Wifi diagnostics software

Mark Sealey wrote:

arp -a only showed Ethernet devices. I couldn't immediately see a way of including wifi.

That is correct. ARP is used to display the Internet-to-Ethernet addresses. Please understand that this command is providing the contents of the ARP table on your device ... not the one on the router. You will need to access the one on the router via its administrator interface. This is where having a prosumer/business-grade router shines.

Because 'rogue' devices on my home wifi network is what I need to identify.

Beware of false positives here. That 'rogue" device may just be (as an example) an Apple iPhone that has "Private IP Address" enabled (now the default). This will show up with a random MAC address in those tables or in a third-party network scanner app. Any device that allows for MAC address 'spoofing" can cause this.

Is there a 'bespoke' tool from among those you kindly mention which will reveal the manufacturer of every wifi device

In practice? No. Again, you are aware that a portion of the MAC Address identifies the network device's manufacturer. Spoofed address will not have a manufacturer association. However, one tool you may want to try is LanScan which you can get from the Apple App Store.

A simple networking trick is to block any unknown devices, until you "hear someone cry out that they lost network access." Whether or not your router support this will depend. The AirPort Extreme has such a feature, called Timed Access Control. To test this out, you only include known MAC Addresses and allow them 24x7 wireless access. All others not identified will not be able to connect. It shouldn't take long to figure out what that device is.

The following article (a bit outdated) should prove helpful on how to set up Timed Access Control.

• How to set up Timed Access Control on your Apple AirPort router - iMore

Before getting into any third-party tools, I suggest you exhaust what already available to you with macOS.

To start with there is the Address Resolution Protocol (ARP). This protocol is used by routers and "smart" Ethernet switches to store a list of network devices that are connected to them. They are stored in a table, aptly named the ARP Table. The protocol works at the Data Link layer of the networking model and where MAC addresses reside.

Every device will provide both its MAC, and associated, IP address to this table. If you use the following command in the Terminal app: arp -a, you can view the contents of this table. To get a list of all of the associated arp commands, enter the following: man arp

You already know that a portion of the MAC address is assigned to specific networking hardware manufacturers. However, you will find that you will come across some unidentified ones that you can explore further.

Another command is netstat. This one works at the Network Layer. This can provide you information on what devices are communicating with. An example command would be: sudo netstat -an -p 4

When it comes to other methods, they include:

• A prosumer/business grade router that provide more networking tools for this purpose. As such, you may want to consider replacing your AT&T-provided router with one from another manufacturer.
• Third-party tools. It really comes down to how much detail you want to know about these devices. You do start entering into the "spying" level with some of these and you should not use these nilly-willy without fully educating yourself with both how to use them & what you are actually looking at. These tools include network "mappers" or port scanners, like NMAP, and full network traffic packet sniffers, like Wireshark.

Ref:

• How to Use the Netstat Command - Lifewire
• Understanding routing tables - TechRepublic

Being curious, I tried a few "free" network scanner apps. I tried NetSpot, as you have mentioned it, and find that it will not really do what you are looking for ... at least, not the free version.

One app that was interesting and may fit the bill is call Angry IP Scanner. Very simple, but does allow you to control the scan process parameters. It also had MAC vendor translations.

I’d change SSID and password. That disconnects all Wi-Fi devices, except for those that you explicitly re-add.

That probably won’t cure the problem, though. (I doubt it’s an unauthorized local Wi-Fi device. But weirder things have happened.)

Other issues can be local radio interference, and that’s harder to track, absent ongoing monitoring of noise and RSSI, and absent tools to scan the environment.

One Mac tool I use is WiFi Explorer app. That provides some very handy plots of what is happening with the local Wi-Fi channels.

Had one TWC/RR network that had a sketchy IP router about three hops into the TWC/RR network. Packet processing times on that particular router were most of a second, at times. Whole chain of low-two-digit traceroute millisecond times upstream, except for that router. Three and four digit millisecond hop times are Not Auspicious. That router made for an interesting network discussion with RR tech support. That TWC/RR network setup played havoc with the local network. How that router wasn’t lighting up a console somewhere?

If not some local TWC/RR legacy setup, AT&T has a really bizarre network in many areas; AT&T U-verse. Strangest local network setup I’ve met.

There are ginormous lists of MAC vendors available.

The vendor lists can be semi-useful, though the arp dump or a ping scan can show a vendor ID for some Ethernet or Wi-Fi chipset used within the connected box, and not an ID for the box vendor.

Here’s the list that Wireshark uses: https://gitlab.com/wireshark/wireshark/-/raw/master/manuf

WiFi Explorer includes a MAC vendor list.

Mark Sealey wrote:

I need some really aggressive/penetrative tool which can winkle them out :-)

Again, these are unregistered (vendor) addresses. To be more aggressive in figuring out what devices are using them, you are going to have to use networking "forensic" tools, like NMAP & Wireshark, as I mentioned earlier. The former is a port scanning tool; whereas the latter is a data packet analyzer. Both will require a learning curve to master. You will find collecting data about 1% of the effort. Analyzing it will take the other 99%.

I believe AT&T is just putting the onus on you to figure this out ... assuming that this is the real culprit here and not something a lot more common, like Wi-Fi interference ... or a faulty router.

What modem manufacturer and device name are they providing for you ?

What you might try is to login to the gateway/router that ATT provided. This can be done pretty easy, by typing the following in the Safari browser

192.168.100.1

If this doesn’t connect to router, then try downloading manual from vendor who makes device. In manual you will find the method for logging into router locally from a machine in your house. The password for said device is typically in router manual or on the bottom of router.

Once you get into the router, goto the status section and make sure everything is “operational”. I would also recommend a watchful eye on the logs for router.

The logs typically will show if there are “loss of sync” errors. These are reported when the router on your site losses sync with the equipment from ISP providing internetwork access.

I suspect this is what you’re going to see. If logs do report sync losses during the times you have issues.

If this is the case, it’s not your issue.

Call your ISP provider;ATT and let them know you’re seeing these errors on your end. Once they know you see these Loss of Sync errors, they will do something about it.

Just make your ONLY reading data, not changing any parameters.

Mark Sealey wrote:

Which part of the six-duet, 12-character MAC address can be relied upon to 'reveal' the manufacturer, please?

The first three hex pairs ...

Entering '7e:ec:d0:89:ff:05' into this site's database still reveals 'not found', 'unknown'. I have no reason to believe that any device in our living room (etc!) is spoofing its MAC address.

Yep. I got the same results. This would be an example of a spoofed address. It would be rare to be from a reliable manufacturer. Here's where you can try the Timed Access Control.

That is what I need a macOS (or iOS) tool to help me with…

Looks like we crossed paths as I provided one for your Mac. One for your iPhone/iPad would be IP Scanner that you can find at the Apple App Store.

One option before switching providers is to ask AT&T if they can provide you with a simple modem, instead of the gateway device that they gave you ... especially, if they keep giving you the same model. You then have the option to get a dedicated wireless router to work with that modem. Just a thought.

If AT&T will not provide a modem, ask them for what modems are compatible with their service, and then, you can purchase your own (& save on not paying AT&T to rent their gateway.)

If; however, you do explore service with Spectrum, now would be a good time to ask them the same question. Although it appears that a "all-in-one" gateway is the typical ISP offering, you will have much more control of your home's network, if you can choose your own equipment. Actually, if the ISP refuses to support you if you do, is a good reason not to go with them.

Yes, MrHoffman's suggestion to change your wireless SSID & password, is one of the best (& simplest) methods to thwart unwanted wireless "poachers." Definitely give that a try.

The more I read this thread, the more I'm convinced that your wireless networking woes is not due to "unknown" devices ... regardless of what AT&T is telling you. Having your gateway replaced 6x tells me that their service to your residence is spotty, at best. If they are not willing to send out a technician to fully test out your DSL line from their outside distribution box, all the way to the gateway, is another good reason to look for another provider.

FWIW, I live in a very remote location in the NW Rockies. I basically only have DSL or microwave service options with max downloads of around 40 Mbps. Stellar for this area. I only bring this up as my "lower echelon" provider (not one of the big guys) provides me with extremely reliable service, even with frequent "dirty power" outages ... so it is possible for you to have reliable service, and you should demand it. If it isn't AT&T, then switch ... however, let AT&T know that you are dissatisfied. You might find that they will offer you better service options at a substantially lower cost to persuade you not to leave. Like getting you set up with Fiber. Worth a try.

On your iPhone or iPad

Tap Settings

Tap Wi-Fi

Tap on the blue "i" next to the name of the wireless network

Turn Off Private Wi-Fi Address

The Wi-Fi Address that you see is really the MAC Address

To verify, Tap Settings on the Home Screen

Tap General

Tap About

Scroll down to see the Wi-Fi Address (MAC Address) of the iPhone / iPad