WhoIsOutThere
Local Area Network discovery tool with a modern Terminal User Interface (TUI). Discover, explore, and understand your LAN in an intuitive way.
Install / Use
/learn @Logisek/WhoIsOutThereREADME
WhoIsOutThere
Local Area Network discovery tool with a modern Terminal User Interface (TUI). Discover, explore, and understand your LAN in an intuitive way.
WhoIsOutThere performs unprivileged, concurrent scans using mDNS, SSDP, and ARP discovery. It sweeps the local subnet to trigger ARP resolution, then reads the ARP cache to identify devices on your network. All discovered devices are enhanced with OUI lookups to display manufacturers when available.
Features
- Modern TUI — Navigate and explore discovered devices with Textual
- Fast & Concurrent — Leverages multiple discovery methods simultaneously
- No Elevated Privileges Required — Runs entirely in user-space
- Device Enrichment — MAC vendor lookup (built-in + online) and device type classification
- Daemon Mode with HTTP API — Run in the background and integrate with other tools
- Theming & Configuration — Personalize the look and behavior via YAML configuration
- Integrated Port Scanner — Async TCP port scanning with configurable concurrency
- Smart Classification — Automatically identifies device types (router, printer, phone, etc.)
- Local Host Exclusion — Automatically excludes the host machine from scan results.
Platform Support
- [x] Windows (primary, tested)
- [x] Linux (supported via
/proc/net/arp) - [ ] macOS (planned)
Requirements
- Python 3.10+
- PyYAML (for configuration)
- textual (for TUI)
- aiohttp (for daemon HTTP API)
- zeroconf (for mDNS scanning)
Installation
pip install -r requirements.txt
Or install with optional dependencies:
# Core only (scan command)
pip install PyYAML zeroconf
# With TUI support
pip install PyYAML zeroconf textual
# With daemon HTTP API
pip install PyYAML zeroconf aiohttp
# With clipboard support (for copying IPs)
pip install PyYAML zeroconf textual pyperclip
# All features
pip install PyYAML zeroconf textual aiohttp pyperclip
Usage
Interactive TUI
Run the TUI for interactive discovery (default command):
python -m whoisoutthere
# or explicitly:
python -m whoisoutthere tui
One-Time Scan
Run a single scan and print results to stdout:
python -m whoisoutthere scan
Auto-Select Mode (Recommended):
The simplest way to run a scan is with --auto, which automatically selects the best available scanners based on your system's capabilities:
# Automatically use the best scanners for your system
python -m whoisoutthere scan --auto
# Auto with port scanning
python -m whoisoutthere scan --auto --ports
# Auto with passive monitoring (if admin + libpcap available)
python -m whoisoutthere scan --auto --passive
When running with admin privileges and scapy/libpcap installed, --auto will use:
- ActiveArpScanner — Raw ARP requests for reliable discovery
- IcmpPingScanner — Raw ICMP for fast ping sweeps (10-100x faster)
- MdnsScanner — mDNS/Bonjour service discovery
- SsdpScanner — UPnP/SSDP discovery
Without admin privileges, it falls back to:
- ArpScanner — OS ARP cache reading
- PingScanner — System ping command
- MdnsScanner & SsdpScanner — Service discovery
Include port scanning on discovered devices:
python -m whoisoutthere scan --ports
# or short form:
python -m whoisoutthere scan -p
Use privileged scanners (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
python -m whoisoutthere scan --privileged
The --privileged flag enables advanced scanners for more reliable device discovery:
- ActiveArpScanner — Sends raw ARP requests instead of reading the ARP cache
- IcmpPingScanner — Sends raw ICMP echo requests (10-100x faster than system ping)
Enable passive ARP monitoring to discover devices stealthily (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
# Monitor ARP traffic for 30 seconds (default)
python -m whoisoutthere scan --passive
# Monitor for a custom duration
python -m whoisoutthere scan --passive --passive-time 60
# Combine with active scanning for comprehensive discovery
python -m whoisoutthere scan --privileged --passive --passive-time 45
The --passive flag enables PassiveArpMonitor which sniffs ARP traffic without sending any packets. This is useful for:
- Stealth discovery — Doesn't alert network intrusion detection systems
- Intermittent devices — Catches devices that communicate periodically
- Mobile devices — Detects phones/tablets as they wake up and communicate
Enable DHCP sniffing to catch devices as they join the network (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
# Monitor DHCP traffic for 60 seconds (default)
python -m whoisoutthere scan --dhcp
# Monitor for a custom duration
python -m whoisoutthere scan --dhcp --dhcp-time 120
# Combine with active and passive scanning for comprehensive discovery
python -m whoisoutthere scan --privileged --passive --dhcp
The --dhcp flag enables DhcpSniffer which monitors DHCP Discover/Request/ACK packets. This is especially useful for:
- New devices — Catches devices the moment they obtain an IP address
- Hostname extraction — Gets device hostname from DHCP options (Option 12)
- Device identification — Extracts vendor class identifier for better classification
- Dynamic networks — Ideal for networks with frequently joining/leaving devices
Enable TCP SYN (half-open) scanning for faster, stealthier port scans (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
# Use SYN scanning instead of TCP connect
python -m whoisoutthere scan --ports --syn
# Combine with privileged discovery for complete privileged scanning
python -m whoisoutthere scan --privileged --ports --syn
The --syn flag enables SynScanner which sends TCP SYN packets and analyzes responses without completing the three-way handshake. This provides:
- Faster scanning — No full TCP connection overhead
- Stealthier operation — Less likely to trigger application-level logging
- Better results on firewalled hosts — Works even when hosts drop after SYN+ACK
- Host detection — Discovers hosts even when all ports are closed (via RST responses)
Enable IPv6 Neighbor Discovery Protocol (NDP) scanning to find IPv6-only and dual-stack devices (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
# Scan for IPv6 devices on the local network
python -m whoisoutthere scan --ipv6
# Combine with other privileged scanners
python -m whoisoutthere scan --privileged --ipv6
# Full privileged scan including IPv6
python -m whoisoutthere scan --privileged --passive --ipv6 --ports --syn
The --ipv6 flag enables Ndp6Scanner which uses ICMPv6 Neighbor Discovery Protocol to find IPv6 hosts:
- Multicast ping — Sends ICMPv6 Echo Request to ff02::1 (all-nodes multicast)
- Router discovery — Sends Router Solicitation to ff02::2 to discover IPv6 routers
- Dual-stack devices — Finds devices that have IPv6 addresses even if they also have IPv4
- IPv6-only devices — Discovers devices that may not respond to IPv4 discovery methods
Enable LLDP/CDP sniffing to discover network infrastructure devices like switches and routers (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
# Monitor LLDP/CDP traffic for 60 seconds (default)
python -m whoisoutthere scan --lldp
# Monitor for a custom duration
python -m whoisoutthere scan --lldp --lldp-time 120
# Combine with other privileged scanners
python -m whoisoutthere scan --privileged --lldp
The --lldp flag enables LldpScanner which monitors Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP) announcements. This is especially useful for:
- Network infrastructure — Discovers switches, routers, and managed network devices
- Port identification — Shows which switch port your device is connected to
- Device details — Extracts model, software version, and capabilities
- Management IPs — Gets management IP addresses for network devices
- VLAN info — Captures native VLAN and VTP domain (CDP)
Enable NetBIOS/LLMNR sniffing to passively capture Windows hostnames (requires admin + scapy/libpcap):
# Windows: Run as Administrator
# Linux: Run with sudo
# Monitor NetBIOS/LLMNR traffic for 60 seconds (default)
python -m whoisoutthere scan --nbns
# Monitor for a custom duration
python -m whoisoutthere scan --nbns --nbns-time 120
# Combine with other privileged scanners
python -m whoisoutthere scan --privileged --nbns
The --nbns flag enables NbnsLlmnrSniffer which passively captures NetBIOS Name Service (UDP port 137) and Link-Local Multicast Name Resolution (LLMNR, UDP port 5355) traffic. This is especially useful for:
- Windows hostnames — Captures Windows device hostnames without active queries
- Service discovery — Extracts NetBIOS service types (Workstation, File Server, Domain Controller, etc.)
- Name conflicts — Detects NetBIOS name registration and conflicts
- Modern Windows — LLMNR captures work with Windows Vista and later when DNS fails
- Passive operation — Works without sending any packets, completely stealthy
Comprehensive Privileged Scanning
For the most thorough network discovery, combine all privileged options:
# Windows: Run as Administrator
# Linux: Run with sudo
# Full privileged scan with all features (takes ~60s due to passive monitoring)
python -m whoisoutthere scan --privileged --passive --dhcp --ipv6 --lldp --nbns --ports --syn
# Faster privileged scan without passive monitoring (~10s)
python -m whoisoutthere scan --privileged --ports --syn
# Privileged discovery with standard TCP connect port scan
python -m whoisoutthere scan --privileged --ports
Note: The --privileged flag enables
