Knowing exactly which devices are connected to your wireless network is the first step in maintaining network security. An unknown device on your WiFi could indicate unauthorized access, malware, or a misconfigured IoT device consuming your bandwidth. This guide covers every method — from your router's built-in client list to ARP tables, network scanner apps, and OS-level tools — so you can audit your network completely and take action immediately.
If you identify a device you don't recognize, change your WiFi password immediately, enable MAC address filtering, and review your router's connection logs. An unauthorized device on your network can intercept traffic, access shared files, or use your connection for illegal activity.
Most home networks operate entirely on trust — if a device knows the WiFi password, it gets unrestricted access to the local area network (LAN). This means a single compromised or unauthorized device can communicate with every other device on the same subnet: your NAS drives, printers, smart home hubs, work laptops, and security cameras. Monitoring your connected devices list is the only way to enforce the boundaries of your trusted network perimeter.
The signs of unauthorized network access are often subtle: your internet feels slower than usual, your router's WAN traffic indicator is active when you're not using it, or your internet provider reports unusually high data consumption. By running a systematic device audit at least once a month, you can detect freeloaders, rogue IoT devices phoning home to malicious servers, and any device that has lingered beyond its welcome.
The modern home network is remarkably complex. A typical household with two adults and two children can easily have 30 to 50 connected devices: smartphones, tablets, laptops, smart TVs, gaming consoles, smart speakers, thermostats, doorbells, light bulbs, and more. Each of these represents a potential attack surface. Regular audits also help you identify devices running outdated firmware, which may contain known security vulnerabilities. For the full security hardening picture, see our WiFi Security Guide.
Your router maintains a real-time record of every device it has issued an IP address to via DHCP. This is the fastest and most authoritative source for connected device information. To access it, open a browser, navigate to your router's admin panel (see our router login guide), and look for the sections described below by brand:
Log in at router.asus.com or 192.168.1.1. On the main dashboard, click Network Map. Click on the Clients icon (usually showing a person icon with a number). This lists every connected device with its IP, MAC address, hostname, and connection type (2.4 GHz / 5 GHz / Ethernet). You can also go to Wireless > Wireless Statistics for wireless-only clients.
Log in at tplinkwifi.net or 192.168.0.1. Navigate to Advanced > Network Map or Wireless > Wireless Statistics. The Wireless Statistics tab shows MAC addresses and signal strength for wireless clients. For a complete list including wired clients, go to Advanced > IP & MAC Binding > ARP List.
Log in at routerlogin.net. Navigate to Basic > Attached Devices or Advanced > Administration > Attached Devices. This shows all wired and wireless clients with their IP, MAC, and device name. Orbi mesh systems show attached devices per node.
| Column Name | What It Means | How to Use It |
|---|---|---|
| IP Address | The local network address assigned to the device. | Ping it or use nslookup to resolve its hostname. |
| MAC Address | Hardware identifier burned into the device's NIC. | Look up the first 6 digits (OUI) to identify the manufacturer. |
| Hostname / Name | The network name the device broadcasts (set in OS settings). | Compare against your known device names list. |
| Connection Type | Whether connected via 2.4 GHz, 5 GHz, or Ethernet. | Wired devices should be things like desktops or NAS units. |
| Lease Time | How long until the IP address assignment expires. | Short remaining time means the device may soon disconnect. |
The DHCP (Dynamic Host Configuration Protocol) server running inside your router maintains a lease table — a database of every IP address it has assigned, to which MAC address, and for how long. This table is especially useful for catching devices that recently disconnected but were previously on your network.
To find the DHCP lease table, log into your router settings and navigate to: Advanced > DHCP Server > DHCP Client List (TP-Link), LAN > DHCP Server > Clients List (ASUS), or Advanced > LAN Setup (Netgear). The lease table shows both currently connected and recently expired leases (active vs. inactive), giving you a historical view of who has been on your network even if they are no longer present.
DHCP lease duration is configured in the router settings (typically 24 hours for home routers, 8 hours for some consumer models). A device that connected to your network this morning but is now turned off will still appear in the lease table until the lease expires. This makes DHCP leases a valuable forensic tool — if you see an unfamiliar device with a recently expired lease, it was on your network within the last 24 hours.
The ARP (Address Resolution Protocol) cache is a table maintained by each computer that records the IP-to-MAC address mappings of every device it has directly communicated with on the local network. Unlike the router's client list (which shows what the router sees), the ARP table shows what your specific computer has seen — useful for cross-referencing and detecting discrepancies.
Open Command Prompt and run:
arp -aFor a detailed neighbor table with state info:
Get-NetNeighborOpen Terminal and run:
arp -aFor a subnet-wide scan via nmap (install with Homebrew):
nmap -sn 192.168.1.0/24View neighbor table:
ip neigh showFull LAN scan with arp-scan:
sudo arp-scan --localnetThe ARP table output shows each device as an IP address followed by its MAC address and the interface it is reachable on. Entries marked as dynamic are real discovered devices; entries marked as static are manually added or loopback addresses. ARP entries expire after a period of inactivity (typically 2–20 minutes depending on OS), so this method is best used when devices are actively on the network.
Fing is one of the most powerful and user-friendly network discovery tools available. It goes beyond the basic ARP scan by actively fingerprinting devices using a combination of ARP, mDNS, SNMP, and UPNP probes, cross-referencing results against a proprietary device database covering millions of hardware models. This means Fing can often identify a Samsung Galaxy S24, a Ring doorbell, or a Sonos speaker by hardware signature alone — something the router's plain client list cannot do.
How to use Fing: Download the Fing app on iOS or Android (free), connect your phone to the WiFi network you want to audit, and tap Devices at the bottom of the screen. Fing automatically discovers all active devices and displays their IP, MAC, manufacturer (OUI), hostname, and detected device type. For desktop use, Fing also offers Fing Desktop for Windows and macOS, which supports continuous background monitoring and alert notifications when new devices join the network.
The continuous monitoring feature (requires a free Fing account) is particularly valuable for security — it sends an alert to your phone whenever a new device connects to your network, giving you real-time intrusion detection without requiring dedicated hardware.
Angry IP Scanner is a fast, lightweight, open-source network scanner available for Windows, macOS, and Linux. It sweeps a specified IP range (for example, 192.168.1.1–192.168.1.254) by sending ICMP ping packets to each address and recording which ones respond. It then resolves hostnames via DNS/NetBIOS and optionally scans for open ports.
192.168.1.1 to 192.168.1.254 (or 192.168.0.1 to 192.168.0.254).Unlike Fing, Angry IP Scanner does not require an account and performs purely local discovery with no external data transmission. It is best suited for technical users who want full control over their scanning parameters and prefer a desktop-first tool.
Windows provides several native tools for discovering devices on your local network without installing third-party software. These are available in all modern versions of Windows 10 and Windows 11.
Command Prompt: net view
net view /allLists all Windows computers and shared resources visible on the local network via the NetBIOS/SMB protocol. Does not show non-Windows devices.
PowerShell: Get-NetNeighbor
Get-NetNeighbor -State Reachable | Select-Object IPAddress, LinkLayerAddress, StateReturns the ARP/NDP neighbor cache showing all reachable devices. More detailed than arp -a, with state information for each entry.
File Explorer: Network
Open File Explorer and click Network in the left sidebar. Windows will scan for UPnP, SMB, and DLNA devices and display them visually. Ensure Network Discovery is enabled in Advanced Sharing Settings for this to work.
macOS provides both GUI and command-line methods for discovering local network devices. The most comprehensive approach combines the built-in ARP cache with a Bonjour browser and optional nmap scanning.
Terminal: arp -a
Run in Terminal to see the ARP cache:
arp -anmap Full Subnet Scan (via Homebrew)
nmap -sn 192.168.1.0/24Install nmap via Homebrew (brew install nmap). This performs a ping scan of the entire /24 subnet and reports all responding hosts with their MAC addresses and manufacturer.
Finder: Network Browser
Open Finder and click Network in the sidebar. macOS uses Bonjour (mDNS) to discover Apple devices, AirPlay receivers, and SMB shares. This is limited to Bonjour-announcing devices.
Linux provides the most powerful set of native network discovery tools. The following commands work across most distributions (Ubuntu, Debian, Fedora, Arch).
| Command | What It Does | Install Required? |
|---|---|---|
| ip neigh show | Shows ARP/NDP neighbor table with state and MAC addresses. | No (iproute2) |
| arp -a | Legacy ARP cache display; shows IP and MAC of known hosts. | No (net-tools) |
| nmap -sn 192.168.1.0/24 | Ping sweep of entire subnet; reports all responding hosts + MACs. | nmap package |
| sudo arp-scan --localnet | ARP scan of local network; very fast, shows all hosts. | arp-scan package |
| cat /var/lib/dhcp/dhcpd.leases | View DHCP lease database if your machine is the DHCP server. | No (if DHCP server running) |
Discovering an unfamiliar device is alarming, but not every unknown entry is an intruder. Before taking action, follow this systematic identification process:
Take the first 6 characters (OUI prefix) of the device's MAC address and look it up at macvendors.com or similar. This reveals the hardware manufacturer — helping you identify cameras (Hikvision, Ring), smart TVs (Samsung, LG), or IoT devices (Espressif for ESP8266/ESP32 modules).
Systematically check the MAC address or network name of every device in your home — including those you may have forgotten about: old tablets, smart plugs, NAS devices, printers, or game consoles on standby.
If you cannot identify the device after a thorough check, block it immediately via your router's Access Control or MAC filter. Then change your WiFi password to invalidate any cached credentials. See our guide on how to block a device on your router.
After blocking the device, use the opportunity to upgrade your network security: enable WPA3, disable WPS, create a guest network for visitors, and review your router's firmware version. See our full WiFi Security Guide.
For complete instructions on removing a device from your network using MAC filtering, ACL rules, or parental controls, see our detailed guide: How to Block a Device on Your Router. To change your WiFi password and invalidate all existing connections, visit our WiFi Password Change Guide.
Smart plugs, thermostats, cameras, and other IoT devices are often connected and forgotten. They appear as unknown entries in your client list because their hostnames are not descriptive.
Every person you give your WiFi password to can share it further. Without a guest network, the original password propagates across an uncontrolled number of devices.
Modern iOS (iOS 14+) and Android (11+) devices use randomized MAC addresses by default. The same phone appears under a different MAC each time it connects to a new network, creating apparent 'unknown' entries.
If you use a common SSID (like 'Home' or 'WiFi') and your neighbor has the same network name with the same password (common with ISP-supplied routers), their devices may occasionally appear on your network.
Open a browser and navigate to your router's default gateway IP (192.168.1.1 or 192.168.0.1). Log in with admin credentials. If you have never changed these, check the sticker on the underside of the router.
Inside the admin panel, navigate to the Wireless Statistics, Network Map, Attached Devices, or DHCP Client List section. This shows all currently connected devices with their IP address, MAC address, and hostname.
Open Command Prompt (Windows) or Terminal (macOS/Linux) and type: arp -a. This lists every device your computer has recently communicated with on the local network, including their IP and MAC address.
Download Fing on your smartphone or Angry IP Scanner on your desktop. Run a full LAN scan of your subnet (e.g., 192.168.1.0/24). These tools fingerprint devices by MAC vendor OUI, hostname, and open ports, making identification easier than the router list alone.
Create a list of every device you own with its MAC address. Cross-reference this against the router's client list and your ARP/scanner results. Any device not on your known list is a candidate for investigation or blocking.
If you suspect your ISP-supplied router has been compromised or you cannot access the admin panel after multiple attempts, contact your ISP. They can remotely audit the device or issue a replacement gateway. Also contact your ISP if your router repeatedly shows unknown devices even after changing credentials, which may indicate a compromised modem.
The most reliable method is to log into your router's admin panel (typically at 192.168.1.1 or 192.168.0.1) and navigate to the Connected Devices, DHCP Client List, or Network Map section. This shows every device currently assigned an IP address on your network. For a more complete picture, combine this with a network scanner app like Fing or Angry IP Scanner, which can detect devices the router might not list by hostname.
MAC (Media Access Control) address filtering allows you to create an allowlist or blocklist of hardware identifiers. When enabled in allowlist mode, only devices whose MAC addresses are explicitly listed can connect to your WiFi, even if they know the password. In blocklist mode, specific devices are denied access while all others can connect. Note that MAC addresses can be spoofed by determined attackers, so this should be one layer among several security measures.
In most cases, no — any device connected to your WiFi must obtain an IP address via DHCP (or set a static IP manually), and both scenarios result in the device appearing in the ARP table and typically the DHCP lease table. However, a sophisticated attacker using a static IP within your subnet's range could potentially avoid the DHCP lease list while still appearing in ARP tables. Running both an ARP scan and checking DHCP leases together provides the most comprehensive view.
ARP (Address Resolution Protocol) is the network protocol that maps IP addresses to MAC addresses on a local network. Your computer maintains an ARP cache (table) that records the IP-to-MAC address mappings of every device it has communicated with recently. Running 'arp -a' in Command Prompt or Terminal displays this cache, giving you a snapshot of active devices on your subnet. Entries expire after a period of inactivity, so the ARP table shows recently active devices rather than a complete historical list.
Fing is a well-established network discovery tool developed by Fing Ltd, a reputable company. The app scans your local network using standard ARP and mDNS discovery techniques — it does not send any of your network data to external servers during a basic scan. The free version provides excellent device identification. Fing does offer optional cloud-connected features (like continuous monitoring) that involve account registration. For basic one-time scanning, it is considered safe and is widely used by IT professionals.
Start by checking the router's DHCP client list — it often shows the hostname alongside the IP and MAC address. If the hostname is not descriptive, look up the first 6 characters of the MAC address (the OUI) using an online MAC vendor lookup tool (such as macvendors.com). This reveals the device manufacturer, which usually narrows down what the device is. You can also try pinging the IP and then running 'nslookup [IP address]' to see if the device has a resolvable hostname on your network.
Unknown devices on your network are typically caused by: (1) your own devices you've forgotten about (smart TVs, old tablets, IoT sensors, printers, mesh satellite nodes); (2) devices belonging to household members you weren't aware of; (3) an unauthorized user who obtained your WiFi password; or (4) a device with MAC address randomization that makes it appear under a different identifier each time it connects (common in modern iOS and Android devices). Systematically audit each device before assuming it is unauthorized.
The most effective method is to change your WiFi password — this immediately disconnects all devices and requires every user to re-authenticate. If you want to block a specific device without changing your password for others, use your router's MAC address filtering or Access Control List to add that device's MAC to a block/deny list. For detailed brand-specific instructions, see our guide on how to block a device on your router. You should also enable WPA3 and a strong passphrase to prevent re-entry.