Every network security guide assumes you know what's on your network. Almost nobody does. Devices accumulate (a test Raspberry Pi that became production, a smart TV in the conference room, the printer somebody expensed) and within a year the gap between "what we think we run" and "what's actually answering ARP" is wide enough to hide real problems in.
An asset inventory closes that gap. The trick isn't building it; that's an afternoon. The trick is building it so it stays accurate, which is mostly about choosing stable identifiers and putting reconciliation on a schedule.
What to track, and what to key on
A useful inventory row contains:
| Field | Why |
|---|---|
| MAC address | The primary key: survives IP changes and re-imaging |
| Vendor (from OUI) | Sanity check and device-class hint |
| Device type / model | What it actually is |
| Hostname | Convenience; self-reported, don't trust it |
| IP address + static/DHCP | Where it lives on the network |
| Physical location | Where it lives in the building |
| Owner / responsible person | Who you call |
| Purchase date / warranty end | Lifecycle planning |
| First seen / last verified | Staleness detection |
Key on the MAC address, not the IP and not the hostname. IPs get reassigned by DHCP; hostnames are whatever the device claims. The MAC is the most stable identifier you can collect passively, with one caveat covered below.
Format: for under ~50 devices, a spreadsheet is genuinely fine and beats a half-configured asset-management system. Past that, look at something purpose-built (Snipe-IT, NetBox). The process below is identical either way.
Step 1. Discover everything on the network
Run an active sweep of each subnet:
nmap -sn 192.168.1.0/24
-sn is host discovery without a port scan: fast and low-impact. Run it from a machine on the segment so you get MAC addresses in the output (off-segment scans only see IPs, because MACs don't cross routers). If you're unsure of your subnet boundaries (common after VLAN changes or on inherited networks), verify the actual range with the Subnet Calculator before sweeping.
Then capture the ARP table the sweep populated:
# Windows / macOS arp -a # Linux ip neigh
Repeat per VLAN/subnet. Sweep at a busy time of day; you want devices powered on.
Step 2. Reconcile against the DHCP lease table
The sweep only finds devices that are awake. The DHCP lease table on your router or DHCP server catches the rest: laptops that are out of the office, seasonal equipment, anything sleeping. Export or copy the lease list and merge it with the sweep results.
The three-way comparison is where the insight is:
- In ARP but not in leases → statically configured device. Make sure its IP is documented and outside the DHCP pool.
- In leases but not in ARP → currently offline. Keep it in the inventory; flag the last-seen date.
- In both → normal DHCP client.
Step 3. Identify each device by its MAC
For every MAC in the merged list, look up the manufacturer: the OUI (first three octets) maps to the hardware vendor. Paste them through the MAC Address Lookup tool and record the result. The vendor immediately classifies most devices: Espressif means IoT, Apple means somebody's laptop or phone, Hewlett Packard plus port 9100 means printer.
For anything the OUI doesn't settle, interrogate the device: open its IP in a browser (IoT gear, printers, and cameras self-identify on their web UIs), or probe service ports with the Port Checker: SSH suggests a Linux box, 9100 a printer, 554 a camera. The full identification workflow is in how to identify unknown network devices; the deeper background on MAC evidence is in MAC address forensics.
The randomization caveat: modern iPhones and Android phones present a randomized, per-network MAC by default (second hex digit 2, 6, A, or E in the first octet). For infrastructure (servers, printers, APs, IoT), MACs are stable and excellent keys. For employee phones, either record the randomized MAC your network actually sees (it's stable per network on iOS unless the user resets it) or track phones by owner rather than by MAC and accept the fuzziness. Don't let phone churn convince you the whole inventory is broken.
Step 4. Add the offline-world data
The scan gives you the network truth. Now walk the building once and add what packets can't tell you: physical location, asset-tag numbers, serial numbers, purchase dates, warranty expirations. Photograph rack layouts and label patch panels while you're there; future-you will be grateful.
For multi-site setups, note which site each subnet serves. If you manage anything exposed to the internet, recording the public IP and confirming where it actually terminates via IP Geolocation catches the occasional surprise: a "decommissioned" VPS still answering, or a service hosted somewhere other than the region your compliance docs claim.
Step 5. Put reconciliation on a schedule
A one-time inventory is a snapshot that starts rotting immediately. The maintenance loop is what makes it an asset:
- Monthly (15 minutes): re-run the sweep, diff against the inventory. New MACs get identified and added or investigated. Known MACs that haven't been seen in 60+ days get flagged: is the device retired, stolen, or just unplugged?
- Quarterly: verify the high-value rows physically. Check warranty dates within 90 days of expiry.
- On every change: new device provisioned, device retired, device reassigned. The inventory update is part of the task, not a follow-up. This is the discipline that separates inventories that work from inventories that get rebuilt from scratch every two years.
Automate the diff if you can: a cron job running nmap -sn plus a script comparing MACs against the inventory export, mailing you only the delta. The monthly review then takes minutes.
Why this pays off
- Security: an unknown device on the network is only detectable if "known" is written down. Every incident-response process starts with the asset list.
- Troubleshooting: "which device has 192.168.1.74" stops being an archaeology project.
- Access control: the inventory is the prerequisite (and the main genuine benefit) of MAC address filtering.
- Money: warranty dates tracked means hardware replaced under warranty instead of out of pocket, and quiet subscription-attached devices (cellular routers, licensed appliances) noticed before renewal.
TL;DR
- Sweep each subnet with
nmap -sn, capturearp -a, and merge with the DHCP lease table; the union is your device population. - Key the inventory on MAC addresses; record vendor via the MAC Address Lookup tool for every row.
- Identify stubborn devices via their web UIs and open ports.
- Expect randomized MACs from phones (
2/6/A/Esecond digit); track infrastructure by MAC, phones by owner. - Add physical data: location, serials, warranty dates.
- Monthly diff, quarterly physical check, update-on-change. The schedule is the inventory.
Related
- How to identify unknown network devices: the workflow for every unrecognised MAC the diff turns up
- How to implement MAC address filtering: enforce the inventory at the access layer
- MAC Address Lookup tool: OUI to vendor, the core lookup behind all of this