Almost Brilliant Ideas

Walking Into an Unknown Network: The First Thing I Check

When I walk into a client network for the first time, I usually don’t know much about it.

Sometimes the client thinks they know what’s on the network. Sometimes they don’t. Either way, the first problem isn’t troubleshooting.

The first problem is situational awareness.

Before I can diagnose anything, I need to understand what’s actually there.

  • What devices exist on the network?
  • What IP addresses are active?
  • Is anything new?
  • Did something disappear since the last scan?

Without that context, you’re basically working blind.

The Reality of Most Network Scanners

Most mobile network scanners work the same way.

You run a scan and you get a list like this:

192.168.1.10  DESKTOP-9F2A
192.168.1.12  ESP-4D21
192.168.1.15  android-71bf
192.168.1.18  UNKNOWN

Technically that’s useful. It tells you which IPs respond.

But when you're standing in an office trying to figure out what changed after you just rebooted a device or unplugged something, it doesn’t really answer the question you care about.

The real question is:

What changed?

Did a new device appear?

Did a device disappear?

Did something that was offline come back?

That kind of information is much more useful when you're troubleshooting.

The Problem With Single Snapshots

Most scanners give you a snapshot of the network at that moment.

That’s useful, but in the field you usually need something slightly different.

A typical workflow looks more like this:

  1. Walk into the environment and run a scan
  2. Look at what devices are present
  3. Make a change (restart something, unplug something, fix something)
  4. Scan the network again

Now you want to see what changed between those two scans.

Maybe a device disappeared.

Maybe something came back online.

Maybe a new device showed up after a reboot.

For example, the first scan might look like this:

Router
Printer
Lucy's Workstation
Conference Tablet
Security Camera

Then after you restart a device or reconnect hardware, the second scan might look like this:

Router
Printer
Lucy's Workstation
Conference Tablet
Security Camera
Unknown Device

That difference is often the clue you need.

In many troubleshooting situations, the two scans are only minutes apart. The goal is simply to make changes visible so you don’t have to manually compare two long device lists.

Situational Awareness

In the field, situational awareness is everything.

If something strange is happening on a network, it’s often because something changed:

  • a new device appeared
  • a device dropped off the network
  • an IoT device reconnected
  • someone plugged in a random piece of hardware

Being able to quickly see those changes makes troubleshooting much easier.

Instead of guessing, you start with a clear map of the environment.

What I Actually Check First

When I connect to a network, the first thing I want is a quick scan of the subnet.

From that scan I’m looking for three things:

  • New devices
  • Missing devices
  • Devices that came back online

If I’ve just made a change to the network, those differences usually jump out immediately.

That gives me context for whatever problem I was called to solve.

Making Scan Results Readable

Another small but important thing is naming devices.

Hostnames on real networks are often useless:

DESKTOP-4F12
ESP-71B3
UNKNOWN

When you rename devices, the scan becomes much more readable:

Front Desk Printer
Lucy's Workstation
Security Camera
Conference Tablet

Now the scan becomes something closer to documentation.

The Tool I Ended Up Building

After doing this kind of work for years, I eventually built a small Android tool that focuses on situational awareness instead of just listing IP addresses.

One of the most useful features turned out to be very simple: highlighting what changed between scans.

  • Blue shows a device that just appeared on the network
  • Red shows a device that disappeared
  • Green shows a device that came back online
  • White/gray shows devices that are still present

[Screenshot: EasyIP Scan Android network scanner interface showing a subnet scan with device list and color-coded status indicators for new, missing, returning, and active devices.]

Instead of manually comparing two device lists, the differences jump out immediately.
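
The scan-to-scan comparison described above can be sketched in Python. This is an added example, not code from EasyIP Scan. Keying devices on MAC address, treating the first scan as a baseline, the `ScanHistory` name and the sample data are all assumptions made for illustration.

```python
import ipaddress

NEW, MISSING, RETURNED, PRESENT = "new", "missing", "returned", "present"

class ScanHistory:
    """Tracks devices across scans, keyed on MAC address (an assumption)."""
    def __init__(self, labels=None):
        self.labels = dict(labels or {})  # MAC -> friendly name
        self.last_ip = {}                 # MAC -> last IP, for every device ever seen
        self.previous = set()             # MACs that answered the previous scan

    def update(self, scan):
        """scan is {mac: ip}. Returns {mac: status} and records the scan."""
        baseline = not self.last_ip       # first scan: nothing to compare against
        status = {}
        for mac in scan:
            if baseline or mac in self.previous:
                status[mac] = PRESENT     # white/gray
            elif mac in self.last_ip:
                status[mac] = RETURNED    # green: seen before, absent last scan
            else:
                status[mac] = NEW         # blue
        for mac in self.previous - set(scan):
            status[mac] = MISSING         # red: answered last time, silent now
        self.last_ip.update(scan)
        self.previous = set(scan)
        return status

    def report(self, status):
        """One line per device, ordered numerically by IP address."""
        order = sorted(status, key=lambda m: ipaddress.ip_address(self.last_ip[m]))
        return [f"{status[m]:<9}{self.last_ip[m]:<14}{self.labels.get(m, 'Unknown Device')}"
                for m in order]

# Constructed sample data: locally administered MACs, private addresses.
ROUTER, PRINTER, CAMERA, STRANGER = (f"02:00:00:00:00:0{i}" for i in range(1, 5))
LABELS = {ROUTER: "Router", PRINTER: "Printer", CAMERA: "Security Camera"}
SCAN_1 = {ROUTER: "192.168.1.1", PRINTER: "192.168.1.12", CAMERA: "192.168.1.20"}
SCAN_2 = {ROUTER: "192.168.1.1", PRINTER: "192.168.1.12"}  # camera unplugged
SCAN_3 = {**SCAN_1, STRANGER: "192.168.1.18"}  # camera back, plus one unlabelled device

def demo():
    history = ScanHistory(LABELS)
    return [history.report(history.update(s)) for s in (SCAN_1, SCAN_2, SCAN_3)]

if __name__ == "__main__":
    for lines in demo():
        print("\n".join(lines), end="\n\n")
```

Keying on MAC keeps a device's identity and label across DHCP lease changes, but a client that randomizes its MAC address will show up as new each time the address rotates.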

The tool also:

  • automatically detects the subnet
  • scans the network quickly
  • allows devices to be renamed so results make sense

It supports scanning larger networks (up to /22) and includes a few optional port scan modes when you want a little more detail.

The goal wasn’t to replace full network analysis tools.

It was to make the first step of troubleshooting fast and clear.

If you're curious, the tool is called EasyIP Scan™.

https://easyipscan.app
