Here's a quick and dirty method for determining who is on your local subnet.
This is a simple, quick hack, but it's useful in many circumstances. Suppose you are associated with a wireless network and are curious about who else is also using the network. You could fire up a network sniffer such as Ethereal [Hack #31] or tcpdump [Hack #33], or manually scan for associated clients using nmap [Hack #50], although that might be construed as antisocial. You're not so much interested in what people are doing, just how many people are online.
It is simple to find clients on your local network using the ubiquitous ping utility. Simply ping the broadcast address of your network and see who responds.
You can find the broadcast address by running ifconfig like so:
$ ifconfig eth0 eth0 Link encap:Ethernet HWaddr 00:40:63:C0:AA:4B inet addr:10.15.6.1 Bcast:10.15.6.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:13425489 errors:0 dropped:33 overruns:0 frame:0 TX packets:19603221 errors:1118 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:3073225705 (2930.8 Mb) TX bytes:1301320438 (1241.0 Mb) Interrupt:10 Base address:0xe800
There it is: the Bcast address. This is the broadcast address for your local subnet, which every machine is listening to. In Mac OS X and BSD, it is simply listed as the broadcast address:
$ ifconfig en1 en1: flags=8863 mtu 1500 inet6 fe80::230:65ff:fe03:e78a%en1 prefixlen 64 scopeid 0x5 inet 10.15.6.49 netmask 0xffffff00 broadcast 10.15.6.255 ether 00:30:65:03:e7:8a media: autoselect status: active supported media: autoselect
Most (but not all) machines will respond to a ping sent to this address. But simply running ping won't always leave enough time for the clients to respond between echo requests. Run ping with a long wait time (say, 60 seconds) between requests, and be sure to send at least one ping:
$ ping -c3 -i60 10.15.6.255 PING 10.15.6.255 (10.15.6.255): 56 octets data 64 octets from 10.15.6.1: icmp_seq=0 ttl=255 time=0.3 ms 64 octets from 10.15.6.72: icmp_seq=0 ttl=64 time=0.4 ms (DUP!) 64 octets from 10.15.6.61: icmp_seq=0 ttl=64 time=0.7 ms (DUP!) 64 octets from 10.15.6.65: icmp_seq=0 ttl=64 time=0.9 ms (DUP!) 64 octets from 10.15.6.64: icmp_seq=0 ttl=64 time=1.7 ms (DUP!) 64 octets from 10.15.6.66: icmp_seq=0 ttl=64 time=2.0 ms (DUP!) 64 octets from 10.15.6.69: icmp_seq=0 ttl=64 time=10.9 ms (DUP!) 64 octets from 10.15.6.68: icmp_seq=0 ttl=64 time=38.0 ms (DUP!) ^C --- 10.15.6.255 ping statistics -- 1 packets transmitted, 1 packets received, +7 duplicates, 0% packet loss round-trip min/avg/max = 0.3/6.9/38.0 ms
After duplicates (those suffixed with DUP!) stop arriving, press Ctrl-C to kill the running process, or wait 60 seconds for another try. This gives you a quick, rough idea of how many machines are connected to the local subnet.
Note that not all machines answer to broadcast ping requests, and some block ICMP traffic, which is ping's protocol. Still, in terms of ease, speed, and ubiquity, you can't beat the results of the broadcast ping.
If you are curious about what kinds of wireless cards people are using, you might try looking up their serial numbers online [Hack #39].
Bluetooth, Mobile Phones, and GPS
Network Discovery and Monitoring
Wireless Network Design
Appendix A. Wireless Standards
Appendix B. Wireless Hardware Guide