In the digital age, internet speed is becoming critical for work, study, and entertainment. A sudden drop in speed is often puzzling, even if your data plan allows for high speeds and your router is in good working order. Often, this behavior is caused by unauthorized access by third parties using your connection to download files or watch videos.
There are numerous graphical utilities and mobile apps that promise instant network analysis, but they often require the installation of additional software that may contain ads or malware. It's much more reliable and professional to use the operating system's built-in tools, which don't require downloading from untrusted sources. The Windows command line provides direct access to network protocols, allowing you to see the true picture of your connections without intermediaries.
Using the management console gives the network administrator complete control over diagnostics. You can not only see the IP addresses of all active nodes but also determine their physical MAC addresses, which is key to identifying equipment. In this article, we'll detail the steps you can take to quickly identify "uninvited guests" and take steps to secure your home infrastructure.
Basic network diagnostics before testing
Before moving on to complex commands, you need to ensure that your device is communicating correctly with the router. Any diagnostic begins with checking the current IP address assigned to your computer, as it serves as the gateway for further requests. Without knowing your own local network address, you won't be able to correctly interpret the data received from the router.
To get the initial information, open the console by pressing the combination Win + R, by entering cmd and pressing Enter. The first step is to enter the command ipconfig, which will display all network interfaces. You need to find the section corresponding to your wireless connection (usually labeled "Wireless" or containing the word "Wireless").
In the list of parameters that opens, find the line "Default Gateway." The digital code indicated next to this parameter usually looks like this: 192.168.0.1 or 192.168.1.1This address is the coordinates of your router on the local network, and it is this address that we will access to obtain a list of clients.
⚠️ Attention: If the Default Gateway field displays an address that begins with
169.254.x.x, this means the device hasn't received an address from the router's DHCP server. In this case, there's no internet connection, and checking connected devices is impossible until the connection issue is resolved.
It's also worth paying attention to the physical address (MAC address) of your network card. It consists of six pairs of hexadecimal characters separated by hyphens. Remember or write down this code, as when analyzing the overall list of devices, you'll need to exclude your own equipment to avoid miscalculations.
Using the ARP table to identify devices
The ARP (Address Resolution Protocol) maps IP addresses to physical MAC addresses on a local network. When your computer exchanges data with a router or other network devices, it automatically stores these records in a special cache. This cache, or ARP table, is a gold mine for administrators who want to understand who's nearby.
To display the contents of this table on the screen, you must enter the command in the command line. arp -aAfter pressing Enter, the system will display a list of all IP addresses your computer has recently interacted with, along with their corresponding MAC addresses. This is the fastest way to see active nodes without using third-party software.
However, this method has a caveat: the table only displays devices that your PC has already communicated with. If a device is simply connected to WiFi and waiting for traffic but hasn't transmitted packets to your computer, it may not be listed. To force a poll of the entire network, you can use the ping command on the broadcast address, but in modern versions of Windows, this is often blocked by security settings.
An alternative is to manually search for addresses within your subnet. If the gateway has an address 192.168.1.1, then devices can have addresses from 192.168.1.2 to 192.168.1.254By running a ping loop, you force the computer to query every possible address, and then restart arp -a will show the full picture.
How to run mass ping in Windows?
To automatically query all addresses in the 192.168.1.x subnet, you can use the following command from the command line: for /L %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i . This will take some time, but will fill the ARP table with the maximum number of devices.
Once you have the list, compare the MAC addresses with those you know. Network equipment manufacturers have unique prefixes (the first three pairs of characters) that can be checked in open OUI databases. This will help you determine whether an unknown device is a phone, a laptop, or, for example, a security camera.
Analyzing active connections via Netstat
Utility netstat is a more powerful tool that displays not only local addresses but also established connections to remote servers, as well as ports awaiting connections. While it's more often used to diagnose internet connection problems, it can also help identify abnormal activity.
Enter the command netstat -anto see all active connections and listening ports in numerical format. The key -a shows all connections, and -n Displays addresses and port numbers numerically, without attempting to resolve names, which speeds up the display of information. In the "Foreign Address" column, you'll see where requests from your devices are directed.
If you see many established connections (ESTABLISHED) with unknown IP addresses, this could indicate background applications or, in the worst case, malware activity. However, for checking WiFi connections specifically, this utility is less informative than ARP, as it shows logical connections rather than the physical presence of devices on the air.
However, the combination netstat -r allows you to view the routing table. This is useful if you have multiple gateways or static routes configured on your network. Make sure the default gateway (line 0.0.0.0) leads directly to the address of your router, and not to any proxy server or unknown device.
⚠️ Attention: Command line interfaces and available parameters may vary slightly depending on the operating system version (Windows 7, 10, 11) and security updates. Always consult official Microsoft documentation if standard commands don't return the expected result.
Advanced port scanning methods
For a more in-depth analysis, you can use the built-in capabilities of PowerShell, which is a modern replacement for the classic CMD. The cmdlet Test-NetConnection Allows you to check the availability of a specific device's port. This is especially useful if you want to know whether the web interface is open at a given IP address or if a printer is working there.
An example command to check the availability of port 80 (web interface) on address 192.168.1.50 looks like this:
Test-NetConnection -ComputerName 192.168.1.50 -Port 80
If you receive the following in response: True, which means the device is active and responding to requests. This confirms its presence on the network even if it isn't visible in the ARP cache due to power-saving settings. This method takes longer, as it requires checking each address individually or writing scripts, but it produces more accurate results.
Also worth mentioning is the team nbtstat -A IP_address (Note the capital A). It allows you to retrieve the NetBIOS table of a remote computer if it is running Windows. In response, you can get the computer's hostname, which greatly simplifies identification. For example, instead of a generic MAC address, you'll see the name IVAN-LAPTOP or SMART-TV-LIVING.
Using these tools requires a basic understanding of network topology. Don't be intimidated by the large number of lines and numbers: the key is to find repeating patterns and unknown node names. A systematic approach allows you to filter out system processes and focus on user devices.
Interpretation of the obtained data and correspondence table
After collecting the information, comes the analysis phase. You'll need to match the IP address, MAC address, and possibly the hostname. To structure this process, it's helpful to use a spreadsheet. Below is an example of what the data might look like after scanning a typical home network.
| IP Address | MAC Address (Physical) | Device name (if available) | Status |
|---|---|---|---|
| 192.168.1.1 | AA-BB-CC-11-22-33 | TP-Link_Router | Gateway (Router) |
| 192.168.1.105 | 11-22-33-AA-BB-CC | DESKTOP-PC | Your PC (Known) |
| 192.168.1.112 | 44-55-66-DD-EE-FF | iPhone-Alex | Smartphone (Known) |
| 192.168.1.118 | 99-88-77-66-55-44 | Unknown | Suspicious |
In this table, the fourth row is marked as suspicious. If you don't recognize the device by its MAC address (the first six characters often indicate the manufacturer, such as Apple, Samsung, or Intel) and name, you should be wary. This is especially true if there is more than one such row.
Please note that some devices may use "MAC address randomization" to protect your privacy. This means your phone may present itself to the router with a different physical address each time. However, this is less likely to happen to other devices that have connected without your knowledge, unless they use special security measures.
Security measures and blocking of unwanted clients
If a command line check confirms your suspicions and you've detected an intruder, you need to act quickly. The simplest, but not the most reliable, method is to change your WiFi password. This will disconnect all devices, and you'll have to reconnect them using a new, complex password.
A more advanced approach is to use MAC filtering. Access your router settings via a browser (using the gateway address we found at the beginning) and find the "Wireless MAC Filtering" section. Add only the MAC addresses of your trusted devices and enable "Allow only listed" mode. Now, even with the password, an attacker won't be able to connect.
Also, make sure WPS is disabled on your router. This technology simplifies connection, but it's one of the most vulnerable entry points for hackers. While you can't check this in the command line, it's a critical step for your network's security.
☑️ WiFi Security Checklist
⚠️ Attention: Be extremely careful when enabling MAC filtering. If you enter an incorrect address or make a mistake in the numbers, you will block your own network access, and to restore access, you will need to physically reset the router using the reset button on the device.
Frequently Asked Questions (FAQ)
Is it possible to find out what websites a connected device is visiting via the command line?
No, using standard Windows command line tools (cmd) Viewing the traffic of other devices on the network is impossible. This requires complex packet sniffing methods (such as ARP spoofing) and specialized software (Wireshark), as well as access to the router's configuration. Furthermore, most modern traffic is protected by the HTTPS protocol, which hides the content of pages even when intercepted.
Why does the arp -a command show fewer devices than there actually are?
The ARP table stores only the addresses with which your computer has recently exchanged data. Devices that are simply connected to WiFi and in idle mode may not appear in the list. For a complete list, it's best to use the router's web interface, which queries all clients directly, or use the mass ping method described above.
What should I do if I found someone else's device but can't change the router settings?
If you don't know the password for your router's admin panel, try the standard combinations (admin/admin) found on the sticker on the bottom of the device. If the password was previously changed and you don't remember it, the only solution is to reset the router to factory settings using the Reset button, after which you'll have to set up your internet connection again.
Does having a "neighbor" on my WiFi affect my internet speed?
Yes, the wireless channel is a shared medium. If an unknown user is actively downloading files, watching 4K videos, or torrenting, your speed is guaranteed to drop and your ping will increase. This is especially noticeable in the evening, when channels are already congested.