David Trebacz Blog

I'm still having issues with the Honeywell wifi thermostat (RTH9580WF) displaying "waiting for update" on when the wifi is routed through my proxy server, so I decided to do a deep dive into what the thermostat is doing when it's getting the weather updates.

I also wanted to better understand how to trace traffic on my network.

Here's what I learned about the thermostats weather updates system by tracing the communication between the thermostat and servers. Currently:
Thermostat requests the current weather and 12 hour forecast from a server: http://104.209.185.251. This server appears to run code managed by Honeywell in Microsoft's Azure cloud.Every 15 minutes it makes two port 80 GET requests to the IP address:http://104.209.185.251/WeatherAPIProd/api/weather/current?appKey=b9db7a3d469892e8&language=en-us&locationKey=36691_PC (return current weather for location)http://104.209.185.251//WeatherAPIProd/api/weather/forecasts/hourly/12hour?appKey=b9db7a3…

I was noticing that many of the Arpwatch notification messages coming back were marked "unknown" for the manufacturer name in the MAC address lookup. I looked at the date of the file in my Ubuntu file system and it was last updated in 2012. Arpwatch uses this file to determine the manufacturer name for a given MAC address prefix.

I found a script at this blog post which looked quite promising. A few simple transformations of the file downloaded direct from IEEE, updates from the comments on the blogpost and it was ready to go. I added in the lines to copy the files to the correct locations in Ubuntu's implementation of Arpwatch.

Here is the updated script:

Here are the basic steps and commands to do it on a terminal session.

1.Create the script using nano (copy and paste the script above) into a file called update_mac_addresses and then run it.
nano ~/update_mac_addresses.sh
2. Make it executable
chmod +x ~/update_mac_addresses.sh
3. Execute the script. Sudo is only need…