How to check Wi-Fi connections: identifying strangers

When the internet suddenly starts intermittently or the speed drops to a crawl, it often leaves network owners perplexed. Before calling your provider, consider whether you might have an uninvited guest on your wireless network. Modern technology—smartphones, smart speakers, TVs—requires a stable connection, and the addition of an extra device can significantly disrupt your traffic balance.

Checking active connections is a basic home network administration skill that every user should master. It's not just a matter of page loading speed but also a personal security measure, as an unauthorized user could theoretically access shared folders or even attempt to attack your devices. In this article, we'll cover all available methods, from simple mobile apps to in-depth diagnostics via the console.

You don't need to be a network expert to perform a basic diagnosis. Most modern routers and smartphones offer convenient tools for visualizing the client list. However, it's important to understand the difference between a simply connected device and a potential threat, as well as how to correctly interpret the data obtained to avoid blocking your smart bulb.

Symptoms of unauthorized network access

The first sign of problems is often an unstable internet connection. If you notice high-definition video constantly buffering or your ping in online games fluctuates for no apparent reason, you should be wary. While this could be due to overloading your ISP's bandwidth, traffic theft cannot be ruled out, especially if the problem occurs regularly at a certain time of day.

Pay attention to the indicators on your router. A WLAN or Wi-Fi light that blinks wildly, even when you're not downloading anything and all your devices are asleep, could indicate active background data transfer by someone else. Traffic It doesn't disappear without a trace, and physical indication of port and wireless module activity is an excellent primary diagnostic tool.

⚠️ Warning: Flashing lights don't always indicate a hack. Background operating system updates, photo syncing to the cloud, or smart surveillance cameras can also generate intense network traffic. Don't panic ahead of time.

Another sign may be the inability to connect to the network from your own device if the router's connection limit is reached. Cheap router models are often limited to 10-15 clients. If you only have a couple of phones and a laptop at home, and newer devices aren't allowed to connect, someone else is clearly hogging the available bandwidth. It's also worth checking your electricity bills: cryptocurrency mining or using your network for botnet attacks can cause a slight but noticeable increase in your router's power consumption.

Sometimes users notice strange devices in the list of available printers or media servers (DLNA). If an unknown name appears in the list of available devices for streaming video to a TV, this is a sure sign that there is an intruder on the local network actively scanning the surroundings.

Checking via the router's web interface

The most reliable and accurate way to find out who's using your Wi-Fi is to delve into the "brains" of your router. The router's web interface stores a complete ARP (Address Resolution Protocol) table, which displays all devices that have received an IP address. To log in, you'll need the default gateway address, which most often looks like this: 192.168.0.1 or 192.168.1.1, as well as the administrator login and password.

After logging into the control panel (usually in the section Wireless, WLAN or Status) look for a subsection with a name like Wireless Statistics, Client List or Client listHere you'll see a table with MAC addresses and sometimes device names. Compare the number of connected devices with the actual number of devices you have. If you see more than you actually have, this is cause for concern.

Below is a table to help you decipher typical designations in interfaces from different manufacturers:

Router brand Menu section Subsection title What to look for
TP-Link Wireless Wireless Statistics MAC Address, Current Status
Asus Network map Clients (bottom) Device name, IP, MAC
Keenetic Client list Home network Name, Interface, IP address
D-Link Status Wireless Wireless Clients Table

It is important to understand that some devices may appear as Unknown or have strange alphanumeric names. This often happens with IoT devices (smart plugs, sensors). Before blocking, try unplugging the suspicious device and see if it disappears from the list. MAC address — This is a unique identifier for a network card, which is more difficult to forge than the device name, so focus on it first.

📊 How often do you check the list of connected devices?
Once a week
Once a month
Only when the internet is slow
Never checked

Using specialized applications

If you've lost access to your router settings or the interface is too complex, mobile network scanner apps can help. They analyze packets passing through your smartphone and allow you to quickly get a list of all active devices on your local network. Popular apps like Fing, WiFi Analyzer or Network Scanner make this process as simple as possible.

The advantage of such apps is their ability to automatically identify a device's manufacturer based on the first six characters of its MAC address (OUI). Instead of a confusing string of numbers, you'll see logos like Apple, Samsung, Xiaomi, or Intel, making identification much easier. The app will display not only the IP address and MAC address, but also the response time (ping), open ports, and even the device model.

However, it's important to be aware of the limitations of mobile scanners. Since a smartphone is connected to Wi-Fi, it only sees devices on the same subnet and not hidden by client isolation settings. If an attacker uses sophisticated cloaking techniques or is on a different VLAN, the mobile app may not reveal them. Furthermore, free versions often contain ads, while full functionality is available by subscription.

⚠️ Warning: Only download network analysis apps from official stores (Google Play, App Store). Third-party APK files with "Wi-Fi hacking" features often contain malicious code that will steal your passwords.

For a deeper analysis, you can use port scanning features within applications. If you see a device that opens ports specific to remote control (e.g., 22 SSH or 23 Telnet), and it's not your server—that's a warning sign. These programs allow you to take network snapshots and compare them over time to track new visitors.

Diagnostics via the command line (Windows and macOS)

For users who prefer native operating system tools without installing unnecessary software, the command line is an excellent option. In Windows, this utility cmd, and in macOS and Linux - TerminalThese tools allow you to query the system for the complete table of IP address and physical address mappings, which accumulates during operation.

To get a list, in Windows you need to run the command prompt as administrator and enter the command:

arp -a

The result will be a list of all devices with which your computer has recently communicated. You'll see IP addresses and their corresponding MAC addresses. Dynamic entries are updated automatically, while static ones must be entered manually. The command is similar in macOS, but the output formatting may differ. For more detailed information in macOS, you can use ifconfig to get your own IP and then scan the subnet.

The main difficulty with this method is the need to manually check MAC addresses against online databases to determine which manufacturer they belong to. Furthermore, the ARP table doesn't always contain all devices on the network, only those with which contact has been made. To "wake up" the network and populate the table, you can first ping all addresses in the range:

for /L %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i

This method is advantageous for its versatility and lack of third-party software, but it does require minimal console skills. Errors in command syntax can result in an empty result, which doesn't mean there's no problem, just an invalid request.

What is MAC filtering and should I enable it?

MAC filtering is a whitelist or blacklist of devices whose access is allowed or denied at the router level. This is an effective measure, but it's inconvenient in everyday life: every time guests come over with a phone, you'll have to manually enter their device's MAC address into the router settings. Attackers can also "clone" the MAC address of an authorized device, so relying solely on this method isn't recommended.

Device list analysis and identification

It's easy to get confused when you receive a list of 10-15 MAC addresses. How do you figure out which one is your laptop and which one is someone else's tablet? The first step is to create an inventory of your own devices. Write down the MAC addresses of all your gadgets (they're usually found on a sticker under the battery or in the "About Phone" -> "General Information" section).

The remaining unknown addresses should be checked using OUI (Organizationally Unique Identifier) ​​lookup services. The first three bytes of the MAC address indicate the network card manufacturer. If you see a device from Espressif, most likely it’s some kind of smart technology (a light bulb or a socket). If Huawei or Xiaomi — it could be a phone or a router in client mode. If the manufacturer is unknown or designated as Unknown, you should be wary.

Here's a checklist of what to do if you detect a suspicious device:

  • 🔍 Check the MAC address against the stickers on all your devices, including smart kettles and vacuum cleaners.
  • 📡 Check if you left guest Wi-Fi turned on, which your neighbors could connect to.
  • 🔄 Try temporarily disabling the internet on your router and see if the device disappears from the active list (online/offline).
  • 📝 Write down the MAC address of the offender for possible blocking or reporting to the police (in case of a serious incident).

Often, the "intruder" turns out to be a child's old smartphone, sitting in a drawer downloading updates in the background, or a smart TV you forgot to check. A thorough check will save you from unnecessary fuss.

☑️ Action plan if you discover an intruder

Completed: 0 / 4

Protective measures and blocking uninvited guests

If a third-party connection is confirmed, you need to act quickly and decisively. The simplest, but temporary, method is to block the MAC address directly in the router interface. However, as mentioned earlier, this address is easily spoofed. Therefore, the only guaranteed measure is to completely change the wireless network security key.

Create a new password using a combination of uppercase and lowercase letters, numbers, and special characters. The password must be at least 12 characters long. After changing the password, all devices will be disabled, and you'll have to re-enter the new key on each one. This is inconvenient, but it effectively cuts off the attacker's connection.

Additionally, it is recommended to configure the following security settings:

  • 🔒 Disable the feature WPS (Wi-Fi Protected Setup). It contains vulnerabilities that allow someone to guess the PIN code in a matter of hours.
  • 🛡️ Use a modern encryption standard WPA2-AES or WPA3Avoid legacy WEP or mixed mode WPA/WPA2-TKIP.
  • 👁️ Disable remote router management from the external network (WAN) unless you use this feature professionally.
⚠️ Note: Router interfaces and function names may vary depending on the firmware version. If you don't find the setting described, please refer to the official documentation from the manufacturer of your model or to the support forum.

It's also a good practice to create a separate guest network. This isolates guest devices from your main local network, where computers with important data and network-attached storage (NAS) devices are located. Even if guests (or neighbors who learn the password) gain access to the guest network, they won't be able to scan your main devices.

Frequently Asked Questions (FAQ)

Can my neighbor see the contents of my hard drive via Wi-Fi?

If you don't have a guest network configured and use a shared password, theoretically yes. If your computer has shared folders (SMB, FTP) without a password or with a weak password, anyone on the network can try to access them. However, modern operating systems (Windows 10/11, macOS) automatically detect the network as "Public" when connecting to a new network and prevent device discovery, which blocks direct access to files.

Can a hacker steal my bank passwords if I'm on my Wi-Fi?

If an intruder has simply connected to your Wi-Fi, they're on the same local network. Without sophisticated traffic encryption methods (HTTPS), which are now the default on all banking and retail websites, interception is difficult. However, the risk of an ARP spoofing attack (DNS spoofing) exists, so it's best to change your password immediately if you detect an intruder.

Why is the device listed as "Unknown Device"?

This happens when the network card manufacturer isn't listed in your router or scanner's ID database, or the device is deliberately hiding its name. This often happens with budget Chinese smart home gadgets, older printers, or devices with custom firmware. Use the MAC address as a guide.

How often should I change my Wi-Fi password?

It's recommended to change your password every 3-6 months, or immediately if you've shared it with guests or repairmen, or if you suspect a leak. Regularly changing your access key minimizes the risk of an old password saved on a sold or lost device being used against you.