #include "esp_wifi.h"

  // Threshold value is not given on the page; -75 dBm is assumed here
  #define RSSI_THRESHOLD -75

  // Implemented in the BLE transport part of the firmware
  void sendBLE(const uint8_t *mac, int rssi, uint8_t channel);

  void sniffer_callback(void *buf, wifi_promiscuous_pkt_type_t type) {
    const wifi_promiscuous_pkt_t *pkt = (const wifi_promiscuous_pkt_t *)buf;
    if (type == WIFI_PKT_MGMT) {
      int rssi = pkt->rx_ctrl.rssi;
      // Address 2 (transmitter) starts at byte 10 of the 802.11 MAC header
      const uint8_t *mac = pkt->payload + 10;
      if (rssi > RSSI_THRESHOLD) {
        // Format payload and hand it to the BLE link
        sendBLE(mac, rssi, pkt->rx_ctrl.channel);
      }
    }
  }

Raspberry Pi - BLE Receive Handler

  # parse_payload, influx and check_anomalies are defined elsewhere in the Pi-side scripts
  def on_ble_receive(data):
      # Unpack one BLE notification into MAC, RSSI, channel and timestamp
      mac, rssi, ch, ts = parse_payload(data)
      influx.write({
          "measurement": "wifi_activity",
          "tags": {"mac": mac, "channel": ch},
          "fields": {"rssi": rssi},
          "time": ts
      })
      check_anomalies(mac, rssi, ts)
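The rule-based check that the handler above calls is not shown on the page; the following is an added example (not the project's own code) of how the four rules listed under the block diagram (out-of-hours activity, DoS-like patterns, MAC spoofing, weak RSSI) can be applied to parsed records on the Pi. All thresholds, the UTC working hours, and the severity levels are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Thresholds are constructed for this example; the page gives no concrete values.
ALLOWED_HOURS = range(7, 23)   # frames outside 07:00-22:59 UTC count as out-of-hours
DOS_WINDOW_S = 10.0            # sliding window (seconds) for the per-MAC frame-rate rule
DOS_MAX_FRAMES = 50            # frames from one MAC inside the window before alerting
RSSI_WEAK_DBM = -80            # weaker than this suggests a distant transmitter
RSSI_JUMP_DBM = 30             # RSSI change between consecutive frames of one MAC

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2}


class AnomalyDetector:
    """Stateful rule checker fed one parsed (mac, rssi, ts) record at a time."""

    def __init__(self):
        self.frames = defaultdict(deque)  # mac -> timestamps inside the DoS window
        self.last_rssi = {}               # mac -> RSSI of the previous frame

    def check(self, mac, rssi, ts):
        """Return a list of (severity, rule) tuples raised by this frame."""
        alerts = []
        # Rule 1: out-of-hours activity (ts is a Unix timestamp, evaluated in UTC)
        if datetime.fromtimestamp(ts, tz=timezone.utc).hour not in ALLOWED_HOURS:
            alerts.append(("medium", "out_of_hours"))
        # Rule 2: DoS-like pattern, too many frames from one MAC in the window
        window = self.frames[mac]
        window.append(ts)
        while window and ts - window[0] > DOS_WINDOW_S:
            window.popleft()
        if len(window) > DOS_MAX_FRAMES:
            alerts.append(("high", "dos_pattern"))
        # Rule 3: MAC spoofing heuristic, same MAC but an implausible RSSI jump
        prev = self.last_rssi.get(mac)
        if prev is not None and abs(prev - rssi) >= RSSI_JUMP_DBM:
            alerts.append(("high", "mac_spoof_suspect"))
        self.last_rssi[mac] = rssi
        # Rule 4: weak signal, possibly a distant transmitter
        if rssi < RSSI_WEAK_DBM:
            alerts.append(("low", "weak_rssi"))
        return alerts


def highest_severity(alerts):
    """Pick the severity that decides which notification channels fire."""
    if not alerts:
        return None
    return max((sev for sev, _ in alerts), key=SEVERITY_ORDER.__getitem__)
```

The RSSI-jump heuristic only flags the second of two frames that claim the same MAC, so a spoofed address is noticed when the legitimate device and the imposter are both active in the same window.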
  

Challenges

  • BLE throughput is limited; batching or compression required
  • ESP32 promiscuous mode isn’t officially supported for all firmware versions
  • Managing BLE connections with stability on Pi (BlueZ had quirks)
  • Time sync and timestamping between devices
  • IDS logic is simplistic and rule-based, not ML-driven
  • Many false positives in noisy Wi-Fi environments

Limitations

  • Range is limited by BLE and RSSI reliability
  • Not a security-grade IDS; better suited to small networks or educational use
  • ESP32 can only sniff 2.4GHz band
  • Detection rules are hardcoded, not adaptive

iothings/proiecte/2025sric/network_monitoring_and_alert_system.txt · Last modified: 2025/05/29 00:06 by andrei.bebu
CC Attribution-Share Alike 3.0 Unported