Thu, May 17, 2018 11:15 pm

Identifying Apple systems on the network

If you need to determine whether a system on the network is an Apple system, there are a number of means you can use to help identify whether the system is, or is at least likely to be, manufactured by Apple. E.g., if the system is on the same local area network (LAN) as a system from which you can ping it, you can check the media access control (MAC) address associated with the IP address you just pinged using the Address Resolution Protocol (ARP), since the first 6 hexadecimal digits of the MAC address can be used to identify the manufacturer of the network interface controller (NIC) in the device pinged. This technique won't work if there is an intervening router between the device from which the ping is sent and the receiving device, though, since the arp address you will see when there are intervening network hops is the one of the first hop device. You can see the number of hops between the source and destination hosts using the traceroute command (tracert is the equivalent command on Microsoft Windows systems). E.g., in the example below, I issued a ping command from a Terminal window on my MacBook Pro laptop running OS X El Capitan (10.11.6). When I then peformed a reverse DNS lookup on the IP address using nslookup, the fully qualified domain name (FQDN) identified the device as an iPad. The FQDN usually won't identify the type of device so clearly, but a check of the MAC address may indicate the device was manufacturered by Apple. You can get the MAC address using the arp command.

$ ping -c 1
PING ( 56 data bytes
64 bytes from icmp_seq=0 ttl=64 time=45.140 ms

--- ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.140/45.140/45.140/0.000 ms
$ nslookup
Address:	name =

$ arp ( at 78:7b:8a:55:bb:35 on en0 ifscope [ethernet]

