
MeshMonitor v4.9.4 - Impersonation Detection

MeshMonitor v4.9.4 adds Impersonation Detection — MeshMonitor now spots when someone on the mesh is spoofing your own node's identity, instead of quietly showing their forged packets as messages you sent.

The problem: your node, impersonated

Meshtastic channel messages carry no cryptographic sender authentication. A packet's from field is just a number, and anyone holding a channel's pre-shared key can transmit a packet claiming to be from any node — including yours. Until now, a packet that spoofed your locally-connected node's number slipped through as one of your own outgoing messages. The first message in the thread would be genuine; the rest were forgeries wearing your name.

The fix: tell a real transmission from a forgery

When your connected node genuinely sends a packet, MeshMonitor sees it as an internal event — no radio-reception metadata, a fresh hop count. A packet that actually travelled over the air looks unmistakably different: it carries rx SNR/RSSI, a decremented hop count (hop_start > hop_limit), and a radio transport (LoRa/MQTT).

So a packet claiming to be from your node but bearing those over-the-air markers cannot be one of your real transmissions. MeshMonitor flags it as suspected impersonation — it's shown as an incoming message with a clear warning, never again as your own:

A spoof-suspected message flagged with a "Possible impersonation of your node" badge

Matching packets are also highlighted in the Packet Monitor, so you can inspect exactly what's being transmitted on your channels.

No false alarms from your own echoes

There's a catch: your own packet legitimately comes back to you over the air all the time — a neighbour rebroadcasts it and you overhear it, the MQTT bridge echoes it, store-and-forward replays it. Those look structurally identical to a spoof. MeshMonitor tells them apart by the packet id: a genuine echo reuses an id your node originated, while a forgery carries one you never sent. A short-lived record of the ids you've recently transmitted suppresses the echoes, so only real impersonation attempts get flagged.

Detection is per-source, so it stays correct even when you're monitoring several nodes at once.
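
The decision described in the two sections above, sketched as an added TypeScript example (not MeshMonitor's own code). The packet field names, the `transport` values, the 10-minute id lifetime and the rule that any single reception marker counts as over-the-air are assumptions made for the illustration.

```typescript
// Added illustration; field names and the 10-minute TTL are assumptions,
// not MeshMonitor's actual schema or settings.
interface Packet {
  sourceId: string;   // which connected node reported this packet
  from: number;       // claimed sender (unauthenticated on channels)
  id: number;         // packet id chosen by the originator
  rxSnr?: number;     // present only when received over the radio
  rxRssi?: number;
  hopStart?: number;
  hopLimit?: number;
  transport?: "internal" | "lora" | "mqtt";
}
type Verdict = "other-node" | "own-transmission" | "own-echo" | "suspected-impersonation";

interface DetectorState {
  localNode: Map<string, number>;            // sourceId -> that source's own node number
  sentIds: Map<string, Map<number, number>>; // sourceId -> (packet id -> expiry in ms)
  ttlMs: number;
}

function newDetector(localNode: Map<string, number>, ttlMs: number = 600000): DetectorState {
  return { localNode: localNode, sentIds: new Map<string, Map<number, number>>(), ttlMs: ttlMs };
}

// Any single reception marker is treated as proof of over-the-air travel (assumption).
function travelledOverAir(p: Packet): boolean {
  const hopsUsed = p.hopStart !== undefined && p.hopLimit !== undefined && p.hopStart > p.hopLimit;
  const radio = p.transport === "lora" || p.transport === "mqtt";
  return p.rxSnr !== undefined || p.rxRssi !== undefined || hopsUsed || radio;
}

function classify(state: DetectorState, p: Packet, nowMs: number): Verdict {
  if (state.localNode.get(p.sourceId) !== p.from) return "other-node";
  let ids = state.sentIds.get(p.sourceId);
  if (ids === undefined) {
    ids = new Map<number, number>();
    state.sentIds.set(p.sourceId, ids);
  }
  const live = ids;
  live.forEach((expiry, id) => { if (expiry <= nowMs) live.delete(id); }); // drop stale ids
  if (!travelledOverAir(p)) {
    live.set(p.id, nowMs + state.ttlMs); // genuine local send: remember its id
    return "own-transmission";
  }
  // Over-the-air packet claiming to be us: an echo if we originated the id, else a forgery.
  return live.has(p.id) ? "own-echo" : "suspected-impersonation";
}
```

The id record is kept per source, so an id sent by one connected node never suppresses a flag on another. In this sketch an echo that arrives after its id has expired is flagged, which is the trade-off of keeping the record short-lived.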

Read more about Impersonation Detection

What's next

This is Phase 1 — detecting impersonation of your own connected node. Follow-ups on the roadmap: cryptographic verification of PKI direct messages, detecting impersonation of other nodes (building on the existing key-mismatch signal), and surfacing alerts on the Security dashboard and via notifications.

A safety note worth repeating: because channel traffic is unauthenticated, detection is observe-and-flag only — MeshMonitor won't act on a spoof automatically, since the inputs themselves can be forged. For stronger protection, consider enabling "require PKI" for direct messages on your node.

Also in 4.9.4

  • Channels tab — full-height chat layout (#3385): the heading, channel selector, and controls collapse to a single compact bar, and the message pane now fills the viewport down to the composer instead of being capped partway. On mobile the controls fold into a "⋯" overflow menu.
  • Airtime cutoff — contributing infrastructure nodes (#3392): the Cutoff Airtime Utilization section now shows which 3 infrastructure nodes' ChUtil were averaged into the reading, and trims the percentage to 2 decimals.
  • Auto-Acknowledge {LONG_NAME}/{SHORT_NAME} fix (#3384): name tokens no longer intermittently resolve to Unknown/???? — the lookup is now scoped to the correct source.
  • {NODECOUNT}/{DIRECTCOUNT} tokens (#3389): now use the same 2-hour active-node window as the Sources "active" badge, so sent messages agree with the UI.
  • Telemetry charts (#3362): future-dated timestamps from nodes with bad clocks no longer stretch the chart axis into a sliver.
