If you need to determine whether a system on the network is an Apple system, there are a number of means you can use to help identify whether the system is, or is at least likely to be, manufactured by Apple. E.g., if the system is on the same local area network (LAN) as a system from which you can ping it, you can check the media access control (MAC) address associated with the IP address you just pinged using the Address Resolution Protocol (ARP), since the first 6 hexadecimal digits of the MAC address (the organizationally unique identifier, or OUI) identify the manufacturer of the network interface controller (NIC) in the device pinged. This technique won't work if there is an intervening router between the device from which the ping is sent and the receiving device, though, since the MAC address you will see in the ARP table when there are intervening network hops is that of the first-hop device. You can see the number of hops between the source and destination hosts using the traceroute command (tracert is the equivalent command on Microsoft Windows systems). E.g., in the example below, I issued a ping command from a Terminal window on my MacBook Pro laptop running OS X El Capitan (10.11.6). When I then performed a reverse DNS lookup on the IP address using nslookup, the fully qualified domain name (FQDN) identified the device as an iPad. The FQDN usually won't identify the type of device so clearly, but a check of the MAC address may indicate the device was manufactured by Apple. You can get the MAC address using the arp command.
$ ping -c 1 192.168.196.212
PING 192.168.196.212 (192.168.196.212): 56 data bytes
64 bytes from 192.168.196.212: icmp_seq=0 ttl=64 time=45.140 ms

--- 192.168.196.212 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 45.140/45.140/45.140/0.000 ms
$ nslookup 192.168.196.212
Server:         192.168.10.134
Address:        192.168.10.134#53

212.196.168.192.in-addr.arpa    name = Margarets-iPad.abc.example.com

$ arp Margarets-iPad.abc.example.com
margarets-ipad.abc.example.com (192.168.196.212) at 78:7b:8a:55:bb:35 on en0 ifscope [ethernet]
$
There are a number of online sites where you can look up the MAC address to determine the manufacturer, not necessarily of the device itself, but of the NIC in the device, which provides the network functionality for the device. In this case, I can see at MAC Address and OUI Lookup that 78:7B:8A is associated with Apple, Inc.
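The lookup described above can be automated against the output of arp. The script below is an added example, not code from the original article: it parses arp -a style lines, normalizes the MAC (macOS arp prints octets without leading zeros, so 0:1c:b3 and 00:1c:b3 are the same address) and looks the OUI up in a table. The one-entry OUI_TABLE is a constructed excerpt (a real tool would load the full IEEE registry), and the SAMPLE_ARP lines are constructed, with the first mirroring the iPad entry shown above. It also flags locally administered addresses (the 0x02 bit of the first octet), since a device using MAC randomization has no manufacturer OUI to look up.

```python
import re

# Constructed excerpt of an OUI table, keyed by the first three octets in upper case.
# The article looked up 78:7B:8A online and found Apple, Inc.; a real tool would load
# the full IEEE registry (oui.txt) instead of this one-entry dict.
OUI_TABLE = {
    "78:7B:8A": "Apple, Inc.",
}

# macOS `arp` prints octets without zero padding (e.g. 0:1c:b3:...), so accept 1 or 2 hex digits.
MAC_RE = re.compile(r"(?:[0-9a-fA-F]{1,2}:){5}[0-9a-fA-F]{1,2}")
ARP_LINE_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)\s+at\s+(\S+)")

def normalize_mac(mac):
    """Return the MAC as six zero-padded upper-case octets joined by ':'."""
    return ":".join(f"{int(octet, 16):02X}" for octet in mac.split(":"))

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set. Such an address was not
    assigned from a manufacturer's OUI, so a vendor lookup on it is meaningless; MAC
    randomization (private Wi-Fi addresses on recent mobile devices) produces these."""
    first_octet = int(normalize_mac(mac).split(":")[0], 16)
    return bool(first_octet & 0x02)

def oui_vendor(mac, table=OUI_TABLE):
    """Vendor for the MAC's OUI, or None when it is randomized or not in the table."""
    norm = normalize_mac(mac)
    if is_locally_administered(norm):
        return None
    return table.get(norm[:8])

def parse_arp_output(text, table=OUI_TABLE):
    """Turn `arp -a` style lines into (hostname, ip, normalized_mac, vendor) tuples,
    skipping entries that have no MAC yet ('(incomplete)')."""
    rows = []
    for line in text.splitlines():
        m = ARP_LINE_RE.match(line.strip())
        if not m:
            continue
        host, ip, mac = m.groups()
        if not MAC_RE.fullmatch(mac):
            continue
        rows.append((host, ip, normalize_mac(mac), oui_vendor(mac, table)))
    return rows

# Constructed sample in macOS `arp -a` format; the first line mirrors the article's iPad entry.
SAMPLE_ARP = """\
margarets-ipad.abc.example.com (192.168.196.212) at 78:7b:8a:55:bb:35 on en0 ifscope [ethernet]
? (192.168.196.1) at 0:1c:b3:12:34:56 on en0 ifscope [ethernet]
? (192.168.196.77) at 6a:2f:11:aa:bb:cc on en0 ifscope [ethernet]
? (192.168.196.99) at (incomplete) on en0 ifscope [ethernet]
"""

if __name__ == "__main__":
    for host, ip, mac, vendor in parse_arp_output(SAMPLE_ARP):
        print(f"{ip:16} {mac}  {vendor or 'unknown / randomized'}  ({host})")
```

Run it as-is to see the three complete entries classified; pipe real arp -a output into parse_arp_output to classify a live table. The randomized-address check matters for inventory work: a locally administered MAC tells you nothing about the vendor, so treat a None result as "unknown" rather than "not Apple".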
Even if one or more intervening network devices, such as routers or firewalls, are present in the network path between the source and destination hosts, the time to live (TTL) value shown by the ping command provides a clue as to the likely operating system on the remote device. E.g., when I pinged the device, I saw the response below:
64 bytes from 192.168.196.212: icmp_seq=0 ttl=64 time=45.140 ms
The TTL is 64, which may indicate a Linux, OS X, MacTCP, or iOS device, but indicates that the device is probably not a Microsoft Windows system. You can see a list of TTL values used by various operating systems at Default TTL (Time To Live) Values of Different OS. If there are intervening routers, the TTL value you will see in the ping response will be decremented by the number of routers in the path. E.g., when I moved the source system to another building and pinged the same IP address, I saw a TTL value of 63. A traceroute command issued against the IP address showed a router at 192.168.156.1 in between the laptop and the iPad then.
$ ping -c 1 192.168.196.212
PING 192.168.196.212 (192.168.196.212): 56 data bytes
64 bytes from 192.168.196.212: icmp_seq=0 ttl=63 time=77.859 ms

--- 192.168.196.212 ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 77.859/77.859/77.859/0.000 ms
$ traceroute 192.168.196.212
traceroute to 192.168.196.212 (192.168.196.212), 64 hops max, 52 byte packets
 1  wcne-192.168-156-1.example.com (192.168.156.1)  122.941 ms  2.646 ms  2.360 ms
 2  margarets-ipad (192.168.196.212)  171.289 ms  7.662 ms  7.764 ms
$
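The TTL reasoning above (observed TTL, nearest common default, number of routers in between) is easy to get wrong by hand, so here is an added example, not code from the original article, that does it from ping and traceroute output. It extends the article's list with defaults I am confident of (Windows at 128; Cisco IOS and Solaris at 255) and cross-checks the router count implied by the TTL against the hops traceroute lists. The PING_SAMPLE and TRACEROUTE_SAMPLE strings are constructed from the second run shown above.

```python
import re

# Common default initial TTLs. The article's list (Linux, OS X, MacTCP and iOS at 64; Windows
# elsewhere) is extended with the well-known Windows default of 128 and the 255 used by much
# network equipment. This is a heuristic: an administrator can change a host's default.
INITIAL_TTLS = {
    64: ["Linux", "OS X / macOS", "iOS", "MacTCP"],
    128: ["Microsoft Windows"],
    255: ["Cisco IOS", "Solaris"],
}

PING_TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)
TRACEROUTE_HOP_RE = re.compile(r"^\s*(\d+)\s+\S")

def infer_initial_ttl(observed):
    """Return (initial_ttl, routers): the smallest common initial TTL not below the
    observed value, and how many routers decremented it on the way back."""
    if not 1 <= observed <= 255:
        raise ValueError("TTL must be between 1 and 255")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    return 255, 255 - observed   # not reached: 255 is the largest possible TTL

def candidate_os(observed):
    """Operating-system families whose default TTL is consistent with the observed value."""
    initial, _ = infer_initial_ttl(observed)
    return list(INITIAL_TTLS[initial])

def ttl_from_ping(output):
    """Extract the TTL from ping output, or None if no reply line is present."""
    m = PING_TTL_RE.search(output)
    return int(m.group(1)) if m else None

def router_count_from_traceroute(output):
    """Intermediate routers = highest hop number minus the final (destination) hop."""
    hops = []
    for line in output.splitlines():
        m = TRACEROUTE_HOP_RE.match(line)
        if m:
            hops.append(int(m.group(1)))
    return max(hops) - 1 if hops else None

def path_is_consistent(ping_output, traceroute_output):
    """Cross-check the two tools: the routers implied by the TTL drop should match the
    routers traceroute lists. A mismatch hints at a non-default initial TTL on the target,
    an asymmetric return path, or a middlebox answering on the target's behalf."""
    observed = ttl_from_ping(ping_output)
    routers = router_count_from_traceroute(traceroute_output)
    if observed is None or routers is None:
        return None
    return infer_initial_ttl(observed)[1] == routers

# Constructed samples based on the article's second ping/traceroute run (one router in between).
PING_SAMPLE = """\
PING 192.168.196.212 (192.168.196.212): 56 data bytes
64 bytes from 192.168.196.212: icmp_seq=0 ttl=63 time=77.859 ms
"""
TRACEROUTE_SAMPLE = """\
traceroute to 192.168.196.212 (192.168.196.212), 64 hops max, 52 byte packets
 1  wcne-192.168-156-1.example.com (192.168.156.1)  122.941 ms  2.646 ms  2.360 ms
 2  margarets-ipad (192.168.196.212)  171.289 ms  7.662 ms  7.764 ms
"""

if __name__ == "__main__":
    ttl = ttl_from_ping(PING_SAMPLE)
    initial, routers = infer_initial_ttl(ttl)
    print(f"observed ttl={ttl}: initial {initial}, {routers} router(s), candidates {candidate_os(ttl)}")
    print("consistent with traceroute:", path_is_consistent(PING_SAMPLE, TRACEROUTE_SAMPLE))
```

Keep in mind that the TTL in a ping reply reflects the return path while traceroute maps the forward path, so a False from path_is_consistent is a prompt to look closer, not proof that the TTL guess is wrong.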
Another indication that a system is an Apple system is if you see multicast DNS (mDNS) traffic originating from the system to the IP multicast address 224.0.0.51 with a source and destination UDP port of 5353, which is the registered port for mDNS traffic, attempting to look up the IP address for _sleep-proxy._udp.local when you are observing network traffic with a packet sniffer tool such as tcpdump (WinDump is a free and open-source software equivalent program for Microsoft Windows systems) or Wireshark. Apple introduced its "Sleep Proxy Service," aka Wake on Demand, with OS X Snow Leopard (10.6). The service provides a mechanism to wake a "sleeping" system from another system over the network - see Stuart Cheshire's December 2009 article on Understanding Sleep Proxy Service and the Wikipedia Bonjour Sleep Proxy article. You can set a filter in Wireshark to display mDNS packets by using a filter of udp.port == 5353.
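The Wireshark filter above shows every mDNS packet; picking out the sleep-proxy lookups means decoding the question section of each datagram. The parser below is an added example, not code from the original article or from Apple: it builds a constructed mDNS query for _sleep-proxy._udp.local (there is no captured packet here), decodes DNS names including compression pointers, masks the mDNS unicast-response bit in QCLASS, and reports whether a 5353-to-5353 datagram to the IANA-registered IPv4 mDNS group 224.0.0.251 is a sleep-proxy lookup. Truncated or malformed payloads yield False rather than an exception, which is what you want when running over untrusted traffic.

```python
import struct

MDNS_PORT = 5353
MDNS_GROUP_V4 = "224.0.0.251"          # IANA-registered IPv4 multicast group for mDNS
SLEEP_PROXY_NAME = "_sleep-proxy._udp.local"
QTYPE_PTR = 12                         # record type mDNS service browsing asks for

def build_mdns_query(name, qtype=QTYPE_PTR):
    """Build a minimal one-question mDNS query (a constructed sample, not a capture)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id 0, flags 0 (query), QDCOUNT 1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS 1 = IN

def read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers; return (name, next_offset)."""
    labels, jumped, after_pointer, hops = [], False, None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # two-byte compression pointer
            if not jumped:
                after_pointer = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (after_pointer if jumped else offset)

def parse_questions(packet):
    """Return [(qname, qtype, qclass)] from a DNS/mDNS query; [] for responses."""
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if flags & 0x8000:                                # QR bit set: this is a response
        return []
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass & 0x7FFF))   # mask the mDNS unicast-response bit
    return questions

def is_sleep_proxy_lookup(src_port, dst_port, dst_ip, payload):
    """True for a 5353 -> 5353 datagram to the mDNS group asking for _sleep-proxy._udp.local.
    Malformed or truncated payloads return False instead of raising."""
    if src_port != MDNS_PORT or dst_port != MDNS_PORT or dst_ip != MDNS_GROUP_V4:
        return False
    try:
        return any(q[0].lower() == SLEEP_PROXY_NAME for q in parse_questions(payload))
    except (struct.error, IndexError, ValueError):
        return False

# Constructed samples: a sleep-proxy lookup, a bare response header, and a two-question
# query whose second name is a compression pointer back to the first (offset 12).
SAMPLE_QUERY = build_mdns_query(SLEEP_PROXY_NAME)
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0, 0x8400, 0, 0, 0, 0)
SAMPLE_COMPRESSED = (struct.pack("!HHHHHH", 0, 0, 2, 0, 0, 0) + SAMPLE_QUERY[12:]
                     + b"\xc0\x0c" + struct.pack("!HH", 1, 0x8001))

if __name__ == "__main__":
    print(parse_questions(SAMPLE_QUERY))
    print("sleep-proxy lookup:", is_sleep_proxy_lookup(5353, 5353, MDNS_GROUP_V4, SAMPLE_QUERY))
```

To use this on live traffic, feed it the UDP ports, destination address and payload from whatever capture library you already have; the decoder itself depends only on the standard library.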