Your home network—and everything connected to it—is like a vault. Behind your login lies tons of valuable information, from unencrypted files containing personal data to devices that can be hijacked and used for any purpose. In this post, we’ll show you how to map out your network, take a peek under the covers to see who’s talking to what, and how to uncover devices or processes may be sucking down bandwidth (or are unexpected guests on your network).
In short: You’ll be able to recognize the signs that something on your network is compromised. We’ll assume you’re familiar with some networking basics, like how to find your router’s list of devices and what a MAC address is. If not, head over to our Know Your Network night school to brush up first.
Before we go any further, though, we should issue a warning: Use these powers for good, and only run these tools and commands on hardware or networks you own or manage. Your friendly neighborhood IT department wouldn’t like you port scanning or sniffing packets on the corporate network, and neither would all the people at your local coffee shop.
Step one: Make a network map
Before you even log onto your computer, write down what you think you know about your network. Start with a sheet of paper and jot down all of your connected devices. That includes things like smart TVs, smart speakers, laptops and computers, tablets and phones, or any other device that might be connected to your network. If it helps, draw a room-by-room map of your home. Then write down every device and where it lives. You may be surprised by exactly how many devices you have connected to the internet at the same time.
Network admins and engineers will recognize this step—it’s the first step in exploring any network you’re not familiar with. Do an inventory of the devices on it, identify them, and then see if the reality matches up with what you expect. If (or when) it doesn’t, you’ll be able to quickly separate what you do know from what you don’t know.
You may be tempted to just log in to your router and look at its status page to see what’s connected, but don’t do that yet. Unless you can identify everything on your network by its IP and MAC address, you’ll just get a big list of stuff—one that includes any intruders or freeloaders. Take a physical inventory first, then move on to the digital one.
Step two: Probe your network to see who’s on it
Once you have a physical map of your network and a list of all of your trusted devices, it’s time to go digging. Log in to your router and check its list of connected devices. That’ll give you a basic list of names, IP addresses, and MAC addresses. Remember, your router’s device list may or may not show you everything. It should, but some routers show you only the devices that use the router for its IP address. Either way, keep that list to the side—it’s good, but we want more information.
Download and install Nmap
Next, we’re going to turn to our old friend Nmap. For those unfamiliar, Nmap is a cross-platform, open-source network scanning tool that can find devices are on your network, along with a ton of detail on those devices. You can see the operating system they’re using, IP and MAC addresses, and even open ports and services. Download Nmap here, check out these install guides to set it up, and follow these instructions to discover hosts on your home network.
One option is to install and run Nmap from the command line (if you want a graphical interface, Zenmap usually comes with the installer). Scan the IP range you’re using for your home network. This uncovered most of the active devices on my home network, excluding a few I have some enhanced security on (although those were discoverable too with some of Nmap’s commands, which you can find in the link above).
Compare Nmap’s list with your router’s list
You should see the same things on both lists unless something you wrote down earlier is powered off now. If you see something on your router that Nmap didn’t turn up, try using Nmap against that IP address directly.
Then look at the information Nmap finds about the device. If it’s claiming to be an Apple TV, it probably shouldn’t have services like http running, for example. If it looks strange, probe it specifically for more information.
Nmap is an extremely powerful tool, but it’s not the easiest to use. If you’re a little gun-shy, you have some other options. Angry IP Scanner is another cross-platform utility that has a good-looking and easy-to-use interface that will give you a lot of the same information. Wireless Network Watcher is a Windows utility that scans wireless networks you’re connected to. Glasswire is another great option that’ll notify you when devices connect or disconnect from your network.
Step Three: Sniff around and see who everyone is talking to
By now, you should have a list of devices you know and trust, and a list of devices that you’ve found connected to your network. With luck, you’re finished here, and everything either matches up or is self-explanatory (like a TV that’s currently turned off, for example).
However, if you see any actors you don’t recognize, services running that don’t correspond to the device (Why is my Roku running postgresql?), or something else feels off, it’s time to do a little sniffing. Packet sniffing, that is.
When two computers communicate, either on your network or across the internet, they send bits of information called “packets” to one another. Put together, those packets create complex data streams that make up the videos we watch or the documents we download. Packet sniffing is the process of capturing and examining those bits of information to see where they go and what they contain.
To do this, we’ll need Wireshark. It’s a cross-platform network monitoring tool that we used to do a little packet sniffing in our guide to sniffing out passwords and cookies. In this case, we’ll be using it in a similar manner, but our goal isn’t to capture anything specific, just to monitor what types of traffic are going around the network.
To do this, you’ll need to run Wireshark over wifi in “promiscuous mode.” That means it’s not just looking for packets heading to or from your computer—it’s out to collect any packets it can see on your network.
Follow these steps to get set up:
- Download and install Wireshark
- Select your wifi adapter.
- Click Capture > Options—and as you can see in the video above (courtesy of the folks over at Hak5), you can select “Capture all in promiscuous mode” for that adapter.
Now you can start capturing packets. When you start the capture, you’re going to get a lot of information. Luckily, Wireshark anticipates this and makes it easy to filter.
Since we’re just looking to see what the suspicious actors on your network are doing, make sure the system in question is online. Go ahead and capture a few minutes’ worth of traffic. Then you can filter that traffic based on the IP address of that device using Wireshark’s built-in filters.
Doing this gives you a quick view of who that IP address is talking to and what information they’re sending back and forth. You can right-click on any of those packets to inspect it, follow the conversation between both ends, and filter the whole capture by IP or conversation. For more, check out Wireshark’s detailed filtering instructions.
You may not know what you’re looking at (yet)—but that’s where a little sleuthing comes in.
Analyze sketchy activity
If you see that suspicious computer talking to a strange IP address, use the nslookup command (in the command prompt in Windows, or in a terminal in OS X or Linux) to get its hostname. That can tell you a lot about the location or type of network your computer is connecting to. Wireshark also tells you the ports being used, so Google the port number and see what applications use it.
If, for example, you have a computer connecting to a strange hostname over ports often used for IRC or file transfer, you may have an intruder. Of course, if you find the device is connecting to reputable services over commonly used ports for things like email or HTTP/HTTPS, you may have just stumbled on a tablet your roommate never told you he owned, or someone next door stealing your wifi. Either way, you’ll have the data required to figure it out on your own.
Step four: Play the long game and log your captures
Of course, not every bad actor on your network will be online and leeching away while you’re looking for them. Up to this point, we’re taught you how to check for connected devices, scan them to identify who they really are, and then sniff a little of their traffic to make sure it’s all above board. However, what do you do if the suspicious computer is doing its dirty work at night when you’re sleeping, or someone’s leeching your wifi when you’re at work all day and not around to check?
Use network monitoring software
There are a couple of ways to address this. One option is to use a program like Glasswire, which we mentioned earlier. This software will alert you when someone’s connected to your network. When you wake up in the morning or come home from work, you can see what happened while you weren’t looking.
Check your router’s log
Your next option is to use your router’s logging capabilities. Buried deep in your router’s troubleshooting or security options is usually a tab dedicated to logging. How much you can log and what kind of information varies by router, but options may include incoming IP, destination port number, outgoing IP or URL filtered by the device on your network, internal IP address and their MAC address, and which devices on your network have checked in with the router via DHCP for their IP address (and, by proxy, which have not.) It’s pretty robust, and the longer you leave the logs running, the more information you can capture.
Custom firmware like DD-WRT and Tomato (both of which we’ve shown you how to install) allow you to monitor and log bandwidth and connected devices for as long as you want, and can even dump that information to a text file that you can sift through later. Depending on how you have your router set up, it can even email that file to you regularly or drop it on an external hard drive or NAS.
Either way, using your router’s oft-ignored logging feature is a great way to see if, for example, after midnight and everyone’s gone to bed, your gaming PC suddenly starts crunching and transmitting a lot of outbound data, or you have a regular leech who likes to hop on your wifi and start downloading torrents at odd hours.
Keep Wireshark running
Your final option, and kind of the nuclear option at that, is to just let Wireshark capture for hours—or days. It’s not unheard of, and many network administrators do it when they’re really analyzing strange network behavior. It’s a great way to pin down bad actors or chatty devices. However, it does require leaving a computer on for ages, constantly sniffing packets on your network, capturing everything that goes across it, and those logs can take up a good bit of space. You can trim things down by filtering captures by IP or type of traffic, but if you’re not sure what you’re looking for, you’ll have a lot of data to sift through when you’re looking at a capture over even a few hours. Still, it will definitely tell you everything you need to know.
In all of these cases, once you have enough data logged, you’ll be able to find out who’s using your network, when, and if their device matches up with the network map you made earlier.
Step Five: Lock your network down
If you’ve followed along to here, you’ve identified the devices that should be able to connect to your home network, the ones that actually connect, identified the differences, and hopefully figured out if there are any bad actors, unexpected devices, or leeches hanging around. Now all you have to do is deal with them, and surprisingly, that’s the easy part.
Wifi leeches will get the boot as soon as you lock down your router. Before you do anything else, change your router’s password, and turn off WPS if it’s turned on. If someone’s managed to log directly into your router, you don’t want to change other things only to have them log in and regain access. Make sure that you use a good, strong password that’s difficult to brute force.
Next, check for firmware updates. If your leech has made use of an exploit or vulnerability in your router’s firmware, this will keep them out—assuming that exploit’s been patched, of course. Finally, make sure your wireless security mode is set to WPA2 (because WPA and WEP are very easy to crack) and change your wifi password to another good, long password that can’t be brute-forced. Then, the only devices that should be able to reconnect are ones you give the new password to.
That should take care of anyone leeching your wifi and doing all their downloading on your network instead of theirs. It’ll help with wired security, too. If you can, you should also take a few additional wireless security steps, like turning off remote administration or disabling UPnP.
For bad actors on your wired computers, you have some hunting to do. If it’s actually a physical device, it should have a direct connection to your router. Start tracing cables and talking to your roommates or family to see what’s up. Worst case, you can always log back onto your router and block that suspicious IP address entirely. The owner of that set-top box or quietly plugged-in computer will come running pretty quickly when it stops working.
The bigger worry here, though, is compromised computers. A desktop that’s been hijacked and joined to a botnet for overnight Bitcoin mining, for example, or a machine infected with malware that calls home and sends your personal information to who-knows-where, can be bad.
Once you narrow your search to specific computers, it’s time to root out where the problem lies on each machine. If you’re really worried, take the security engineer’s approach to the problem: Once your machines are owned, they’re no longer trustworthy. Blow them away, reinstall, and restore from your backups. (You do have backups of your data, don’t you?) Just make sure you keep an eye on your PC—you don’t want to restore from an infected backup and start the process all over again.
If you’re willing to roll up your sleeves, you can grab yourself a solid antivirus utility and an anti-malware on-demand scanner (yes, you’ll need both), and try to clean the computer in question. If you saw traffic for a specific type of application, look to see if it’s not malware or just something someone’s installed that’s behaving badly. Keep scanning until everything turns up clean, and keep checking the traffic from that computer to make sure everything’s okay.
We’ve only really scratched the surface here when it comes to network monitoring and security. There are tons of specific tools and methods that experts use to secure their networks, but these steps will work for you if you’re the network admin for your home and family.
Rooting out suspicious devices or leeches on your network can be a long process, one that requires sleuthing and vigilance. Still, we’re not trying to drum up paranoia. Odds are you won’t find anything out of the ordinary, and those slow downloads or crappy wifi speeds are something else entirely. Even so, it’s good to know how to probe a network and what to do if you find something unfamiliar. Just remember to use your powers for good.
This story was originally published in October 2014 and was updated in October 2019 with current information and resources.