What’s on your Linux network?

If you’d like to know what systems and devices are attached to your local network—whether out of security concerns or simple curiosity, Linux has some really great commands for providing answers. In this post, we’ll probe a small network and see how devices can be identified.

nmap

The first tool we’ll use is nmap, which stands for Network Mapper, an open source tool for exploring networks and doing some serious security auditing. It was designed to work quickly even on large networks and provide information using raw packets to identify hosts, services, and sometimes even operating systems.

The simple scan shown below is detecting systems and devices on the local network. The “/24” portion of the target address indicates that all hosts in the 192.168.0.x IP address range are to be included.

$ nmap -sn 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 11:32 EDT
Nmap scan report for _gateway (192.168.0.1)
Host is up (0.0088s latency).
Nmap scan report for 192.168.0.5
Host is up (0.0083s latency).
Nmap scan report for 192.168.0.10
Host is up (0.018s latency).
Nmap scan report for dragonfly (192.168.0.11)
Host is up (0.00030s latency).
Nmap scan report for 192.168.0.14
Host is up (0.00039s latency).
Nmap scan report for 192.168.0.15
Host is up (0.098s latency).
Nmap scan report for 192.168.0.17
Host is up (0.047s latency).
Nmap scan report for 192.168.0.20
Host is up (0.11s latency).
Nmap scan report for 192.168.0.22
Host is up (0.0046s latency).
Nmap scan report for 192.168.0.23
Host is up (0.096s latency).
Nmap scan report for firefly (192.168.0.28)
Host is up (0.044s latency).
Nmap done: 256 IP addresses (11 hosts up) scanned in 11.78 seconds

Run the command with sudo,and you’ll also see the MAC addresses along with some vendor information:

$ sudo nmap -sn 192.168.0.0/24
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-22 08:36 EDT
Nmap scan report for router (192.168.0.1)
Host is up (0.034s latency).
MAC Address: F8:8E:85:35:7F:B9 (Comtrend)
Nmap scan report for 192.168.0.2
Host is up (0.11s latency).
MAC Address: 20:EA:16:01:55:EB (Unknown)
Nmap scan report for 192.168.0.5
Host is up (0.10s latency).
MAC Address: 02:0F:B5:5B:D9:66 (Unknown)
Nmap scan report for 192.168.0.8
Host is up (0.12s latency).
MAC Address: 86:89:DC:1B:9E:B4 (Unknown)
Nmap scan report for 192.168.0.10
Host is up (0.12s latency).
MAC Address: 3C:28:6D:D5:9C:89 (Google)
Nmap scan report for 192.168.0.12
Host is up (0.11s latency).
MAC Address: 44:65:0D:43:ED:44 (Amazon Technologies)
Nmap scan report for 192.168.0.14
Host is up (0.00025s latency).
MAC Address: 9C:3D:CF:E7:F3:71 (Netgear)
Nmap scan report for 192.168.0.17
Host is up (0.11s latency).
MAC Address: AC:63:BE:CA:10:CF (Amazon Technologies)
Nmap scan report for 192.168.0.18
Host is up (0.11s latency).
MAC Address: 04:ED:33:7C:44:C6 (Unknown)
Nmap scan report for 192.168.0.20
Host is up (0.080s latency).
MAC Address: 02:0F:B5:0D:17:27 (Unknown)
Nmap scan report for 192.168.0.22
Host is up (0.0053s latency).
MAC Address: 00:25:B3:F4:74:68 (Hewlett Packard)
Nmap scan report for firefly (192.168.0.28)
Host is up (0.053s latency).
MAC Address: 7C:67:A2:CF:9F:EF (Intel Corporate)
Nmap scan report for dragonfly (192.168.0.11)
Host is up.
Nmap done: 256 IP addresses (13 hosts up) scanned in 11.58 seconds

Notice that host names are provided when they are available to the system.

The network being scanned is my home network. The list shown may seem to include a lot of devices for a home network, but I have a small heterogenous network (one Windows 10 system, two Linux systems and a MacBook Pro) all up and running. In addition, there are at least two other computers in the house, a few tablets, two printers and a scanner. In the scan above, the “-sn” argument string is telling nmap to discover hosts but not to perform port scans.

To do port scanning of  a single system, you could use  a command like this:

$ sudo nmap -sS 192.168.0.28
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 17:00 EDT
Nmap scan report for firefly (192.168.0.28)
Host is up (0.0088s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds
2049/tcp open nfs
MAC Address: 7C:67:A2:CF:9F:EF (Intel Corporate)

As with the first nmap command shown, you could run a port scan of the entire 192.168.0.x network using 192.168.0.0/24 as the scan target.

The output from this nmap command lists the open ports and identifies the service that is running. It also identifies the device as an Intel-based system. This is a laptop running Ubuntu, though the OS wouldn’t be obvious from the output displayed.

On the other hand, the command intended to identify the OS—sudo nmap -O 192.168.0.28—did identify the system as Linux, but guessed x86_64-redhat-linux-gnu, not Ubuntu. When run against my Windows 10 system, a command like that provided a series of “aggressive OS guesses” that included more than a dozen Windows releases.

This next example is more unusual, but fairly clear if you pick out just the right details.

$ sudo nmap -sS 192.168.0.15
Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 17:05 EDT
Nmap scan report for 192.168.0.15
Host is up (0.065s latency).
All 1000 scanned ports on myphone (192.168.0.15) are closed
MAC Address: 38:30:F9:29:F8:A4 (LG Electronics (Mobile Communications))

Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

The device shows no open ports, but we get a hint about what it is in the last line of output—(LG Electronics (Mobile Communications))—which suggests it is a cell phone. The nmap process is able to provide these details by looking up the first half of the MAC address, which is a unique identifier that indicates the device manufacturer. In this case the identifier is 38:30:F9. (You can identify device manufacturers on your own by visiting the maclookup site and plugging in the first half of any MAC address that you’re curious about.)

arp

The arp cache on your system is another place to look for information on local systems. It holds onto IP addresses along with both MAC addresses and the system interface that is used to connect to each system (in this case, all the same interface).

$ arp -a
? (192.168.0.18) at 04:ed:33:7c:44:c6 [ether] on enp0s25 
? (192.168.0.19) at 00:25:00:4e:9e:35 [ether] on enp0s25 
? (192.168.0.22) at 00:25:b3:f4:74:68 [ether] on enp0s25 
? (192.168.0.17) at ac:63:be:ca:10:cf [ether] on enp0s25 
? (192.168.0.12) at 44:65:0d:43:ed:44 [ether] on enp0s25 
? (192.168.0.20) at 02:0f:b5:0d:17:27 [ether] on enp0s25 
? (192.168.0.2) at 20:ea:16:01:55:eb [ether] on enp0s25 
? (192.168.0.24) at e8:4e:06:8a:ad:b7 [ether] on enp0s25 
? myphone (192.168.0.15) at 38:30:f9:29:f8:a4 [ether] on enp0s25 
firefly (192.168.0.28) at 7c:67:a2:cf:9f:ef [ether] on enp0s25 
? (192.168.0.10) at 3c:28:6d:d5:9c:89 [ether] on enp0s25 
_gateway (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on enp0s25 
? (192.168.0.23) at 74:d8:3e:15:b1:25 [ether] on enp0s25 
? (192.168.0.14) at 9c:3d:cf:e7:f3:71 [ether] on enp0s25 
? (192.168.0.5) at 02:0f:b5:5b:d9:66 [ether] on enp0s25 

The information on the right (following the marks) represents my annotations on the devices. My Alexa is probably one of the Amazon devices, but she couldn’t tell me her IP or Mac address when I asked, so I’ve not yet nailed that down. My primary router and range extenders are fairly clear.

Two of the hosts above show names because I just added them to my /etc/hosts file. I might add others, but only if the IPs are static.

Wrap-Up

With just a few commands, you can get a fairly good and surprisingly complete picture of your local network and all the systems and devices connecting to it.