Network security and traffic monitoring issues often become a priority when home internet becomes unstable or data transfer speeds drop for no apparent reason. Administrators and advanced users prefer to use operating system tools that don't require third-party software and provide direct access to network interfaces. The Windows command line provides powerful tools for diagnosing the status of a local network and identifying all active nodes.
Understanding who is on your network is critical, as unregistered devices can not only steal traffic but also attack your personal computers. Standard router graphical interfaces are frequently updated, changing the layout of elements or requiring administrator passwords, which isn't always convenient for quick diagnostics. Using the console allows you to instantly get a snapshot of your network status and see a list of IP addresses your computer is currently communicating with.
In this article, we'll cover connection analysis methods in detail, from simple ARP table queries to more in-depth network session analysis. You'll learn how to interpret the data, distinguish system processes from user devices, and quickly respond to suspicious activity. Mastering these skills is essential for anyone who wants to keep their home or office network under complete control.
ARP Protocol Basics and Mapping Tables
The foundation for discovering devices on a local network is the protocol ARP (Address Resolution Protocol). Its main function is to translate IP addresses used by software into physical MAC addresses of network cards, which are required for data transfer at the hardware level. When your computer sends a request to the network, it first checks its local mapping database to determine which physical device owns the desired IP address.
This database, known as the ARP table, is stored in your PC's RAM and is updated dynamically as you work. It contains entries only for devices with which your computer has already exchanged data packets or recently attempted to communicate. This means that simply running the command won't show all theoretically possible neighbors, but only those that have shown activity toward your node.
⚠️ Note: The ARP table is dynamic and is cleared when the computer reboots or when the entry timeout expires. To obtain a complete list of all devices on the network, it is often necessary to first "poll" the entire address range to initiate packet exchange.
It's important to distinguish between static and dynamic table entries. Static entries are manually entered by the administrator and persist after a reboot, while dynamic entries are created automatically by the protocol. For connection monitoring purposes, we're interested in dynamic entries, as they reflect the real-world picture of current network interactions. Wi-Fi.
Using the arp command to list hosts
The fastest way to get information about your neighbors is to use the built-in utility arpThis command is available in all modern versions of Windows, from XP to the latest builds of Windows 11. To run it, you need to open a command prompt with standard user rights, although some operations may require administrator rights if you want to make changes.
The basic query syntax is extremely simple, consisting of just one word and a parameter. Enter the following into the console:
arp -a
After entering this command, the system will display a list of all IP addresses and their corresponding MAC addresses currently known to your computer. The output is usually grouped by network interface, which is especially convenient if you have both an Ethernet cable and a Wi-Fi adapter connected. You'll see separate blocks for each interface, indicating its IP address.
In the list, you will see columns indicating the Internet Address (IP address), Physical Address (MAC address), and Type (record type). Dynamic records are marked as dynamic, confirming their relevance. If you see many entries, this indicates active communication between your PC and other nodes, be it printers, smartphones, or other computers on the network.
Analyzing active network sessions using netstat
Unlike the ARP table, which shows the physical presence of devices, the utility netstat Network statistics displays active network connections at the port level. This allows us to see not just the device's presence on the network, but also specific running processes that exchange data with the outside world or local nodes. To monitor connections to a Wi-Fi router, we need parameters that display all connections and address values.
The command to get a complete list of active connections looks like this:
netstat -an
Parameter -a forces the utility to show all active connections and ports on which incoming requests are listened. The parameter -n Displays addresses and port numbers numerically, without attempting to resolve hostnames, significantly speeding up the output. In the resulting list, the Foreign Address column shows the remote IP addresses contacted.
By analyzing this list, you may notice duplicate IP addresses belonging to devices on your local network (usually starting with 192.168.xx). If you see multiple connections with an unknown local address, this may indicate that this device is actively scanning the network or attempting to connect to your services. This is a deeper level of analysis than simply viewing the ARP table.
☑️ Network activity analysis
Comparative characteristics of diagnostic methods
To effectively manage your network, it's important to understand which tool is best suited for a given situation. Team arp It's good for quickly checking "who's online," but it's limited by your computer's cache. netstat It shows active processes, but it won't provide a complete list of all connected devices if they aren't currently communicating with your PC. Understanding these differences saves time during diagnostics.
Below is a table comparing the main characteristics of the methods considered and their applicability in various scenarios:
| Parameter | The arp -a command | The netstat -an command | Router interface |
|---|---|---|---|
| Data type | MAC and IP addresses | Ports and connection states | Full list of clients |
| Source of information | Local OS cache | Active OS sockets | Router DHCP table |
| Speed of receipt | Instantly | Instantly | Depends on the speed of the web interface |
| Accuracy of the list | Partial (only those who have been in contact) | Only active connections | Maximum (all issued IP) |
As can be seen from the comparison, none of the console methods provides the same complete picture as logging into the router admin panel, where the table is displayed. DHCP LeasesHowever, console commands are indispensable when you need to quickly test a hypothesis or when access to the web interface is blocked or unavailable. Combining these methods yields the most reliable results.
Interpreting MAC addresses and identifying devices
When receiving a list of MAC addresses, users often face the question: "Whose address is this?" A MAC address consists of 12 hexadecimal digits separated by hyphens or colons. The first six characters (three bytes) are called the OUI (Organizationally Unique Identifier) and uniquely identify the device manufacturer. The remaining six characters are assigned by the manufacturer to a specific network card.
Knowing the manufacturer's prefix, you can guess the device behind the address. For example, prefixes from Apple, Samsung, or Xiaomi are easily recognizable. However, modern smartphones and laptops often use MAC address randomization to protect privacy on public networks. This feature may also be enabled on a home network, making it difficult to identify the device by its hardware address, as it will change every time you reconnect.
What is MAC address randomization?
This is a security feature in iOS, Android, and Windows 10/11 that generates a random MAC address instead of the real one when connecting to Wi-Fi. This prevents tracking of a device's movements across access points, but can confuse a network administrator trying to whitelist devices.
For accurate identification, it's recommended to check the IP addresses assigned by the router against known devices. It's often easier to disable Wi-Fi on a suspicious device and see if the corresponding entry disappears from the ARP table or the list of active connections. This "elimination" method is more reliable than trying to guess the manufacturer from old OUI databases.
Additional commands for advanced monitoring
For a deeper dive into network statistics, you can use the command ipconfig with different keys. For example, the parameter ipconfig /all will display complete network configuration information, including DNS servers and the physical address of your adapter. This is useful for understanding context: what subnet you're on and what your default gateway is.
Also worth mentioning is the team nbtstat, which works with the NetBIOS protocol. On Windows local networks, it can display computer names corresponding to IP addresses, making navigation much easier unless the devices are renamed to "Unnamed PC." The command nbtstat -n displays the local name, and nbtstat -a IP_address Allows you to query the name table of a remote node.
⚠️ Note: The NetBIOS protocol is considered obsolete and may be disabled in modern corporate networks or strictly configured home networks for security reasons. If the command returns an error or an empty result, this does not mean the device does not exist, but rather that its name cannot be retrieved via this protocol.
Using these tools together allows for a fairly comprehensive picture of what's happening in the air. By combining data on physical addresses, active ports, and hostnames, it's possible to determine with a high degree of certainty the nature of the activity of each connected user.
Security measures when strangers are detected
If you discover an unknown device during an inspection, don't panic, but take action. Often, it could be a guest's forgotten gadget, a smart light bulb, or a TV you simply forgot to connect. However, if the device is clearly not yours, its presence on the network creates the risk of data interception or the use of your connection for illegal purposes.
The most effective way to combat this is to change your Wi-Fi network password. Once the encryption key is changed, all devices will be disconnected, and you'll only need to reconnect your own devices. It's also recommended to switch to a stronger encryption protocol. WPA3 or at least WPA2-AES, if your equipment supports it, abandoning the outdated WEP or WPA/TKIP.
Keep in mind that the command line is only a diagnostic tool. It displays the problem, but it doesn't automatically resolve it. To block a specific MAC address (MAC filtering), you'll still need to access the router settings. However, without prior analysis via CMD, you might not even know the "guest" was there.
Frequently Asked Questions (FAQ)
Why does the arp -a command show fewer devices than are actually connected?
Your computer's ARP table only contains entries for devices with which your PC has recently exchanged data. Devices that are simply connected to the router and streaming a movie on their phone, but don't interact with your computer, won't appear in this table. To see the full list, you need access to the router's DHCP table.
Is it possible to block someone else's Wi-Fi using the command line?
No, you can't disconnect another device from the router using standard Windows tools. The console only allows you to diagnose and view addresses. Blocking (or banning by MAC address) is performed exclusively through the router's web admin interface or specialized pentesting software (which requires separate configuration and knowledge).
How to find out the device name by IP address without programs?
You can use the command nbtstat -a 192.168.x.x (substituting the desired IP). If NetBIOS is enabled on the target device and name resolution is enabled, you will see its name on the network. The command ping -a 192.168.x.x, which attempts to resolve the hostname when sending a request.
Does the number of connected users affect internet speed?
Absolutely. The Wi-Fi channel is shared among all active users. If one of the connected devices is actively downloading files, watching 4K videos, or updating games, the available bandwidth for other devices will be reduced, leading to lag and buffering.