Who Is On Your Network?
One of the many troubles we've all faced is Internet bandwidth issues at home (and in many cases, at our businesses). I had an issue a few months ago where my download speed was rather pathetic. I was having trouble doing video conferencing and streaming. When I would test the speed from my workstation, I would get the same pathetic numbers. With a bit of frustration behind me, I called up my ISP and demanded they fix the problem, because, as with most people, I assumed it was my ISP who was at fault. My ISP assured me they were getting over four times the speed I was from their modem, which sat not thirty feet from my workstation. I hung up with them and then went about interrogating my network to find out who was using my missing bandwidth. In so doing, I ended up finding a setting on my router that limited the overall bandwidth to one-fourth of what it should be. I fixed that and was happy with all my speed.
Yet Who Is On My Network??!!
Now that I had fixed my speed troubles, I was left wondering who the forty-odd devices on my network were. Like any I.T. person, I have a server with virtual machines running on it. A couple of years ago, I'd set up my own DHCP and DNS server so I could keep track of all the servers on my network. During that same time, I had decided to also add every single device into DHCP and DNS so I would know what is on my network. Then, when something unfamiliar shows up in a network scan, I can figure out what it is, and when I need to hop on my router and determine who is using up bandwidth, I can find that easily enough. With that first configuration push, I took several steps to get everything listed on my network.
1. I installed a DHCP and DNS server.
I was and am a big fan of Raspberry Pis. As it happened, I had a few and one wasn't in use. So I installed CentOS 7 on it, connected it to my WAP, updated it, then installed DHCP and DNS daemons on it. From there I created a simple configuration file that let me specify the IP address and name for a device in one place. I wrote a script that would peel that configuration file apart and generate not only the DHCP configuration file but also all the DNS zone files (I run a single zone at home). Not only did it generate these files, but it would also syntax-check them. Only if there were no errors were the DHCP and DNS daemons restarted, so a typo in the inventory could never take name resolution down for the whole house.
(I recently rewrote that script using Python. The original script took upwards of 45 seconds to generate the data and restart the daemons. The new Python script does this in under 2 seconds!)
2. Find the MAC addresses.
I have a whole host of smart devices in my household, including TVs, plugs, and lights. On top of that, I have many virtual machines (as I said previously, like any I.T. professional). I also have other devices, like workstations, laptops, and a couple of cell phones and tablets. In nearly all those cases, I could find the MAC address either through the device's own software, as on a smart TV, or through the app installed on my cell phone, as with the smart plugs and lights.
3. Add them to the DHCP and DNS servers.
The last step was to add all of them to the configuration file and run the script to update the DHCP and DNS servers.
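Here is what such a generator looks like in Python, as an added example that is not the author's script: one inventory file with a name, MAC and IP per line is parsed and validated, and dhcpd host reservations plus forward and reverse BIND zone files are emitted and syntax-checked with named-checkzone before anything is restarted. The inventory format, the zone name home.lan, the 192.168.1.0/24 network and the name server pi-dns are assumptions, and the inventory contents are constructed.

```python
"""One inventory file in, dhcpd reservations and BIND zone files out.

Added example, not the blog author's script.  The inventory format, the zone
name 'home.lan', the 192.168.1.0/24 network and the name-server host are all
assumptions; the inventory contents are constructed sample data.
"""
import ipaddress
import os
import re
import shutil
import subprocess
import tempfile

ZONE = "home.lan"                                  # assumed single forward zone
NETWORK = ipaddress.ip_network("192.168.1.0/24")   # assumed LAN; must be a /24
NS_NAME = f"pi-dns.{ZONE}."                        # assumed name server; must be in the inventory
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
NAME_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed sample inventory: "name mac ip" per line, '#' starts a comment.
INVENTORY = """\
# name          mac                 ip
pi-dns          b8:27:eb:12:34:56   192.168.1.2
tv-livingroom   00:11:22:33:44:55   192.168.1.20
laptop-work     00:0c:29:ab:cd:01   192.168.1.50
"""

def parse_inventory(text):
    """Return [(name, mac, ip)]; reject malformed lines, bad MACs and IPs, IPs
    outside the LAN and duplicate names, MACs or IPs (a duplicate MAC makes
    dhcpd refuse to start, a duplicate IP hands out an address collision)."""
    hosts, seen = [], {"name": set(), "mac": set(), "ip": set()}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 'name mac ip'")
        name, mac = parts[0].lower(), parts[1].lower()
        ip = ipaddress.ip_address(parts[2])          # raises ValueError if malformed
        if not NAME_RE.match(name):
            raise ValueError(f"line {lineno}: bad hostname {name!r}")
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC {mac!r}")
        if ip not in NETWORK:
            raise ValueError(f"line {lineno}: {ip} is outside {NETWORK}")
        for key, val in (("name", name), ("mac", mac), ("ip", ip)):
            if val in seen[key]:
                raise ValueError(f"line {lineno}: duplicate {key} {val}")
            seen[key].add(val)
        hosts.append((name, mac, str(ip)))
    return hosts

def dhcp_config(hosts):
    """Fixed-address reservations for dhcpd.conf, one 'host' block per device."""
    return "".join(f"host {name} {{\n  hardware ethernet {mac};\n"
                   f"  fixed-address {ip};\n}}\n" for name, mac, ip in hosts)

def zone_header(serial):
    """SOA and NS records shared by the forward and reverse zones."""
    return (f"$TTL 3600\n@ IN SOA {NS_NAME} hostmaster.{ZONE}. "
            f"({serial} 3600 900 604800 300)\n@ IN NS {NS_NAME}\n")

def forward_zone(hosts, serial):
    """Forward zone text: one A record per device."""
    return zone_header(serial) + "".join(f"{name} IN A {ip}\n" for name, _, ip in hosts)

def reverse_zone(hosts, serial):
    """(origin, zone text) for the /24's in-addr.arpa zone: one PTR per device."""
    octets = str(NETWORK.network_address).split(".")
    origin = ".".join(octets[2::-1]) + ".in-addr.arpa"      # e.g. 1.168.192.in-addr.arpa
    body = "".join(f"{ip.rsplit('.', 1)[1]} IN PTR {name}.{ZONE}.\n"
                   for name, _, ip in hosts)
    return origin, zone_header(serial) + body

def check_zone(origin, zone_text):
    """Syntax-check a zone with BIND's named-checkzone before reloading the
    daemon; returns True/False, or None when the tool is not installed."""
    if shutil.which("named-checkzone") is None:
        return None
    with tempfile.NamedTemporaryFile("w", suffix=".zone", delete=False) as f:
        f.write(zone_text)
    try:
        result = subprocess.run(["named-checkzone", origin, f.name], capture_output=True)
    finally:
        os.unlink(f.name)
    return result.returncode == 0

if __name__ == "__main__":
    hosts = parse_inventory(INVENTORY)
    serial = 2024010101                 # bump on every regeneration
    print(dhcp_config(hosts))
    fwd = forward_zone(hosts, serial)
    origin, rev = reverse_zone(hosts, serial)
    print(fwd)
    print(rev)
    print("forward zone ok:", check_zone(ZONE, fwd))
    print("reverse zone ok:", check_zone(origin, rev))
```

Restarting the daemons only when both checks return True is the whole point of validating first; dhcpd -t -cf <file> does the same job on the DHCP side once the generated host blocks are included in a complete dhcpd.conf with its subnet declaration.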
And how did it work? It worked wonderfully!
But Getting Back To Who
Getting back to the original topic of this entry, how do I find what or who is on my network when I find a new device? What sorts of things can you do to find out what it is? There are a handful of steps I take when I find a new device on my network. They are listed below.
1. Scan the network.
I use the software Advanced IP Scanner to find the devices on my network. Not only does it show me the name of a device (if there is one), but it also shows the manufacturer and MAC address. If some standard ports are open on the device, they will show up in that scan as well, so if you don't know what the device is, the open ports help narrow it down. Perhaps there's a web page you can view to give you a clue.
2. Scan the device for open ports.
Another option is to scan the device for open ports. My favorite tool here is Nmap. I run Nmap with several options, depending on how quickly I want information back.
nmap -O -sT <ip>
This is what I use to find the open TCP ports on the device I'm after: a TCP connect scan of Nmap's default set of the 1,000 most common ports, plus OS detection (-O needs root privileges because it sends raw packets, and it is most accurate when the host has at least one open and one closed TCP port). In many cases, it comes back with the open ports and a pretty close idea of what the device is. To have Nmap scan both TCP and UDP on all 65,535 ports, you have to ask for the UDP scan explicitly, because -p on its own only widens the port range:
sudo nmap -O -sS -sU -p 1-65535 <ip>
But this will take much longer. UDP scanning in particular is slow, because a UDP port that never answers has to be timed out before Nmap can call it open|filtered.
3. Interrogate the open ports.
Look at the ports that are open and see if you can get to them and interact with them. If port 80 or 443 is open, see what happens when you point a web browser at it. If it's another port, what happens when you telnet (or nc) to that port? Do you see any message get printed? Many services announce themselves the moment you connect (SSH, FTP, SMTP and telnet all send a banner first); others, like HTTP, stay silent until you send them a request.
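A small Python banner-grabber, added here as an example and not something from the original post, does steps 2 and 3 in one pass for a short port list: connect, read whatever the service says first, and if it says nothing, send an HTTP HEAD request to coax a silent web server into identifying itself. The port list, the request line and the local fake "services" it probes are assumptions and constructed fixtures, there so the script runs offline; swap in the unknown device's real address to use it against your own network.

```python
"""Knock on a device's TCP ports and record whatever each service says first.

Added example, not the blog author's tooling.  The port list and the HTTP
request line are assumptions, and the local services in demo() are constructed
stand-ins so the script works offline.  Point it only at hosts on your own LAN.
"""
import socket
import threading

DEFAULT_PORTS = (21, 22, 23, 25, 80, 443, 8080)     # assumed usual suspects
NUDGE = b"HEAD / HTTP/1.0\r\n\r\n"                    # for services that wait for us to talk

def _read(sock, n=256):
    """First bytes from the socket, or b'' on timeout, reset or close."""
    try:
        return sock.recv(n)
    except OSError:
        return b""

def grab_banner(host, port, timeout=1.0):
    """Return (state, banner).  state is 'open', 'closed' (RST back) or
    'filtered' (no answer at all, or unreachable).  SSH, FTP, SMTP and telnet
    speak first; a web server waits for a request, so after a silent read we
    send NUDGE.  On a TLS port the answer is only a TLS alert, which still
    tells you it is TLS; use a browser or 'openssl s_client' for those."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed", b""
    except OSError:                       # timeout or no route: dropped silently
        return "filtered", b""
    with sock:
        banner = _read(sock)
        if not banner:
            try:
                sock.sendall(NUDGE)
                banner = _read(sock)
            except OSError:               # peer closed before we could ask
                pass
    return "open", banner

def classify(banner):
    """Rough service guess from the first bytes; 'unknown' when nothing matches."""
    if banner.startswith(b"SSH-"):
        return "ssh"
    if banner.startswith(b"HTTP/"):
        return "http"
    if banner.startswith(b"220 "):        # FTP and SMTP both greet with 220
        return "ftp-or-smtp"
    if banner.startswith(b"\xff"):        # telnet IAC option negotiation
        return "telnet"
    return "unknown"

def probe(host, ports=DEFAULT_PORTS, timeout=1.0):
    """Return {port: (state, banner, guess)} in the order the ports were given."""
    results = {}
    for port in ports:
        state, banner = grab_banner(host, port, timeout)
        results[port] = (state, banner, classify(banner) if state == "open" else "unknown")
    return results

def fake_service(banner=b"", reply=b""):
    """Constructed stand-in for a device on 127.0.0.1 (ephemeral port).  With
    `banner` it talks first; with `reply` it waits for a request, like HTTP.
    Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                if reply:
                    conn.recv(1024)           # wait for the client's request
                conn.sendall(banner or reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def demo():
    """Probe three constructed local 'devices' (SSH-like, HTTP-like, closed)."""
    ssh = fake_service(banner=b"SSH-2.0-OpenSSH_8.4\r\n")          # constructed banner
    web = fake_service(reply=b"HTTP/1.0 200 OK\r\nServer: lighttpd/1.4.59\r\n\r\n")
    tmp = socket.socket()
    tmp.bind(("127.0.0.1", 0))
    closed = tmp.getsockname()[1]
    tmp.close()                               # bound then released: now refuses
    return probe("127.0.0.1", (ssh, web, closed))

if __name__ == "__main__":
    for port, (state, banner, guess) in demo().items():
        print(f"{port:5d} {state:8s} {guess:12s} {banner!r}")
```

The distinction between closed and filtered matters when you read the output: a refused connection means a host is there and answering, while a silent timeout on every port is what a device behind a drop-everything firewall looks like, and that is the case the next section is about.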
What About The Portless
There are certain devices that have absolutely no open ports, or a firewall that drops everything, so scanning them won't help at all. What do you do with these? In that case, you have only peripheral information available to you. There are exactly two things I do when presented with this.
1. Try passive OS fingerprinting.
This is a little complicated, but there are plenty of references on the Internet. The idea is that operating systems pick different default values for a few IP and TCP header fields, so packets a device sends give away its OS family. The two attributes most often used are the IP TTL (time to live) and the TCP window size. The TTL is the easy one: ping the device and read the ttl= value in the reply. Linux, macOS and most embedded devices start at 64, Windows at 128, and a lot of network gear at 255, and on a flat home network with no routers in between, the value you see is the value the device started with. The TCP window size only appears in TCP segments, not in ICMP, so for a device with no open ports you have to capture traffic it sends on its own, with tcpdump or Wireshark, or with a tool like p0f that does the matching for you. Strictly speaking, pinging is active fingerprinting and only the capture part is passive, but both read the same header fields. There is a wonderful article on how it works over on How To Geek.
Once you have some information about the device, like its OS, it may give you clues as to what the device is and what it used for.
2. Look at the MAC address.
Looking at the MAC address is pretty much a last-ditch effort. Every networked interface has a MAC address, normally assigned by the manufacturer at the factory (though on some devices, like servers and virtual machines, it can be changed by hand). The first three octets, the OUI, identify the manufacturer. If you use a tool like Advanced IP Scanner to get the MAC address, simply enter it into Google, as in "mac address <mac>", or look the prefix up directly in the IEEE registry at https://standards-oui.ieee.org/. Google will come back with the manufacturer that owns that range of MAC addresses, which gives you one more clue about the unknown device. One caveat: if bit 1 of the first octet is set (the second hex digit is 2, 3, 6, 7, a, b, e or f), the address is locally administered rather than factory-assigned. Recent phones randomize their Wi-Fi MAC per network this way, and virtual machines and containers often use such addresses too, so for those the vendor lookup tells you nothing beyond that fact.
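Both clues in Python, as an added example rather than the author's procedure: the TTL from a ping reply is mapped back to the likely starting value and hop count, and a MAC address is split into its OUI, checked for the locally administered and multicast bits, and looked up in a tiny vendor table. The ping lines are constructed, the vendor table holds only a few real IEEE assignments (the full registry is at https://standards-oui.ieee.org/), and the addresses are made up.

```python
"""Two clues for a device that answers on no port: the TTL in its ping reply
and the vendor prefix (OUI) of its MAC address.

Added example, not the blog author's procedure.  SAMPLE_PING is constructed;
OUI_TABLE holds only a handful of real IEEE assignments for illustration (the
full registry is at https://standards-oui.ieee.org/); the addresses are made up.
"""
import re

# Starting TTLs chosen by common operating systems.  A reply's TTL is the
# starting value minus the routers crossed, and on a flat home LAN that is 0.
INITIAL_TTLS = {
    64: "Linux, macOS, BSD, Android and most embedded Linux devices",
    128: "Windows",
    255: "Cisco IOS, Solaris and a lot of network gear",
}

# Constructed ping output in both Linux ('ttl=') and Windows ('TTL=') shapes.
SAMPLE_PING = """\
64 bytes from 192.168.1.20: icmp_seq=1 ttl=64 time=0.342 ms
64 bytes from 192.168.1.20: icmp_seq=2 ttl=64 time=0.301 ms
Reply from 192.168.1.30: bytes=32 time<1ms TTL=128
Reply from 10.20.0.7: bytes=32 time=14ms TTL=119
"""
PING_RE = re.compile(r"from (?P<ip>\d+(?:\.\d+){3}).*?ttl=(?P<ttl>\d+)", re.IGNORECASE)

def parse_ping(output):
    """Return {ip: ttl} from ping output; the last reply per host wins."""
    return {m["ip"]: int(m["ttl"]) for m in PING_RE.finditer(output)}

def ttl_hint(observed):
    """Return (initial_ttl, hops, os_family) for an observed TTL: the smallest
    common starting value that is >= observed, and the distance in routers.
    hops > 0 for a host on your own LAN means the OS uses a non-default TTL."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed, INITIAL_TTLS[initial]
    return None, None, "unknown"

# A few real IEEE OUI assignments, lower-case with colons.
OUI_TABLE = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "dc:a6:32": "Raspberry Pi Trading Ltd",
    "00:50:56": "VMware, Inc.",
    "00:0c:29": "VMware, Inc.",
}

def mac_hint(mac):
    """Describe a MAC: its OUI, the vendor if known, and the two flag bits in
    the first octet.  Bit 0 set = multicast (never a device's own address);
    bit 1 set = locally administered, i.e. set by software (VMs, containers,
    phone Wi-Fi randomization), so no vendor lookup is attempted for those."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    first = int(hexdigits[:2], 16)
    local = bool(first & 0x02)
    oui = ":".join(hexdigits[i:i + 2] for i in (0, 2, 4))
    return {
        "oui": oui,
        "multicast": bool(first & 0x01),
        "locally_administered": local,
        "vendor": None if local else OUI_TABLE.get(oui),
    }

if __name__ == "__main__":
    for ip, ttl in parse_ping(SAMPLE_PING).items():
        initial, hops, family = ttl_hint(ttl)
        print(f"{ip}: ttl={ttl} -> started at {initial}, {hops} hop(s) away, {family}")
    for mac in ("B8-27-EB-12-34-56", "00:0c:29:ab:cd:01", "da:1b:2c:3d:4e:5f"):
        print(mac, mac_hint(mac))
```

In the sample, 10.20.0.7 answering with TTL 119 reads as a Windows box nine routers away; the same 119 from an address on your own /24 would instead mean a device that does not use the default, and the MAC lookup becomes the better clue.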
If you use all these steps and still don't know what the device is, I'm afraid there isn't much else you can do, other than go and find every single device, turn them all off, and turn them back on one at a time (blocking the unknown MAC on the router and waiting to see what stops working is the lazier version of the same test). But at any rate, you'll have a few more tools to keep track of what is on your network.