diff --git a/backend/routers/discovery.py b/backend/routers/discovery.py index 46e9e8b..154d44c 100644 --- a/backend/routers/discovery.py +++ b/backend/routers/discovery.py @@ -115,10 +115,15 @@ def _tcp_check(ip: str) -> bool: def _scan_one(ip: str, dns_server: str, vlan_id: int, cidr: str, tcp_check: bool = False) -> Optional[DiscoveredHost]: - if not _ping(ip): - return None - if tcp_check and not _tcp_check(ip): - return None + if tcp_check: + # TCP-only mode: bypasses ICMP entirely. + # Proxy-ARP gateways never spoof TCP replies, so ghost IPs are filtered + # without ICMP. Also catches hosts whose ICMP is rate-limited under load. + if not _tcp_check(ip): + return None + else: + if not _ping(ip): + return None hostname = _ptr_lookup(ip, dns_server) if dns_server else None return DiscoveredHost(ip=ip, hostname=hostname, vlan_id=vlan_id, cidr=cidr) diff --git a/frontend/src/i18n.js b/frontend/src/i18n.js index 7f9ad49..92c3879 100644 --- a/frontend/src/i18n.js +++ b/frontend/src/i18n.js @@ -128,8 +128,8 @@ const LANGS = { scanAddresses: 'adresses sur', scanVlans: 'VLAN(s)', scanNote: 'Chaque hôte est pingé puis interrogé en DNS.', - tcpCheckLabel: 'Vérification TCP (anti proxy-ARP)', - tcpCheckHint: 'Sonde chaque hôte sur les ports 22, 80, 443, 8080, 8443. Élimine les faux positifs UniFi/proxy-ARP. Peut rater uniquement les équipements dont le pare-feu bloque silencieusement (DROP) tous ces ports — un hôte renvoyant RST sur un port fermé est correctement détecté.', + tcpCheckLabel: 'Scan TCP (anti proxy-ARP)', + tcpCheckHint: 'Utilise TCP au lieu de ICMP pour détecter les hôtes actifs (ports 22, 80, 443, 8080, 8443). Élimine les faux positifs proxy-ARP (UniFi…) et détecte les équipements dont le ping ICMP est bridé sous charge. Peut rater les équipements qui bloquent silencieusement (DROP) tous ces ports.', hostsFound: 'hôte(s) découvert(s)', addressesScanned: 'adresses scannées', newHosts: 'nouveaux', @@ -287,8 +287,8 @@ const LANGS = { scanAddresses: 'addresses on', scanVlans: 'VLAN(s)', scanNote: 'Each host is pinged then queried via DNS.', - tcpCheckLabel: 'TCP check (anti proxy-ARP)', - tcpCheckHint: 'Probes each host on ports 22, 80, 443, 8080, 8443. Eliminates UniFi/proxy-ARP false positives. Only misses devices whose firewall silently drops (DROP) all probed ports — a host sending RST on a closed port is correctly detected.', + tcpCheckLabel: 'TCP scan (anti proxy-ARP)', + tcpCheckHint: 'Uses TCP instead of ICMP to detect live hosts (ports 22, 80, 443, 8080, 8443). Eliminates proxy-ARP false positives (UniFi…) and detects hosts whose ICMP is rate-limited under load. May miss devices that silently block (DROP) all probed ports.', hostsFound: 'host(s) found', addressesScanned: 'addresses scanned', newHosts: 'new', @@ -445,8 +445,8 @@ const LANGS = { scanAddresses: 'direcciones en', scanVlans: 'VLAN(s)', scanNote: 'Cada host es pingado y luego consultado en DNS.', - tcpCheckLabel: 'Verificación TCP (anti proxy-ARP)', - tcpCheckHint: 'Sondea cada host en los puertos 22, 80, 443, 8080, 8443. Elimina falsos positivos UniFi/proxy-ARP. Solo puede omitir equipos cuyo firewall descarta silenciosamente (DROP) todos los puertos sondeados — un host que responde RST en un puerto cerrado se detecta correctamente.', + tcpCheckLabel: 'Escaneo TCP (anti proxy-ARP)', + tcpCheckHint: 'Usa TCP en lugar de ICMP para detectar hosts activos (puertos 22, 80, 443, 8080, 8443). Elimina falsos positivos de proxy-ARP (UniFi…) y detecta hosts con ICMP limitado bajo carga. Puede omitir equipos que bloqueen silenciosamente (DROP) todos los puertos sondeados.', hostsFound: 'host(s) descubierto(s)', addressesScanned: 'direcciones escaneadas', newHosts: 'nuevos',