David Trebacz Blog

I'm still having issues with the Honeywell wifi thermostat (RTH9580WF) displaying "waiting for update" on when the wifi is routed through my proxy server, so I decided to do a deep dive into what the thermostat is doing when it's getting the weather updates. I also wanted to better understand how to trace traffic on my network. Here's what I learned about the thermostats weather updates system by tracing the communication between the thermostat and servers. Currently: Thermostat requests the current weather and 12 hour forecast from a server:  http://104.209.185.251 . This server appears to run code managed by Honeywell in Microsoft's Azure cloud. Every 15 minutes it makes two port 80 GET requests to the IP address: http://104.209.185.251/WeatherAPIProd/api/weather/current?appKey=b9db7a3d469892e8&language=en-us&locationKey=36691_PC  (return current weather for location) http://104.209.185.251//WeatherAPIProd/api/weather/forecasts/hourly/12hou

I was noticing that many of the Arpwatch notification messages coming back were marked "unknown" for the manufacturer name in the MAC address lookup. I looked at the date of the file in my Ubuntu file system and it was last updated in 2012. Arpwatch uses this file to determine the manufacturer name for a given MAC address prefix. I found a script at this blog post which looked quite promising. A few simple transformations of the file downloaded direct from IEEE, updates from the comments on the blogpost and it was ready to go. I added in the lines to copy the files to the correct locations in Ubuntu's implementation of Arpwatch. Here is the updated script: Here are the basic steps and commands to do it on a terminal session. 1.Create the script using nano (copy and paste the script above) into a file called update_mac_addresses and then run it. nano ~/update_mac_addresses.sh 2. Make it executable chmod +x ~/update_mac_addresses.sh 3. Execute the script. S