
Determining What is Connected to a Customer LAN or WLAN

Here is a good question:

At a recent POTS to Pipes you told us of the story of the customer that was upset with his local telephone company due to his internet being really slow, etc., and you had gone through some steps that you could use to verify how many appliances a person actually has in their home using the internet, whether it was a Wii, Playstation, etc. I was wondering if you could provide me with those steps?

Also, your seminar was a very enjoyable one.  Walked out of there with a lot of collected information.

 

Thanks for your compliment and great question.  

OK.  The objective is to locate the number of networking appliances that are active at someone’s site/network.  Naturally this is a delicate issue as we discussed.  Nevertheless there are a couple of things you can do.

 

When I am connected to a local area network, I am in what we call a broadcast domain. We can all see each other if we are on the same LAN and the local router allows broadcast. Therefore we can exchange packets directly.

One way to find out what is connected to the broadcast domain is to issue a ‘ping’ to the broadcast address of that domain.  For instance if you click on START> RUN> enter ‘cmd’, then from the Windows command line type ‘ping 192.168.1.255’ [this assumes that the network you are in is 192.168.1.0/24].  You have just sent a ping to all the people in your domain.  You will receive responses back from every connected appliance plus the default gateway, plus yourself!  A note or two here:

  • You may not get any response if broadcast is not enabled on your local router/switch
  • You can determine the domain broadcast IP by running an ‘ipconfig’ command, looking at your assigned address (something like 192.168.1.4), your default gateway (something like 192.168.1.1), and the subnetwork mask (something like 255.255.255.0). 

Second, records of packet source/destination addresses are kept in tables, both in the switch/router/gateway (e.g. Linksys, D-Link, Netgear) as well as in the computers attached to those boxes. The records are the IP and MAC addresses of broadcast packets we have seen on the broadcast domain.

One thing you can do is look at the administrative screens of the local router and see what is in its tables.

Another thing you can do is run a scan with the Colasoft MAC Scanner (get it here). I love this tool and it works great. Below is one I ran recently at an airport!

[Screenshot: Colasoft MAC Scanner]

Lastly, on a PC, you need to be at the command line:  START> RUN> enter ‘cmd’ .  When the window opens you can enter any of the following commands:

  • arp -a – this one shows the static and learned (dynamic) MAC addresses. MAC addresses that are dynamic are from other devices in the user’s LAN. The first three hex pairs separated by dashes form the Organizationally Unique Identifier (OUI), which identifies the manufacturer. A list of the OUIs can be found at http://standards.ieee.org/regauth/oui/oui.txt . So let’s say I see MAC address 00-0F-61-00-D5-29. The 00-0F-61 is the OUI. If I search that document I see that it is an HP device. The same procedure can be followed with the MAC table inside the Linksys/D-Link/Netgear device as well, except there you don’t issue a command; you look at a particular screen.

    [Screenshot: arp -a output]

  • netstat -a, or netstat -r – these commands are helpful as well. netstat -a will show you all the connections, either active or listening, on the computer. Note that listening does not mean in use. The ones I look for are those with my local IP address and either a TIME_WAIT or similar status. That tells me how many active transfers of data are in place. Sometimes the source program will also be identified. The netstat -r command confirms the local PC routing table with its MAC addresses, IP addresses, gateways, etc.
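The ipconfig and arp -a steps above, as an added Python example that is not part of the original post: it derives the broadcast address from an address and mask, then lists the dynamic ARP entries with their OUI and flags MACs that carry no registered OUI. The sample arp output and the one-entry OUI table are constructed for illustration; a real run would use the IEEE oui.txt file.

```python
import ipaddress
import re

# Constructed sample of Windows `arp -a` output (not captured from a real network).
SAMPLE_ARP = """\
Interface: 192.168.1.4 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-0f-61-00-d5-29     dynamic
  192.168.1.23          da-a1-19-3c-44-07     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Tiny stand-in for the IEEE oui.txt file; the one entry is the article's example.
OUI_TABLE = {"00-0F-61": "HP"}

ROW = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\s+((?:[0-9a-f]{2}-){5}[0-9a-f]{2})\s+(\w+)\s*$", re.I)

def broadcast_address(ip, mask):
    """Directed broadcast address for the subnet that `ipconfig` reports."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return str(net.broadcast_address)

def inventory(arp_text, oui_table):
    """Return one record per learned (dynamic) neighbour in `arp -a` output."""
    devices = []
    for line in arp_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(3).lower() != "dynamic":
            continue  # skip headers and the static broadcast/multicast rows
        ip, mac = m.group(1), m.group(2).upper()
        if int(mac[:2], 16) & 0x02:
            # Locally administered bit set: a randomized or software-assigned
            # MAC, so the first three bytes are not a registered OUI.
            vendor = "locally administered (no OUI)"
        else:
            vendor = oui_table.get(mac[:8], "unknown OUI")
        devices.append({"ip": ip, "mac": mac, "oui": mac[:8], "vendor": vendor})
    return devices

if __name__ == "__main__":
    print("broadcast:", broadcast_address("192.168.1.4", "255.255.255.0"))
    for d in inventory(SAMPLE_ARP, OUI_TABLE):
        print(d["ip"], d["mac"], d["vendor"])
```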

 

Hope this helps!
