It's often frustrating when your internet speed suddenly drops and pages load slowly. This behavior can be caused not only by bandwidth congestion from your ISP, but also by uninvited guests on your local network. If neighbors or friends are secretly using your password, it not only reduces performance but also creates real security threats.
Checking connected clients is a basic procedure that should be performed regularly. Modern routers offer ample tools for detailed traffic analysis and a list of active devices. In this article, we'll discuss proven monitoring methods that will help you identify intruders and regain full control of your home network.
The first sign of a malicious connection is often unstable wireless performance. High-definition video starts buffering, and online games suffer from high ping. If you're confident your ISP's equipment is working properly, it's time to check your router settings.
Symptoms of unauthorized network access
Before moving on to technical diagnostic tools, it is worth paying attention to indirect signs. Indicators on the router body These can indicate high activity: if the WLAN or LAN light is flashing wildly when all your devices are off or in sleep mode, this is a warning sign. Also, be wary if your file download speed doesn't match your data plan, even at night, when internet usage is typically lower.
Another indicator may be the inability to connect to a printer or network storage. When an IP address conflict occurs on the network or a third-party device occupies a reserved slot, your devices may lose connection with peripherals. In some cases, attackers may even attempt to access shared folders if client isolation isn't configured on the router.
β οΈ Attention: Don't ignore a sudden drop in speed if you're not using torrents or heavy cloud backups. This may indicate not just "neighborly traffic," but that your device has been targeted by a botnet and is sending spam.
For a basic assessment of the situation, you can use the operating system's built-in utilities, but they only provide a superficial overview. A more in-depth analysis requires accessing the router's administrative panel or using specialized software. Understanding these symptoms will help you react promptly and prevent a data leak.
Checking via the router's web interface
The most reliable and accurate way to find out who's using your Wi-Fi is to log into your router's control panel. This method works for any model, whether TP-Link, Asus, D-Link or KeeneticYou need to open your browser and enter the gateway IP address, which usually looks like this: 192.168.0.1 or 192.168.1.1The exact address is often indicated on a sticker on the bottom of the device.
After entering your username and password (by default, this is often admin/admin unless you've changed them), find the section related to the wireless network or client status. It may be called "Wireless Status," "Client List," "DHCP Server," or "Client List." This is where you'll see a table of all the devices that have currently received an IP address from your router.
In this list, you'll see MAC addresses and sometimes device names. If you see an unfamiliar name, such as iPhone-Unknown or Android-123, when you don't have such gadgets, it's a cause for concern. Some modern interfaces, for example, MikroTik or in firmware OpenWrt, allow you to see not only the fact of connection, but also the volume of data transferred by a specific client in real time.
Analyzing the list of connected devices
Once you receive a list of clients, it's important to interpret the data correctly. Users are often alarmed by unfamiliar names that actually belong to smart plugs, TVs, or game consoles. To avoid false alarms, make a list of all your devices and compare their MAC addresses with those displayed in the router interface. A MAC address is a unique identifier for a network card, represented by a set of six pairs of hexadecimal numbers.
| Device type | Approximate name in the list | Traffic nature | Status |
|---|---|---|---|
| Smartphone | iPhone, Samsung, Android | Uneven, splashes | Legitimate |
| Laptop | DESKTOP-PC, MacBook | High when loading | Legitimate |
| IoT (Lamp) | SmartLight, Tuya | Minimal, rare | Legitimate |
| Unknown | Unknown, Generic | Constantly high | Suspicious |
Pay attention to the "Lease Time" column in the DHCP list. If a device has been connected for several days, even though you know the guests left yesterday, this is a clear sign of an unauthorized connection. It's also worth checking which ports are open for active clients. Some advanced routers allow you to see open ports for each IP address, which can help identify devices attempting to run servers or torrent clients.
What to do if the MAC address is hidden?
Some modern smartphones (iOS 14+, Android 10+) use MAC address randomization to protect privacy. They may appear as a random string of characters in the router's list. To identify such a device, temporarily disable the "Private Wi-Fi Address" feature in your phone's settings or check the first three pairs of characters of the MAC address (OUI), which indicate the chip manufacturer.
If you discover a device that's definitely not yours, don't panic. First, try disabling Wi-Fi on all your devices and see if the suspicious line disappears from the list. If it remains, unauthorized access has been confirmed. In this case, you should immediately change the password and encryption type.
Using mobile apps for monitoring
For those who find it inconvenient to access the web interface through a browser every time, there are specialized applications. The leader in this niche is considered to be Fing, available for Android and iOS, scans the network and provides detailed information about each device: model, manufacturer, operating system, and even its approximate location on a map (based on the MAC address).
Other useful utilities such as Network Analyzer or WiFi Analyzer, also allow you to view a list of clients, although their primary functionality is often focused on radio frequency spectrum analysis. The advantage of mobile apps is that they work directly from your phone, while connected to the same network, and display data in a convenient graphical format. You can receive a notification when a new device connects to the network.
It's important to understand that mobile apps see the network the same way your phone does. If your router hides certain devices or uses complex isolation settings, the app may not show the full picture. However, for a quick check of "who's online," this is quite sufficient. Furthermore, many router manufacturers, such as Asus or Tenda, have their own official applications that provide full control over security settings.
Command line and advanced methods
For users who prefer to work with the command line, there are powerful tools built into the operating system. In Windows, you can use the command arp -a, which displays a table of IP addresses and physical MAC addresses. This allows you to see all the devices with which your computer communicated during the current session.
C:\Users\User> arp -aInterface: 192.168.1.5 --- 0x3
Internet Address Physical Address Type
192.168.1.1 00-1a-2b-3c-4d-5e dynamic
192.168.1.15 aa-bb-cc-dd-ee-ff dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
On Linux and macOS based systems you can use the utility nmap. Team nmap -sn 192.168.1.0/24 will scan the entire subnet and return a list of all active hosts. This is a more aggressive and accurate method than standard ARP, as it can detect devices that don't respond to broadcast requests but do respond to pings.
Using these methods requires a basic understanding of network protocols. Entering a command incorrectly can result in scanning the wrong network or receiving incorrect data due to ARP table caching. Before analyzing, it is recommended to clear the cache with the command arp -d * (in Windows) or simply restart the network adapter.
β οΈ Attention: Port scanning and active network probing (such as nmap) may be detected as an attack by antivirus software or firewalls on other devices. Use these tools only on your home network.
Protective measures and blocking of violators
Once you've identified the intruder, you need to immediately block their access. The easiest way is to change your Wi-Fi password. Changing the password will disable all devices, and you'll have to re-enter the security key on your devices. Make sure you're using a strong encryption standard. WPA2-PSK or WPA3, abandoning the outdated and insecure WEP.
A more radical method is MAC address filtering. You can enable the "Allow List" in your router settings, adding only the addresses of your devices. Then no other device, even with the password, will be able to connect. However, this method is labor-intensive: every time you buy a new phone or have guests over, you'll have to manually change the router settings.
βοΈ Action plan if a hack is detected
It is also recommended to disable the function WPS (Wi-Fi Protected Setup). This technology, which allows you to connect by pressing a button or entering a PIN, has known vulnerabilities that allow attackers to brute-force the password in a matter of hours. Disabling WPS will significantly increase your network's resistance to hacking.
Security Prevention and Updates
Network security isn't a one-time action, but an ongoing process. Regularly check the list of connected clients, especially if you live in a densely populated apartment building. Avoid using simple passwords like "12345678" or "password," as these can be guessed by automated scripts in seconds.
It's important to keep your router's firmware up to date. Manufacturers frequently release patches that close security holes that could allow hackers to gain access to network management. Many modern models, such as Keenetic or routers with support Asus Merlin, can update automatically, but this function must be activated manually.
Remember that your router is the gateway to your entire digital home. All your correspondence, banking passwords, and personal photos pass through it. Neglecting basic security measures can cost you more than a few minutes spent setting up security.
Is it possible to see what websites are being visited through my Wi-Fi?
Using standard router tools, you can't see a full list of visited URLs (for example, specific pages on VKontakte or videos on YouTube) if the connection is secured with HTTPS. You'll only see the domain name (e.g., youtube.com), not the specific page. Deep traffic analysis (DPI) requires complex settings and specialized software, which is often beyond the capabilities of consumer routers.
Why does the device list show "Unknown"?
This occurs when the router cannot determine the device's manufacturer by its MAC address or when the device does not report its hostname upon connection. This often occurs with smart home devices, budget Chinese gadgets, or devices with MAC address randomization enabled.
Does my neighbor's cryptocurrency mining affect my router?
Yes, if your neighbor is mining via your Wi-Fi, they're constantly putting a high load on the router's channel and processor. This can lead to overheating, connection interruptions, and a significant drop in internet speed for all network users. In some cases, it can even shorten the lifespan of the router.
What should I do if I changed the password and the wrong device connected again?
This is possible if the attacker has software installed to automatically guess passwords or if they exploit a WPS vulnerability. Also, check if someone else's device is connected to your router via a LAN cable. In this case, the only solution is to completely reset the router to factory settings and set maximum security.