Show Active Connections to "Internet Sharing"

network internet logs internet-sharing

How can I view a list of devices that are connected to my Apple laptop via Internet Sharing (when it's enabled)? If a list doesn't exist, does Internet Sharing log DHCP requests and if so, where? Thanks.


Solution 1:

You can try arp on the command-line:

NAME

arp -- address resolution display and control

DESCRIPTION

The arp utility displays and modifies the Internet-to-Ethernet address translation tables used by the address resolution protocol (arp(4)). With no flags, the program displays the current ARP entry for hostname. The host may be specified by name or by number, using Internet dot notation.

E.g. for internet-sharing from Ethernet to Airport I use:

arp -i en1 -a

This will list all clients connected via WLAN.

Solution 2:

InternetSharing does log which address gets a DHCP lease within:

/var/log/system.log

Technically it is the bootpd daemon which does take care of this part of the network access.

You can track who is getting access to your network now with this command:

tail -f /var/log/system.log | grep 'bootpd.*\[en.\]'

and for Mavericks, Yosemite & El Capitan:

tail -f /var/log/system.log | grep 'bootpd.*\[bridge.\]'

You can display who connected and when to your network with this command:

grep 'bootpd.*\[en.\]' /var/log/system.log

and for Mavericks, Yosemite & El Capitan:

grep 'bootpd.*\[bridge.\]' /var/log/system.log

If you need to track it further in the past, the command is:

bzgrep 'bootpd.*\[en.\]' `ls -tr /var/log/system.log.*.bz2`

and for Mavericks, Yosemite & El Capitan:

bzgrep 'bootpd.*\[bridge.\]' `ls -tr /var/log/system.log.*.bz2`

Finally if you'd like to immediately distinguish in these logfiles known devices from uninvited ones, the method is to fill the configuration file of bootpd which is:

/etc/bootptab

with all known MAC addresses.

Solution 3:

In Big Sur (and probably for a few versions prior), there no longer appears to be any log entry written to /var/log/system.log by default, at least for lease renewals.

The arp method in this answer is still useful, but is a round-about way to get there given that it includes all hosts that have been contacted recently. That can result in showing either additional hosts (ie. those not associated with an Internet Sharing lease), or not all hosts (if they haven't been sent a packet recently), depending on recent activity.

A more direct method is to check the leases database at /var/db/dhcpd_leases. That will show all current leases, however that includes hosts that still have a current lease but are not currently connected. To also check for an active connection, you can pass the ip address associated with the lease to something like ping or nmap.

As described in this answer, a one-line using nmap could be:

grep ip_address /private/var/db/dhcpd_leases | cut -d= -f2 | nmap -iL - -sn

If you don't want to use nmap, you can do something similar with ping:

grep ip_address /private/var/db/dhcpd_leases | cut -d= -f2 | xargs -L1 ping -c 1

That will send one ping to every ip address for which there is a DHCP lease.

Related

Syncing non-Amazon purchased eBooks between Kindle, iPad, and iPhone
How can I use an existing Time Machine backup with my new computer?
How do I disable this message: "the disk was not ejected properly"?
MacBook Pro black screens and shuts off after a few minutes' use
How to make a Mac OS X .app with a shell script?
How to sync an additional folder to iCloud Drive similar to how macOS Sierra does it?
MacBook Pro 15" Retina mid 2014 random shutdowns [duplicate]
Can anyone recommend a programmers' editor?
How to use WiFi and Ethernet at the same time
What is the new turbo boost in the MacBook line?
Can I get windows 7 like window resizing on Mac OS X? [duplicate]
How to know if Mac OS X machine is being remotely viewed?