How On-Device ML Identifies Unknown Devices on Your Network
Run a scan of your home network and you'll get a list that looks something like this: 192.168.1.1, 192.168.1.14, 192.168.1.57, 192.168.1.103. Maybe a few of them carry a MAC address too. But none of it answers the only question you actually care about: who or what is 192.168.1.57? Is it your TV, a neighbour's phone, or something that shouldn't be there at all?
Turning a raw address into a human name is harder than it sounds, and how an app does it has real consequences for your privacy. In this post the PingKit team walks through the signals a device leaks, how on-device machine learning stitches those weak clues into a confident guess, and why we do all of it without ever uploading a map of your network.
The Problem: Addresses Aren't Names
A network scan, like the one in PingKit's LAN Scanner, works at the plumbing level of your network. It can reliably discover two things about each device:
- An IP address — a temporary number your router hands out, like a seat assignment that changes between sessions.
- A MAC address — a hardware identifier baked into the network chip, like a serial number for the radio.
Neither tells you anything human. There is no field in the network protocol called "this is the kid's iPad." The device never announces, in plain language, what it is. So an honest scanner is left holding a list of cryptic numbers, and the work of identification has to happen on top of that.
The Signals a Device Leaks
The good news is that most devices are surprisingly chatty. Even without trying to identify themselves, they scatter clues across the network. None of these clues is conclusive on its own, but each one narrows the field.
1. The MAC Address OUI (Vendor Prefix)
The first half of a MAC address is the Organizationally Unique Identifier, or OUI — a block assigned to a specific manufacturer by the IEEE. So a MAC that starts with an Apple-registered prefix tells you the network chip was made by Apple, and one starting with a Roku prefix points to a Roku.
This is a strong starting point, but "made by Apple" could mean an iPhone, an iPad, a Mac, an Apple TV, or a HomePod. The OUI narrows the brand; it rarely pins down the product.
2. mDNS / Bonjour Names and Service Types
Many devices advertise themselves over multicast DNS (Bonjour). A printer might announce a _ipp._tcp service, a media device an _airplay._tcp or _googlecast._tcp service, and almost everything advertises a friendly name like "Kitchen HomePod" or "HP-OfficeJet-8702." PingKit's Bonjour Browser lets you see these advertisements directly. A service type is one of the richest clues available: a device advertising a casting protocol is almost certainly a streaming device or smart TV.
3. Hostname Patterns
When a device joins the network it usually tells the router a hostname. These often follow recognisable patterns — "Galaxy-S24," "DESKTOP-8F2K1," "espressif" (a common chip in DIY smart-home gadgets), or "amazon-a1b2c3." A hostname is easy to read but easy to fake, so it's treated as a hint, not proof.
4. Open Ports and Service Fingerprints
A quick look at which ports a device has open, the kind of check PingKit's Security Scan performs, says a lot about its role. A device exposing a printing port behaves like a printer; one exposing a web-management interface and an RTSP video stream behaves like an IP camera; a NAS exposes file-sharing services. The shape of the open ports is a behavioural fingerprint.
5. DHCP Hints
When a device requests an address, its DHCP request can carry a vendor class identifier and a particular ordering of requested options. These details vary subtly between operating systems and device families, giving yet another weak-but-useful signal about what kind of system is asking.
How On-Device ML Combines the Clues
Here's the crux: no single signal is reliable. An OUI can be generic. A hostname can be blank. A device might advertise nothing. But the signals tend to agree when you have several of them, and they tend to disagree in revealing ways when one is missing or spoofed. That's exactly the kind of messy, multi-clue problem machine learning is good at.
Instead of a rigid lookup table that says "this exact MAC equals this exact model," a learned classifier weighs all the signals together. An Apple OUI, plus an AirPlay service, plus a hostname containing "Apple-TV," plus an open AirPlay port, combine into a high-confidence "Apple TV." Take away the hostname and the other three still carry the verdict. Swap the service for a casting protocol and the model leans toward a different streaming box instead.
The output isn't just a label — it's a label with a confidence level and a category, such as "likely a smart TV," "probably an iPhone," or "a network printer." When the evidence is thin, the confidence drops, and the device is honestly presented as uncertain rather than dressed up with a false-precision name.
The key point: identification is probabilistic, not a database lookup. PingKit reasons from the clues your devices already broadcast, which is why it can make a sensible guess even for hardware it has never seen before.
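To make the weighing concrete, here is an added example (not PingKit's model or code) that sums per-signal evidence for each category and converts the totals into a confidence, falling back to "unknown" when the evidence is thin. The weights, the category names, the 0.7 threshold and the sample devices are all constructed for illustration.

```python
import math

CATEGORIES = ("apple_tv", "cast_streamer", "printer", "ip_camera")

# Constructed log-evidence weights; a trained model would learn these from data.
WEIGHTS = {
    ("oui", "apple"): {"apple_tv": 1.5},
    ("mdns", "_airplay._tcp"): {"apple_tv": 2.0},
    ("mdns", "_googlecast._tcp"): {"cast_streamer": 3.0},
    ("mdns", "_ipp._tcp"): {"printer": 3.0},
    ("hostname", "apple-tv"): {"apple_tv": 2.0},
    ("port", 7000): {"apple_tv": 1.0},    # AirPlay
    ("port", 631): {"printer": 1.5},      # IPP printing
    ("port", 554): {"ip_camera": 2.5},    # RTSP video
}

def features(device):
    """Turn raw scan observations into the feature keys used in WEIGHTS."""
    found = set()
    if device.get("oui_vendor"):
        found.add(("oui", device["oui_vendor"].lower()))
    found.update(("mdns", s.lower()) for s in device.get("mdns", []))
    found.update(("port", p) for p in device.get("ports", []))
    host = (device.get("hostname") or "").lower()
    found.update(k for k in WEIGHTS if k[0] == "hostname" and k[1] in host)
    return found

def classify(device, threshold=0.7):
    """Return (label, confidence); label is 'unknown' when evidence is thin."""
    scores = dict.fromkeys(CATEGORIES, 0.0)
    for key in features(device):
        for category, weight in WEIGHTS.get(key, {}).items():
            scores[category] += weight
    total = sum(math.exp(s) for s in scores.values())  # softmax denominator
    best = max(scores, key=scores.get)
    confidence = math.exp(scores[best]) / total
    return (best if confidence >= threshold else "unknown", round(confidence, 3))

# Constructed sample devices.
FULL = {"oui_vendor": "Apple", "mdns": ["_airplay._tcp"],
        "hostname": "Apple-TV-Lounge", "ports": [7000]}
NO_HOSTNAME = {**FULL, "hostname": None}
OUI_ONLY = {"oui_vendor": "Apple"}
SILENT = {}

if __name__ == "__main__":
    for d in (FULL, NO_HOSTNAME, OUI_ONLY, SILENT):
        print(classify(d))
```

With these weights the hostname can be dropped without changing the verdict, while an Apple OUI on its own stays below the threshold and is reported as unknown.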
The Privacy Contrast
This is where the design choice matters most. Many popular network scanners, Fing being the best-known example, identify devices by sending a fingerprint of each one to the company's servers, where it's matched against a large central database. That approach can be accurate, but it has a cost most people never think about: a map of your private network is leaving your device. The make and model of everything in your home, when devices come and go, the rhythms of your household, all of it can flow to a third party.
PingKit takes the opposite approach. The classification runs entirely on your iPhone or Mac. The signals are gathered locally, the model that interprets them runs locally, and the resulting names stay on your device. Your network map is never uploaded for identification. For a tool whose whole job is helping you secure your network, we think keeping that network's map private is the only defensible default. If you've ever worried that someone is stealing your WiFi, the last thing you want is your inventory of devices sitting in someone else's cloud.
Honest Limitations
On-device identification is powerful, but it isn't magic, and we'd rather be straight about where it falls short.
- MAC randomization. Modern phones and laptops increasingly use randomized MAC addresses for privacy. That's good for you in general, but it hides the OUI vendor prefix, removing one of the strongest signals.
- Generic or rebranded OUIs. Plenty of gadgets use a network chip from a component vendor, so the OUI maps to the chip maker rather than the product on the box. A no-name smart plug and a fancy one might share the same prefix.
- Silent devices. Some devices advertise nothing over mDNS, report no hostname, and keep every port closed. With almost no signal to work from, the honest answer is "unknown."
- The cloud-database edge case. A large server-side fingerprint database, updated constantly from millions of users, can sometimes name an obscure model that an on-device approach can only categorise generically. We accept that trade-off because the privacy gain is worth it — and a correct category ("a smart plug") is usually all you need.
When PingKit can't be confident, it says "unknown" rather than inventing a name. An unknown device you can investigate is far more useful than a confident wrong guess.
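The OUI signal from the vendor-prefix section and the MAC randomization limitation above can both be read off the first octet of the address. This added example (not PingKit's code) parses a MAC in common notations and reports whether its prefix is usable as a vendor clue; the function name, the returned field names and the one-entry OUI table are constructed for illustration.

```python
import re

# Constructed OUI table for illustration; real assignments come from the IEEE registry.
SAMPLE_OUI_TABLE = {"001122": "ExampleVendor (constructed)"}

def analyze_mac(mac, oui_table=SAMPLE_OUI_TABLE):
    """Parse a MAC address and report what its vendor prefix is worth as a signal."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac) or len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(digits[:2], 16)
    # Bit 0x02 of the first octet marks a locally administered address:
    # randomized or software-assigned, so the prefix is not an IEEE vendor block.
    local = bool(first_octet & 0x02)
    # Bit 0x01 marks a group (multicast) address, which is not one device's identity.
    multicast = bool(first_octet & 0x01)
    oui = digits[:6]
    vendor = None if (local or multicast) else oui_table.get(oui)
    return {
        "oui": oui,
        "locally_administered": local,
        "multicast": multicast,
        "vendor": vendor,
        "oui_signal_usable": vendor is not None,
    }

# Constructed sample addresses in three notations.
SAMPLES = [
    "00-11-22-aa-bb-cc",   # universally administered, prefix in the sample table
    "0011.22aa.bbcc",      # same address in dotted notation
    "3A:5F:12:00:9C:01",   # locally administered: typical of a randomized MAC
    "00:99:88:01:02:03",   # universally administered, prefix not in the table
]

if __name__ == "__main__":
    for mac in SAMPLES:
        print(mac, analyze_mac(mac))
```

A locally administered address is not proof of privacy randomization, since virtual machines and manually set addresses use the same bit, but in every such case the prefix should be discarded as a vendor signal.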
Why Naming Matters for Catching Intruders
All of this identification work serves one very practical goal: making the odd one out obvious. When your network list is a wall of hex addresses, an intruder blends right in. But when every device carries a sensible label, your TV, your laptop, the kids' tablets, the robot vacuum, anything that doesn't fit jumps out. A device from a vendor you've never bought from, or one that simply reads "unknown," is exactly the thing worth a second look.
Naming is what turns a scan into situational awareness. Our guide on how to detect unknown devices on WiFi walks through the manual version of this process; on-device ML automates the tedious part so you can focus on the one entry that doesn't belong.
Always-On Detection with the Free Mac Agent
Scanning by hand only catches what's connected at the moment you happen to look. The intruder who joins at 2am is long gone by morning. That's why PingKit's Mac Agent, free with Guardian, runs the same on-device identification continuously in the background.
The Agent keeps a baseline of the devices it has learned to recognise on your network. When a new or unknown device appears, day or night, it classifies it on the spot and sends you an alert with whatever it could work out: the likely vendor, the device category, and a clear flag if it can't identify the device at all. No network map gets uploaded to do it. You get 24/7 watchfulness with the same privacy guarantee as a manual scan: your network stays your business.
See What's Really on Your Network
PingKit identifies the devices on your network on-device, no cloud lookup, no uploaded network map. Pair it with the free Mac Agent for round-the-clock alerts when something new joins.