© 2026 Trace Warrior
last verified · 2026-06-10

How to identify unknown network devices

A device you don't recognise just joined your network. Use ARP tables, DHCP leases, and MAC OUI lookup to identify it, and handle the ones you can't.

networking · security · mac-address
Trace Warrior Team
5 min read

Sooner or later you open your router's client list and find something you can't account for. ESP_4F2A1C. android-9d41b2. Or worse, a blank hostname and nothing else. Most of the time it's a smart plug somebody installed eight months ago. Occasionally it isn't.

This guide is the systematic version of "what is that thing": enumerate everything on the segment, extract MAC addresses, identify manufacturers from the OUI, and deal with the devices that resist identification.

Step 1. Enumerate every device on the segment

You want two independent views: the live ARP table and the DHCP lease table. They disagree often enough that checking both is worth the thirty seconds.

ARP table: every device your machine has recently exchanged packets with on the local segment:

# Windows and macOS
arp -a

# Linux
ip neigh

The catch: ARP only shows devices your machine has actually exchanged frames with. To populate it fully, sweep the subnet first so every host gets ARP-resolved. On a directly attached Ethernet or Wi-Fi segment, nmap run as root does this with ARP requests rather than ICMP, so even hosts that drop ping get listed:

sudo nmap -sn 192.168.1.0/24

If you're not sure what your subnet's CIDR range actually covers, run it through the Subnet Calculator first; sweeping /24 when you're actually on a /22 misses three quarters of the address space.

DHCP lease table: log into your router or DHCP server and find the lease list (usually under DHCP, LAN, or Connected devices). This shows everything that has requested an address recently, including devices that are currently asleep and therefore absent from ARP. Leases also carry the hostname the device reported about itself, which is sometimes the entire answer (Daves-iPhone).

Devices with static IPs appear in ARP but not in the lease table. Devices that are offline right now appear in leases but not ARP. The union of both lists is your real population.

Step 2. Extract the MAC addresses you can't account for

Go down the combined list and mark every entry you can immediately attribute to a known device. What's left is your suspect list. For each suspect, record:

  • MAC address
  • IP address
  • Hostname (if reported)
  • First/last seen (if your router logs it)

Step 3. Look up the OUI

The first three octets of a MAC address are the OUI (Organizationally Unique Identifier), a 24-bit prefix the IEEE assigns to hardware manufacturers. B8:27:EB:xx:xx:xx is Raspberry Pi Foundation. F0:18:98 is Apple. EC:FA:BC is Espressif, the chip inside most cheap smart plugs, bulbs, and DIY IoT boards. One caveat: the IEEE also sells smaller blocks (MA-M and MA-S, 28 and 36 bits long), so a few 24-bit prefixes are shared by several small vendors and a lookup may return more than one name.

Paste each unknown MAC into the MAC Address Lookup tool and you get the registered vendor. The vendor alone usually collapses the mystery:

  • Espressif / Tuya / Shelly → an IoT device. Smart plug, bulb, sensor. Ask the household or office who installed what.
  • Apple / Samsung / Google → a phone, tablet, or watch. Probably a guest's, or a known device with a hostname you didn't recognise.
  • Intel / Realtek / AzureWave → a laptop or desktop NIC. These warrant a closer look since general-purpose computers can do more damage than a lightbulb.
  • TP-Link / Netgear / Ubiquiti → network gear. If you didn't install it, find out who did; a rogue access point is a genuine problem.

For the deeper background on what MAC addresses can and can't tell you during an investigation, see MAC address forensics.

Step 4. Watch for randomized MACs

Whether or not the lookup returns a vendor, check the second hex digit of the first octet. If it's 2, 6, A, or E, the locally administered bit (bit 1 of the first octet, 0x02) is set: the address was software-generated, not burned in at the factory, and it will never appear in the IEEE registry. (An odd second digit means the multicast bit is set; that is a group address, not a device, and belongs off the list entirely.)

This is now the default on modern phones: iOS ("Private Wi-Fi Address") and Android both randomize the MAC per Wi-Fi network. Windows offers it as an option. So an unidentifiable MAC with the locally administered bit set is most often just somebody's phone behaving normally, not an attacker. It does mean the same physical phone can appear as a different "device" on each network it joins, which makes MAC-based device counting unreliable.

The flip side: a deliberately spoofed MAC can show up this way too, or worse, copy a legitimate vendor OUI with the locally administered bit clear. Spoofing a MAC takes two commands on Linux (ip link set dev wlan0 down, then ip link set dev wlan0 address ...). So treat the OUI as a strong hint, never as proof of identity.
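To put steps 1 to 4 together, here is an added example (not Trace Warrior's code, and not tied to any of its tools) that merges an ARP dump with a DHCP lease table, normalises the MACs, drops the known inventory, flags locally administered addresses and attributes the rest by OUI. The ARP input is `ip neigh` output (the parser also accepts macOS and Windows `arp -a` rows, including the unpadded octets macOS prints), the lease input uses dnsmasq's lease-file layout, and every row, the three-entry OUI table and the inventory set are constructed for the example.

```python
"""Added example (not Trace Warrior's code): merge ARP and DHCP lease views
of a segment, normalise MACs, flag randomized (locally administered) MACs and
attribute the rest by OUI. All sample input below is constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Tiny OUI table for illustration only. The three prefixes are the ones the
# guide cites; a real run consults the full IEEE registry (or a lookup tool).
OUI_TABLE = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "F0:18:98": "Apple",
    "EC:FA:BC": "Espressif",
}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[:-][0-9A-Fa-f]{1,2}){5})\b")


def normalize_mac(raw: str) -> str:
    """Canonical AA:BB:CC:DD:EE:FF. Accepts ':' or '-' separators and the
    unpadded octets macOS `arp -a` prints (e.g. 0:1e:c9:9:0:a7)."""
    parts = re.split(r"[:-]", raw.strip())
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(f"{int(p, 16):02X}" for p in parts)


def is_locally_administered(mac: str) -> bool:
    """Bit 1 (0x02) of the first octet set => software-assigned: randomized or spoofed."""
    return bool(int(mac[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """Bit 0 (0x01) of the first octet set => group address (ff:ff:..., 01:00:5e:...)."""
    return bool(int(mac[:2], 16) & 0x01)


def oui_vendor(mac: str) -> Optional[str]:
    return OUI_TABLE.get(mac[:8])


@dataclass
class Device:
    mac: str
    ip: str = ""
    hostname: str = ""
    sources: set = field(default_factory=set)


def parse_arp(text: str) -> dict[str, Device]:
    """Any line carrying one IPv4 and one MAC: `ip neigh`, macOS or Windows
    `arp -a`. FAILED / (incomplete) rows have no MAC and are skipped."""
    devices: dict[str, Device] = {}
    for line in text.splitlines():
        ip_m, mac_m = IPV4_RE.search(line), MAC_RE.search(line)
        if not (ip_m and mac_m):
            continue
        mac = normalize_mac(mac_m.group(1))
        if is_multicast(mac):  # broadcast/multicast rows are not devices
            continue
        devices[mac] = Device(mac, ip=ip_m.group(1), sources={"arp"})
    return devices


def parse_dnsmasq_leases(text: str) -> dict[str, Device]:
    """dnsmasq lease file rows: `<expiry> <mac> <ip> <hostname> <client-id>`."""
    devices: dict[str, Device] = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mac = normalize_mac(fields[1])
        hostname = "" if fields[3] == "*" else fields[3]
        devices[mac] = Device(mac, ip=fields[2], hostname=hostname, sources={"dhcp"})
    return devices


def merge_views(arp: dict[str, Device], dhcp: dict[str, Device]) -> dict[str, Device]:
    """Union keyed by MAC: the real population is both lists together."""
    merged: dict[str, Device] = {}
    for view in (arp, dhcp):
        for mac, dev in view.items():
            cur = merged.setdefault(mac, Device(mac))
            cur.ip = cur.ip or dev.ip
            cur.hostname = cur.hostname or dev.hostname
            cur.sources |= dev.sources
    return merged


def assess(dev: Device) -> str:
    """Step 3/4 verdict: randomized beats OUI, because a random MAC is never registered."""
    if is_locally_administered(dev.mac):
        return "locally administered MAC: randomized (phone default) or spoofed"
    vendor = oui_vendor(dev.mac)
    if vendor:
        return f"vendor {vendor}"
    return "burned-in OUI not in local table: look it up in the IEEE registry"


def triage(merged: dict[str, Device], inventory: set) -> list[dict]:
    """Everything not in the inventory, with the facts Step 2 says to record."""
    known = {normalize_mac(m) for m in inventory}
    return [
        {"mac": mac, "ip": dev.ip, "hostname": dev.hostname,
         "seen_in": sorted(dev.sources), "assessment": assess(dev)}
        for mac, dev in sorted(merged.items()) if mac not in known
    ]


# Constructed `ip neigh` output: .200 never answered ARP, .50 has a static IP.
SAMPLE_ARP = """\
192.168.1.10 dev eth0 lladdr b8:27:eb:4f:2a:1c REACHABLE
192.168.1.42 dev eth0 lladdr ec:fa:bc:12:34:56 STALE
192.168.1.77 dev eth0 lladdr 6a:1f:0c:9d:41:b2 REACHABLE
192.168.1.50 dev eth0 lladdr 00:1e:c9:09:00:a7 DELAY
192.168.1.200 dev eth0 FAILED
"""

# Constructed dnsmasq-style lease table: .120 is asleep, so it is absent from ARP.
SAMPLE_LEASES = """\
1749600000 b8:27:eb:4f:2a:1c 192.168.1.10 raspberrypi 01:b8:27:eb:4f:2a:1c
1749600000 ec:fa:bc:12:34:56 192.168.1.42 ESP_123456 *
1749600000 6a:1f:0c:9d:41:b2 192.168.1.77 android-9d41b2 *
1749600000 f0:18:98:7e:55:01 192.168.1.120 Daves-iPhone *
"""

INVENTORY = {"b8:27:eb:4f:2a:1c"}  # constructed: the Pi you already know about


def run_sample() -> list[dict]:
    merged = merge_views(parse_arp(SAMPLE_ARP), parse_dnsmasq_leases(SAMPLE_LEASES))
    return triage(merged, INVENTORY)


if __name__ == "__main__":
    for s in run_sample():
        print(f"{s['mac']}  {s['ip']:<14} {s['hostname'] or '-':<15} "
              f"{'+'.join(s['seen_in']):<9} {s['assessment']}")
```

Run it and the suspect list comes out with the fields Step 2 asks for: the android-9d41b2 row is flagged as locally administered rather than "unknown vendor", the static-IP box at .50 appears from ARP only, and the iPhone appears from DHCP only because it is asleep. Swap the embedded OUI table for the full IEEE registry before trusting the vendor column on a real network.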

Step 5. Interrogate the device directly

When the OUI isn't enough, the device's open ports usually finish the job. Run a scan against its IP, or check specific ports with the Port Checker:

  • 80/443 open → it has a web interface. Open it in a browser; IoT devices, printers, and cameras almost always identify themselves on their landing page.
  • 22 open → SSH. Likely a Linux box, NAS, or Raspberry Pi.
  • 9100 / 631 → printer.
  • 554 → RTSP, almost certainly a camera.
  • 8009 / 8443 → frequently a Chromecast or smart-TV stack.

For the methodology, see how to check open ports. Also try a reverse pass: nmap -O for OS fingerprinting (run as root; it needs at least one open and one closed port to give a confident guess), a reverse DNS lookup of the IP (nslookup, or dig -x), and a name query over the local-discovery protocols, which nslookup does not speak: avahi-resolve -a for mDNS on Linux, nbtscan or nmblookup -A for NetBIOS names. The name a device announces over mDNS frequently includes its model.

Step 6. Decide and act

For each device, you end in one of three states:

  1. Identified and authorized. Add it to your inventory with its MAC, vendor, and owner, so next month's sweep doesn't repeat this work.
  2. Identified and unauthorized. A neighbour on your Wi-Fi, an employee's personal gear on the corporate VLAN. Block it at the router, then rotate the Wi-Fi passphrase; blocking the MAC alone is trivially bypassed by spoofing.
  3. Unidentified. Isolate it: most routers let you block a client or drop it onto a quarantine VLAN. Watch whether anything in the building stops working; that's a surprisingly effective identification technique. If nothing breaks and nobody complains, leave it blocked.

Common mistakes

Trusting the hostname. Hostnames are self-reported. Anything can call itself HP-Printer.

Treating a missing OUI as a threat. Random MACs from phones are normal now. Locally administered bit set ≠ attacker.

Blocking by MAC and calling it done. MAC blocks stop accidents, not adversaries. If you found a genuinely hostile device, the credential it used to join is burned; rotate it.

Sweeping the wrong range. Verify your actual subnet boundaries with the Subnet Calculator before declaring the sweep complete.

TL;DR

  1. Sweep the subnet (nmap -sn), then dump the ARP table (arp -a, or ip neigh on Linux) and the DHCP lease table. Use the union.
  2. List the MACs you can't attribute.
  3. Run each through the MAC Address Lookup tool; the vendor usually identifies the device class.
  4. Second hex digit 2/6/A/E = randomized or spoofed MAC. On phones, that's the default and benign.
  5. Port-scan the stubborn ones; web interfaces and service ports give devices away.
  6. Authorize and inventory, or block and rotate credentials. Never just block and forget.

Related

  • MAC Address Lookup tool: OUI to vendor in one paste
  • MAC address forensics: what MACs prove and what they don't
  • How to check open ports: the device-interrogation step in detail
Related guides
  • How to implement MAC address filtering

    Set up a MAC allowlist on your router or switch, work around MAC randomization on modern phones, and understand what filtering actually protects against.

  • How to audit network security

    Run a systematic network security audit: device inventory, open-port review, DNS and certificate checks, firewall cleanup, and findings that get fixed.