32

How can I view a list of devices that are connected to my Apple laptop via Internet Sharing (when it's enabled)? If a list doesn't exist, does Internet Sharing log DHCP requests and if so, where? Thanks.

getWeberForStackExchange
  • 549
  • 3
  • 6
  • 13

4 Answers4

32

You can try arp on the command-line:

NAME

arp -- address resolution display and control

DESCRIPTION

The arp utility displays and modifies the Internet-to-Ethernet address translation tables used by the address resolution protocol (arp(4)). With no flags, the program displays the current ARP entry for hostname. The host may be specified by name or by number, using Internet dot notation.

E.g. for internet-sharing from Ethernet to Airport I use:

arp -i en1 -a

This will list all clients connected via WLAN.

Community
  • 1
iolsmit
  • 4,435
  • 2
  • 27
  • 56
  • 13
    Just a tip: if you're unsure which interface is being used, you can always type `ifconfig` to list all of them. My MBP is connected to the internet via wifi, and I'm sharing internet to a raspberry pi over an ethernet cable. I had to use `-i bridge0` to see the device's IP address. – smessing Jan 04 '13 at 22:51
  • 1
    `arp` command will give you a snapshot of a state which might be rapidly changing, most notably if you are looking to a Wi-Fi network where devices may intermittently connect because they are on the border of the wireless sphere of access. – dan Jul 18 '13 at 22:34
  • 3
    I think a useful place to start here might be a bare `arp -a`. You probably don't have that many interfaces that are translated! – Dav Clark Sep 26 '14 at 21:43
  • @smessing this is exactly what I'm doing - thanks! – awidgery Dec 10 '15 at 12:55
  • 4
    In my case it's `-i bridge100` – Raptor Jan 19 '18 at 08:22
  • For me it's `-i bridge100` – Max Coplan Sep 27 '19 at 21:12
  • First, `ifconfig` to list the interfaces, then `arp -i -a` :) – ΔO 'delta zero' Jun 30 '20 at 13:45
13

InternetSharing does log which address gets a DHCP lease within:

/var/log/system.log

Technically it is the bootpd daemon which does take care of this part of the network access.

You can track who is getting access to your network now with this command:

tail -f /var/log/system.log | grep 'bootpd.*\[en.\]'

and for Mavericks, Yosemite & El Capitan:

tail -f /var/log/system.log | grep 'bootpd.*\[bridge.\]'

You can display who connected and when to your network with this command:

grep 'bootpd.*\[en.\]' /var/log/system.log

and for Mavericks, Yosemite & El Capitan:

grep 'bootpd.*\[bridge.\]' /var/log/system.log

If you need to track it further in the past, the command is:

bzgrep 'bootpd.*\[en.\]' `ls -tr /var/log/system.log.*.bz2`

and for Mavericks, Yosemite & El Capitan:

bzgrep 'bootpd.*\[bridge.\]' `ls -tr /var/log/system.log.*.bz2`

Finally if you'd like to immediately distinguish in these logfiles known devices from uninvited ones, the method is to fill the configuration file of bootpd which is:

/etc/bootptab

with all known MAC addresses.

dan
  • 11,624
  • 8
  • 52
  • 128
  • 2
    As of (at least) Mavericks, bootpd logs connections to a bridge rather than to the physical network device, so you'll want to grep for 'boodpf.*\[bridge.*\]' in order to find connection attempts. arp will still list connections to e.g. '-i en1', as well as to e.g. '-i bridge100'. – Olfan Mar 28 '14 at 10:34
1

In Big Sur (and probably for a few versions prior), there no longer appears to be any log entry written to /var/log/system.log by default, at least for lease renewals.

The arp method in this answer is still useful, but is a round-about way to get there given that it includes all hosts that have been contacted recently. That can result in showing either additional hosts (ie. those not associated with an Internet Sharing lease), or not all hosts (if they haven't been sent a packet recently), depending on recent activity.

A more direct method is to check the leases database at /var/db/dhcpd_leases. That will show all current leases, however that includes hosts that still have a current lease but are not currently connected. To also check for an active connection, you can pass the ip address associated with the lease to something like ping or nmap.

As described in this answer, a one-line using nmap could be:

grep ip_address /private/var/db/dhcpd_leases | cut -d= -f2 | nmap -iL - -sn

If you don't want to use nmap, you can do something similar with ping:

grep ip_address /private/var/db/dhcpd_leases | cut -d= -f2 | xargs -L1 ping -c 1

That will send one ping to every ip address for which there is a DHCP lease.

Heath Raftery
  • 491
  • 1
  • 3
  • 9
0

use ndp for ipv6 and arp for ipv4 in the terminal

ndp -a

arp -a

see the manual pages for details and options, I'm new to these and was trying to figure out the same question which seems spread over several answers in parts, over a long span of time (ipv4 not inclusive of ipv6) note too you can ping the ipv4 broadcast address directly to see who responds, I don't yet know if a rough equivalent is possible with ipv6 using ping6 or even relevant. also see https://superuser.com/questions/969831/why-is-arp-replaced-by-ndp-in-ipv6 and possibly also https://serverfault.com/questions/648140/how-to-scan-ipv6-enabled-hosts-on-my-lan and https://superuser.com/questions/495026/ipv6-find-all-hosts-in-a-prefix

jimmont
  • 1,052
  • 1
  • 9
  • 17