You open your router's device list, or a scanner app, and there it is: an entry you can't place. An IP address, maybe a cryptic name, and no idea whether it's your smart plug or your neighbor's laptop. Before you panic (or worse, ignore it), work through these steps. Most "intruders" turn out to be your own hardware.
1. Look up the MAC vendor first
Every network card carries a MAC address, and its first half identifies the manufacturer. A4:CF:12:… resolves to Espressif, which almost always means a smart-home gadget; Apple, Samsung or Amazon prefixes narrow things down fast. Your router shows the MAC next to each device, and any OUI lookup site translates it.
One catch has gotten bigger in recent years: phones and laptops now use randomized MAC addresses per Wi-Fi network by default. Those show up with a "locally administered" prefix and resolve to no vendor at all. An unknown MAC with no manufacturer is far more likely someone's iPhone with a private address than an attacker.
2. Check the hostname
A device that calls itself MacBook-Pro-von-Lisa or HS110 has identified itself already. Hostnames come from DHCP or mDNS and are visible in the router list or a scanner. No hostname? Not suspicious by itself: plenty of IoT devices simply don't announce one.
3. Let its services talk
This is where it usually clicks. Devices advertise what they are: a printer speaks IPP on port 631, a camera streams RTSP on 554, a NAS offers SMB on 445, a smart speaker announces itself via mDNS as _airplay or _googlecast. Checking open ports and mDNS/SSDP announcements identifies the majority of devices beyond doubt.
You can do this by hand with nmap if the terminal is your thing. Or let a scanner do all of the above in one pass: DeviceShelf combines MAC vendor, hostname, ports, mDNS/SSDP and a fingerprint database into a plain-language guess of what each device is. And it runs locally, without an account.
4. The process of elimination
Still unclear? Turn off the suspect candidates one by one: smart plugs, e-readers, the TV, the robot vacuum. Watch which entry goes offline. Tedious, but it settles the question. A monitoring scanner also shows the moment a device drops off, so you don't have to keep refreshing the router page.
5. If it really doesn't belong to you
Found a device that is genuinely not yours after all that? Then act in this order:
- Change the Wi-Fi password. That kicks every device off the network; only those with the new key come back. Use WPA2/WPA3 with a long passphrase.
- Check your router's guest network — a forgotten open guest Wi-Fi is the most common entry point.
- Disable WPS if it is still on; the PIN method is a known weak spot.
- Re-scan afterwards and compare: everything you recognize should be back, and the stranger should be gone.
Get told about the next one automatically
The uncomfortable truth about a manual check: it only covers today. The unknown device you find next month has been on the network since whenever. This is what continuous monitoring is for — DeviceShelf watches your network in the background and sends a notification the moment a new device joins, so the next unknown entry announces itself. There is a free 7-day trial, no account needed.