Identifying Apple systems on the network

If you need to determine whether a system on the network is an Apple system, there are a number of means you can use to help identify whether the system is, or is at least likely to be, manufactured by Apple. E.g., if the system is on the same local area network (LAN) as a system from which you can ping it, you can check the media access control (MAC) address associated with the IP address you just pinged using the Address Resolution Protocol (ARP), since the first 6 hexadecimal digits of the MAC address can be used to identify the manufacturer of the network interface controller (NIC) in the device pinged. This technique won't work if there is an intervening router between the device from which the ping is sent and the receiving device, though, since the arp address you will see when there are intervening network hops is the one of the first hop device. You can see the number of hops between the source and destination hosts using the traceroute command (tracert is the equivalent command on Microsoft Windows systems). E.g., in the example below, I issued a ping command from a Terminal window on my MacBook Pro laptop running OS X El Capitan (10.11.6). When I then peformed a reverse DNS lookup on the IP address using nslookup, the fully qualified domain name (FQDN) identified the device as an iPad. The FQDN usually won't identify the type of device so clearly, but a check of the MAC address may indicate the device was manufacturered by Apple. You can get the MAC address using the arp command.

Network Analysis Using Wireshark
Network Analysis
Using Wireshark
1x1 px

$ ping -c 1 192.168.196.212
PING 192.168.196.212 (192.168.196.212): 56 data bytes
64 bytes from 192.168.196.212: icmp_seq=0 ttl=64 time=45.140 ms

--- 192.168.196.212 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.140/45.140/45.140/0.000 ms
$ nslookup 192.168.196.212
Server:		192.168.10.134
Address:	192.168.10.134#53

212.196.168.192.in-addr.arpa	name = Margarets-iPad.abc.example.com

$ arp Margarets-iPad.abc.example.com
margarets-ipad.abc.example.com (192.168.196.212) at 78:7b:8a:55:bb:35 on en0 ifs
cope [ethernet]
$

There are a number of online sites where you can look up the MAC address to determine the manufacturer, not necessarily of the device itself, but of the NIC in the device, which provides the network functionality for the device. In this case, I can see at MAC Address and OUI Lookup that 78:7B:8A is associated with Apple, Inc.

Even if there one or more intervening network devices, such as routers or firewalls, were present in the network path between the source and destination hosts, the time to live (TTL) value shown by the ping command will provide a clue as to the possibilities for the operating system on the remote device. E.g., when I pinged the device, I saw the response below:

64 bytes from 192.168.196.212: icmp_seq=0 ttl=64 time=45.140 ms

The TTL is 64, which may indicate a Linux, OS X, MacTCP, or iOS device, but indicates that the device is probably not a Microsoft Windows system. You can see a list of TTL values used by various operating systems at Default TTL (Time To Live) Values of Different OS. If there are intervening routers, the TTL value you will see in the ping response will be decremented by the number of routers in the path. E.g., when I moved the source system to another building and pinged the same IP address, I saw a TTL value of 63. A traceoute command issued against the IP address showed a router at 192.168.156.1 in between the laptop and the iPad then.

Wireshark - The Advanced Network Analysis Tool
Wireshark - The Advanced
Network Analysis Tool
1x1 px

$ ping -c 1 192.168.196.212
PING 192.168.196.212 (192.168.196.212): 56 data bytes
64 bytes from 192.168.196.212: icmp_seq=0 ttl=63 time=77.859 ms

--- 192.168.196.212 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 77.859/77.859/77.859/0.000 ms
$ traceroute 192.168.196.212
traceroute to 192.168.196.212 (192.168.196.212), 64 hops max, 52 byte packets
 1  wcne-192.168-156-1.example.com (192.168.156.1)  122.941 ms  2.646 ms  2.360 ms
 2  margarets-ipad (192.168.196.212)  171.289 ms  7.662 ms  7.764 ms
$

Another indication that a system is an Apple system is if you see multicast DNS (mDNS) traffic orginating from the system to the IP multicast address 224.0.0.51 and a source and destination UDP port of 5353, which is the registered port for mDNS traffic, that is attempting to look up the IP address for _sleep-proxy._udp.local when you are observing network traffic with a packet sniffer tool such as tcpdump (WinDump is a free and open-source software equivalent program for Microsoft Windows systems) or Wireshark. Apple introduced its "Sleep Proxy Service," aka Wake on Demand with OS X Snow Leopard (10.6). The service provides a mechanism to wake a "sleeping" system from another system over the network - see Stuart Cheshire's December 2009 article on Understanding Sleep Proxy Service and the Wikipedia Bonjour Sleep Proxy article. You can set a filter in Wireshark to display mDNS packets by using a filter of udp.port == 5353.



Wireshark sleep proxy

Related articles:

  1. Installing Wireshark on Mac OS X El Capitan
  2. Installing Wireshark under CentOS
  3. Capturing and filtering data with Wireshark