The 4 Best Ways to Discover Devices on an IPv4 Network
After deciding to monitor WiFi Usage to collect insights into your business or organization, you’ll be faced with the choice of how to actually retrieve the device information from your network.
It’s obvious that you can always log in to your wireless router or access point and see the IP addresses and MAC addresses. However, this type of one-time, manual process does not allow for insights or intelligence to be gathered from the changing dynamics of which devices are on the network over distinct periods of time. To gain intelligence from WiFi Usage on your network, you need an automated method of gathering this information.
There are 4 major ways to quickly discover the MAC and IP address of all of the devices on your network over time. They all work a little differently and are better suited for different situations. ARP scans, DHCP leases, SNMP, and Router API Plugins can all give you device information used for wireless intelligence. We will cover each one in detail and finish with an explanation of how you can use the right one for your WiFi.
Finding Devices Using ARP
If you run an IPv4 network then you use ARP. It was first defined in 1982 by RFC 826 as a standardized way to discover MAC addresses attached to IP addresses. The way it works is simple. Every host on a network has a list of devices in its ARP table. The ARP table ties a MAC address to an IP address. If a host wants to send to an IP Address, it first checks its ARP table to see if it knows the MAC address. So what happens if the MAC address is unknown? A host can find a new MAC address by sending a broadcast to all hosts on the local network requesting a response from a certain IP address. If a host has that IP Address, it responds with its MAC address. The sending device then stores that information in its ARP table and can begin exchanging information.
ARP works on any IPv4 network where hosts can receive broadcasts on the local network. Some firewalls may restrict ARP for security reasons. Enterprise network equipment will usually have an option for “isolation mode”, which in essence means hosts cannot communicate with anything except the WLAN gateway. This can be implemented through multiple methods, but the end result is always the same: ARP broadcasts are discarded and cannot be used to discover other devices.
For most single networks, ARP is the easiest method of collecting WiFi Usage information. As long as your network does not have AP isolation mode enabled, and if you’re trying to monitor a single network, this is the most straightforward method. GearChunk wrote a great article on how you can use our software to get started.
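As an added illustration (not code from the original article or from WhoFi), the sketch below reads two snapshots of a host's ARP table and reports which MAC addresses appeared or disappeared between them. It assumes the Linux /proc/net/arp layout; the snapshots are constructed and the function names are hypothetical.

```python
# Constructed /proc/net/arp snapshots (Linux layout); not real data.
SCAN_1 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         a4:2b:b0:11:22:33     *        wlan0
192.168.1.23     0x1         0x2         3c:22:fb:aa:bb:cc     *        wlan0
192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0
"""
SCAN_2 = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         a4:2b:b0:11:22:33     *        wlan0
192.168.1.57     0x1         0x2         f0:18:98:de:ad:01     *        wlan0
"""

ATF_COM = 0x02  # kernel flag: entry is complete (an ARP reply was received)


def parse_arp_table(text):
    """Return {mac: ip} for resolved entries; skip the header and unanswered requests."""
    devices = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        if int(flags, 16) & ATF_COM and mac != "00:00:00:00:00:00":
            devices[mac.lower()] = ip
    return devices


def diff_scans(previous, current):
    """Compare two {mac: ip} snapshots and report arrivals and departures by MAC."""
    joined = sorted(set(current) - set(previous))
    left = sorted(set(previous) - set(current))
    return joined, left


if __name__ == "__main__":
    before, after = parse_arp_table(SCAN_1), parse_arp_table(SCAN_2)
    joined, left = diff_scans(before, after)
    print("joined:", joined)
    print("left:  ", left)
```

The entry for 192.168.1.40 is dropped because its flags show the request was never answered, so it does not count as a device on the network.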
Finding Devices Using DHCP
Almost every network in the world uses DHCP in one form or another. The function of a DHCP server was defined in 1997 by RFC 2131 as “a framework for passing configuration information to hosts on a TCP/IP network”. A DHCP server is critical to the function of an IPv4 network because it gives more than just an IP Address. A DHCP server can be used for multiple purposes:
- Giving a host its default router information
- Pointing to a DNS Server
- Assigning IP Addresses
- Providing Subnet Mask information
- Storing MAC address and IP address information about all local hosts
Your LAN almost certainly has a DHCP server running somewhere. It commonly runs on a standalone server or is included with the Access Point or firewall firmware. Most DHCP software has options for the user to manually view active leases for hosts on the network. That’s a very simple way to get an idea of how many users are on your network, but it’s not convenient or consistent. When looking at network usage you’ll want up-to-the-minute information on what devices connect and disconnect. A DHCP server can be surprisingly helpful at this if configured properly.
Scripting to a DHCP Server
Automating information gathering is the key to collecting data. This isn’t always possible in standalone SOHO routers from manufacturers like Netgear, Linksys, etc. A SOHO router that serves all network functions (Router, Access Point, Firewall, DHCP, NAT) usually will not provide a means to extract information to another device. A Linux or Windows DHCP server, on the other hand, can run scripts and store information independently. A simple bash or PowerShell script can easily query the DHCP software to view active leases. Repeating this task every few minutes will provide device history over time, provided that the information is stored in a database.
There are two crucial differences between this method and using ARP requests. The first is that a DHCP server typically assigns IP Addresses for at least 8 hours. That means if a device shows up on a network and leaves after 45 minutes, it will still appear on the active lease list for a full 8 hours. 8-hour device blocks are near useless for network device analysis. Manually reducing DHCP lease times to 30 minutes or an hour gives a more granular view of network activity. This will place more CPU load on the DHCP server, but modern hardware will find this an insignificant increase in workload.
The second difference is that while ARP only works on a single network, a single DHCP server can monitor multiple networks. The use of a standalone DHCP server is common in large network environments with tens or hundreds of VLANs. In cases like this, tweaking the settings and storing the lease information can be an easy, low-cost way to develop your own network analytics. If a set-and-forget method seems easier, WhoFi can take the DHCP data to our API and display network analytics on a per-location basis.
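To make the lease-time problem concrete, here is an added example (not from the original article) that parses a lease database covering two subnets and lists the devices the server still considers active at a given time. It assumes the ISC dhcpd.leases file syntax, since the article names no DHCP server; the sample data is constructed and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in ISC dhcpd.leases syntax (assumed server; the article names none).
LEASES = """\
lease 10.0.20.31 {
  starts 4 2024/01/04 09:00:00;
  ends 4 2024/01/04 17:00:00;
  binding state active;
  hardware ethernet 3c:22:fb:aa:bb:cc;
}
lease 10.0.30.12 {
  starts 4 2024/01/04 11:40:00;
  ends 4 2024/01/04 19:40:00;
  binding state active;
  hardware ethernet f0:18:98:de:ad:01;
}
"""

LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.S)
FIELDS = {
    "starts": re.compile(r"^\s*starts\s+\d\s+([\d/]+ [\d:]+);", re.M),
    "ends": re.compile(r"^\s*ends\s+\d\s+([\d/]+ [\d:]+);", re.M),
    "state": re.compile(r"^\s*binding state\s+(\w+);", re.M),
    "mac": re.compile(r"^\s*hardware ethernet\s+([0-9a-fA-F:]{17});", re.M),
}

def parse_time(value):
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S")

def parse_leases(text):
    """Return one dict per lease block that has start, end, state and MAC."""
    leases = []
    for block in LEASE_RE.finditer(text):
        found = {k: rx.search(block["body"]) for k, rx in FIELDS.items()}
        if not all(found.values()):
            continue  # e.g. "ends never;" or a block with no hardware address
        leases.append({"ip": block["ip"], "mac": found["mac"][1].lower(),
                       "state": found["state"][1],
                       "starts": parse_time(found["starts"][1]),
                       "ends": parse_time(found["ends"][1])})
    return leases

def active_macs(leases, now):
    """MACs the server still lists as leased at `now`, present or not."""
    return sorted(l["mac"] for l in leases
                  if l["state"] == "active" and l["starts"] <= now < l["ends"])

def lease_window(lease):
    """Longest time a device can stay listed after it has actually left."""
    return lease["ends"] - lease["starts"]
```

At 12:00 the first device is still reported as active even if it left at 09:45, because the lease file records when the address was granted, not when the device went away.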
Finding Devices Using SNMP
Simple Network Management Protocol or SNMP has been in use since the early 90’s to monitor and configure network devices. It’s a basic TCP/IP Protocol that is designed to remotely monitor and update network equipment. SNMP uses databases called Management Information Bases (MIBs) to store device information. MIBs use a tree-like hierarchy to structure information which allows for virtually limitless expansion.
Different manufacturers can create their own MIBs within this structure to manage their hardware in a specific way. The manufacturer provides their MIB to the users and the users can then use SNMP management software to query and update the device according to the manufacturer specifications.
SNMP Network Discovery
This all becomes relevant when we look at what information we can gather from a device, like a network controller or an access point. The MIB needs to support the Object Identifier (OID) as defined in RFC 1213 which lists active MAC addresses on a network. This is defined officially as the atPhysAddress OID and is supported by major networking equipment manufacturers such as Cisco. There’s always more than one way to crack an egg, however, and other OIDs can perform a similar function. Any SNMP function that lists active hosts will provide adequate output to perform SNMP network discovery.
Implementing SNMP Network Discovery
Before attempting SNMP monitoring, you will need to identify two key pieces of information:
- Does my network equipment support OIDs that list active hosts?
- How will I implement gathering the SNMP information and storing it in a database?
SNMP is typically managed through third-party software and a GUI, though some IT admins will configure their own SNMP scripts. The latter option is the only real candidate for this WiFi intelligence usage goal. Running a PowerShell or Python script on a server is a reliable method to gather your data. The downside is the significant time it takes to produce a custom device discovery tool and database using scripting tools.
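A sketch of the gathering-and-storing step, added here as an example and not taken from the original article: it decodes atPhysAddress rows from text in the style of Net-SNMP `snmpwalk -On` output and records each sighting in SQLite. The tool, the sample lines, the table layout and the function names are all assumptions.

```python
import re
import sqlite3

AT_PHYS_ADDRESS = ".1.3.6.1.2.1.3.1.1.2"  # atPhysAddress, RFC 1213

# Constructed lines in the style of Net-SNMP `snmpwalk -On` output (assumed tool).
WALK = """\
.1.3.6.1.2.1.3.1.1.2.3.1.192.168.1.1 = Hex-STRING: A4 2B B0 11 22 33
.1.3.6.1.2.1.3.1.1.2.3.1.192.168.1.23 = Hex-STRING: 3C 22 FB AA BB CC
.1.3.6.1.2.1.3.1.1.2.3.1.192.168.1.57 = STRING: "ABCDEF"
.1.3.6.1.2.1.1.5.0 = STRING: "ap-lobby"
"""

LINE_RE = re.compile(r'^(?P<oid>\S+) = (?P<type>Hex-STRING|STRING): (?P<val>.*)$')

def decode_row(line):
    """Return (ifindex, ip, mac) for an atPhysAddress row, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m or not m["oid"].startswith(AT_PHYS_ADDRESS + "."):
        return None
    # Row index: atIfIndex, then atNetAddress as a type octet (1 = IP) and four address octets.
    index = m["oid"][len(AT_PHYS_ADDRESS) + 1:].split(".")
    if len(index) != 6 or index[1] != "1":
        return None
    try:
        if m["type"] == "Hex-STRING":
            raw = bytes.fromhex(m["val"])
        else:  # octets that are all printable are shown as a quoted string
            raw = m["val"].strip('"').encode("latin-1")
    except ValueError:
        return None
    if len(raw) != 6:
        return None
    return int(index[0]), ".".join(index[2:]), raw.hex(":")

def record_walk(db, walk_text, seen_at):
    """Insert one sighting per decoded row and return how many were stored."""
    db.execute("CREATE TABLE IF NOT EXISTS sightings "
               "(seen_at TEXT, ifindex INTEGER, ip TEXT, mac TEXT)")
    rows = [(seen_at, *r) for r in map(decode_row, walk_text.splitlines()) if r]
    db.executemany("INSERT INTO sightings VALUES (?, ?, ?, ?)", rows)
    db.commit()
    return len(rows)
```

Calling `record_walk` on each poll with the current timestamp builds the per-device history; the third sample row shows why a parser that only accepts Hex-STRING values would silently miss some devices.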
Finding Devices Using a Router Plugin
The best source for information about Wireless Visitors is directly from the router, though that’s a deceptively simple task. Typically SOHO routers manufactured by Netgear, Linksys, TP-Link, Motorola, etc. do not provide a function to export data. Sending device data to an external server is only possible from specific enterprise network equipment manufacturers. Even popular Access Point choices like Ubiquiti and older Cisco equipment lack this feature natively. As technology marches forward more businesses are demanding access to this data, so a few companies now provide the option for you to use a REST API to receive the network data directly.
Cloud-managed network controllers are clear leaders in this field. Meraki and Aerohive are great choices and both provide a REST API natively in their cloud dashboard. This allows you to push information to whatever server you choose immediately after setting up a network. Their competitors include Ruckus and Aruba, who both offer a location analytics engine run as a standalone service. Location Analytics engines are deployed as a virtual machine or a VPC that connects to your network and serves as a middleman between the Network Controller and an outbound API.
Client Isolation Mode – Additional Info
Businesses that deploy guest networks are finding that Client Isolation Mode, also called AP Isolation Mode, is an absolute must for privacy and security. Client Isolation Mode narrows communications from client devices so that they can only communicate with the Access Point and the Gateway. It’s only internet access, with no ability to communicate with other client devices. Isolation Mode is offered by every major enterprise network manufacturer, and for good reason; it provides a strong defense from would-be attackers and client devices already infected with malware. The flip side is that, for a network administrator, Client Isolation Mode breaks traditional network uses, such as access to on-premise servers or intranet applications, which is why it’s mainly used on guest networks where only internet access is required.
The Best Method for Your Network
If you have an access point system that allows access to the data through the API, such as Meraki, Aerohive, Aruba, or Ruckus, this is the recommended method of retrieving WiFi Usage information. Even though router plugins are difficult to access nowadays, they offer the most consistent and reliable solution. Data is collected as long as your Access Points are up, which should be all the time. Router plugins are also becoming the only scanning solution in some cases as Client Isolation Mode becomes more popular.
Your next best option is an ARP scanning method. If you have AP isolation mode disabled and only one network or just a few networks, this is by far the most straightforward method. If you have multiple networks and they are all monitored by a common DHCP server, then DHCP scanning is your next best option. And finally, if you don’t have API access, and you’re running AP isolation mode on a system without a scriptable DHCP server, then a custom SNMP scripting solution is your final choice.
Which solution for gathering WiFi usage data will work best for your business depends on what networking equipment you have in place and how it is configured. If you are unsure of where to start, the easiest way is to just start scanning. Our Windows and Android agents are available for free, and you can get a quick idea of how your network looks to visiting devices. For more robust analytics you can schedule a demo with our sales team to see how WhoFi can use all of these solutions and more to create insightful, business-driven location analytics for your space.