A couple of simple Linux commands can provide a lot of information about the systems and devices attached to your network.

If you’d like to know what systems and devices are attached to your local network, whether out of security concerns or simple curiosity, Linux has some really great commands for providing answers. In this post, we’ll probe a small network and see how devices can be identified.

nmap

The first tool we’ll use is nmap, which stands for Network Mapper, an open source tool for exploring networks and doing some serious security auditing. It was designed to work quickly even on large networks and provide information using raw packets to identify hosts, services, and sometimes even operating systems.

The simple scan shown below detects systems and devices on the local network. The “/24” portion of the target address indicates that all hosts in the 192.168.0.x IP address range are to be included.

    $ nmap -sn 192.168.0.0/24
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 11:32 EDT
    Nmap scan report for _gateway (192.168.0.1)
    Host is up (0.0088s latency).
    Nmap scan report for 192.168.0.5
    Host is up (0.0083s latency).
    Nmap scan report for 192.168.0.10
    Host is up (0.018s latency).
    Nmap scan report for dragonfly (192.168.0.11)
    Host is up (0.00030s latency).
    Nmap scan report for 192.168.0.14
    Host is up (0.00039s latency).
    Nmap scan report for 192.168.0.15
    Host is up (0.098s latency).
    Nmap scan report for 192.168.0.17
    Host is up (0.047s latency).
    Nmap scan report for 192.168.0.20
    Host is up (0.11s latency).
    Nmap scan report for 192.168.0.22
    Host is up (0.0046s latency).
    Nmap scan report for 192.168.0.23
    Host is up (0.096s latency).
    Nmap scan report for firefly (192.168.0.28)
    Host is up (0.044s latency).
    Nmap done: 256 IP addresses (11 hosts up) scanned in 11.78 seconds

Run the command with sudo, and you’ll also see the MAC addresses along with some vendor information:

    $ sudo nmap -sn 192.168.0.0/24
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-22 08:36 EDT
    Nmap scan report for router (192.168.0.1)
    Host is up (0.034s latency).
    MAC Address: F8:8E:85:35:7F:B9 (Comtrend)
    Nmap scan report for 192.168.0.2
    Host is up (0.11s latency).
    MAC Address: 20:EA:16:01:55:EB (Unknown)
    Nmap scan report for 192.168.0.5
    Host is up (0.10s latency).
    MAC Address: 02:0F:B5:5B:D9:66 (Unknown)
    Nmap scan report for 192.168.0.8
    Host is up (0.12s latency).
    MAC Address: 86:89:DC:1B:9E:B4 (Unknown)
    Nmap scan report for 192.168.0.10
    Host is up (0.12s latency).
    MAC Address: 3C:28:6D:D5:9C:89 (Google)
    Nmap scan report for 192.168.0.12
    Host is up (0.11s latency).
    MAC Address: 44:65:0D:43:ED:44 (Amazon Technologies)
    Nmap scan report for 192.168.0.14
    Host is up (0.00025s latency).
    MAC Address: 9C:3D:CF:E7:F3:71 (Netgear)
    Nmap scan report for 192.168.0.17
    Host is up (0.11s latency).
    MAC Address: AC:63:BE:CA:10:CF (Amazon Technologies)
    Nmap scan report for 192.168.0.18
    Host is up (0.11s latency).
    MAC Address: 04:ED:33:7C:44:C6 (Unknown)
    Nmap scan report for 192.168.0.20
    Host is up (0.080s latency).
    MAC Address: 02:0F:B5:0D:17:27 (Unknown)
    Nmap scan report for 192.168.0.22
    Host is up (0.0053s latency).
    MAC Address: 00:25:B3:F4:74:68 (Hewlett Packard)
    Nmap scan report for firefly (192.168.0.28)
    Host is up (0.053s latency).
    MAC Address: 7C:67:A2:CF:9F:EF (Intel Corporate)
    Nmap scan report for dragonfly (192.168.0.11)
    Host is up.
    Nmap done: 256 IP addresses (13 hosts up) scanned in 11.58 seconds

Notice that host names are provided when they are available to the system.

The network being scanned is my home network. The list shown may seem to include a lot of devices for a home network, but I have a small heterogeneous network (one Windows 10 system, two Linux systems and a MacBook Pro) all up and running.
In addition, there are at least two other computers in the house, a few tablets, two printers and a scanner.

In the scan above, the “-sn” argument string is telling nmap to discover hosts but not to perform port scans. To do port scanning of a single system, you could use a command like this:

    $ sudo nmap -sS 192.168.0.28
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 17:00 EDT
    Nmap scan report for firefly (192.168.0.28)
    Host is up (0.0088s latency).
    Not shown: 995 closed ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    111/tcp  open  rpcbind
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    2049/tcp open  nfs
    MAC Address: 7C:67:A2:CF:9F:EF (Intel Corporate)

As with the first nmap command shown, you could run a port scan of the entire 192.168.0.x network using 192.168.0.0/24 as the scan target.

The output from this nmap command lists the open ports and identifies the service that is running. It also identifies the device as an Intel-based system. This is a laptop running Ubuntu, though the OS wouldn’t be obvious from the output displayed. On the other hand, the command intended to identify the OS (sudo nmap -O 192.168.0.28) did identify the system as Linux, but guessed x86_64-redhat-linux-gnu, not Ubuntu. When run against my Windows 10 system, a command like that provided a series of “aggressive OS guesses” that included more than a dozen Windows releases.

This next example is more unusual, but fairly clear if you pick out just the right details.

    $ sudo nmap -sS 192.168.0.15
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-19 17:05 EDT
    Nmap scan report for 192.168.0.15
    Host is up (0.065s latency).
    All 1000 scanned ports on myphone (192.168.0.15) are closed
    MAC Address: 38:30:F9:29:F8:A4 (LG Electronics (Mobile Communications))
    Nmap done: 1 IP address (1 host up) scanned in 0.95 seconds

The device shows no open ports, but we get a hint about what it is in the last line of output, (LG Electronics (Mobile Communications)), which suggests it is a cell phone.
The nmap process is able to provide these details by looking up the first half of the MAC address, which is a unique identifier that indicates the device manufacturer. In this case the identifier is 38:30:F9. (You can identify device manufacturers on your own by visiting the maclookup site and plugging in the first half of any MAC address that you’re curious about.)

arp

The arp cache on your system is another place to look for information on local systems. It holds onto IP addresses along with both MAC addresses and the system interface that is used to connect to each system (in this case, all the same interface).

    $ arp -a
    ? (192.168.0.18) at 04:ed:33:7c:44:c6 [ether] on enp0s25
    ? (192.168.0.19) at 00:25:00:4e:9e:35 [ether] on enp0s25
    ? (192.168.0.22) at 00:25:b3:f4:74:68 [ether] on enp0s25
    ? (192.168.0.17) at ac:63:be:ca:10:cf [ether] on enp0s25
    ? (192.168.0.12) at 44:65:0d:43:ed:44 [ether] on enp0s25
    ? (192.168.0.20) at 02:0f:b5:0d:17:27 [ether] on enp0s25
    ? (192.168.0.2) at 20:ea:16:01:55:eb [ether] on enp0s25
    ? (192.168.0.24) at e8:4e:06:8a:ad:b7 [ether] on enp0s25
    ? myphone (192.168.0.15) at 38:30:f9:29:f8:a4 [ether] on enp0s25
    firefly (192.168.0.28) at 7c:67:a2:cf:9f:ef [ether] on enp0s25
    ? (192.168.0.10) at 3c:28:6d:d5:9c:89 [ether] on enp0s25
    _gateway (192.168.0.1) at f8:8e:85:35:7f:b9 [ether] on enp0s25
    ? (192.168.0.23) at 74:d8:3e:15:b1:25 [ether] on enp0s25
    ? (192.168.0.14) at 9c:3d:cf:e7:f3:71 [ether] on enp0s25
    ? (192.168.0.5) at 02:0f:b5:5b:d9:66 [ether] on enp0s25

The information on the right (following the marks) represents my annotations on the devices. My Alexa is probably one of the Amazon devices, but she couldn’t tell me her IP or MAC address when I asked, so I’ve not yet nailed that down. My primary router and range extenders are fairly clear.

Two of the hosts above show names because I just added them to my /etc/hosts file. I might add others, but only if the IPs are static.
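
An inventory check built on the sudo nmap -sn output shown earlier, as an added example that is not part of the original article: parse_scan lists each host's IP, MAC and vendor and marks MACs whose locally administered bit is set (a common reason the vendor lookup comes back as Unknown), and new_devices reports MACs that are missing from a baseline file. The function names, the baseline file format and the abridged sample are assumptions made for this example.

```shell
# Added example: inventory from `sudo nmap -sn` output (not the article's code).
# Usage (known-macs.txt is a hypothetical baseline, one lowercase MAC per line):
#   sudo nmap -sn 192.168.0.0/24 | new_devices known-macs.txt

# Constructed sample, abridged from the scan shown earlier in the article.
sample_scan() {
cat <<'EOF'
Nmap scan report for router (192.168.0.1)
Host is up (0.034s latency).
MAC Address: F8:8E:85:35:7F:B9 (Comtrend)
Nmap scan report for 192.168.0.5
Host is up (0.10s latency).
MAC Address: 02:0F:B5:5B:D9:66 (Unknown)
Nmap scan report for 192.168.0.8
Host is up (0.12s latency).
MAC Address: 86:89:DC:1B:9E:B4 (Unknown)
Nmap scan report for firefly (192.168.0.28)
Host is up (0.053s latency).
MAC Address: 7C:67:A2:CF:9F:EF (Intel Corporate)
Nmap scan report for dragonfly (192.168.0.11)
Host is up.
EOF
}

# parse_scan: print "ip mac kind vendor" for every host that reported a MAC
# (the scanning host itself reports none and is skipped). kind is "local"
# when the locally administered bit (0x02 of the first octet) is set, so the
# address does not come from a vendor-assigned block; otherwise "oui".
parse_scan() {
  awk '
    /^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip) }
    /^MAC Address:/ {
      mac = tolower($3)
      vendor = $0; sub(/^[^(]*\(/, "", vendor); sub(/\)$/, "", vendor)
      kind = (mac ~ /^.[26ae37bf]/) ? "local" : "oui"
      print ip, mac, kind, vendor
    }'
}

# new_devices BASELINE: read scan output on stdin and print "ip mac" for
# every MAC that is not listed in the baseline file.
new_devices() {
  parse_scan | awk -v base="$1" '
    BEGIN { while ((getline m < base) > 0) known[m] = 1 }
    !($2 in known) { print $1, $2 }'
}
```

Hosts marked local cannot be identified from the MAC prefix, so they have to be recognised some other way before they go into the baseline.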
Wrap-Up

With just a few commands, you can get a fairly good and surprisingly complete picture of your local network and all the systems and devices connecting to it.