any way to detect iPads or iPhones on wireless network? bonjour?

gnychis picture gnychis · Sep 24, 2011 · Viewed 11.8k times · Source

I am trying to detect Apple devices connected to a wireless network. This is relatively simple using Bonjour, however I am also trying to detect what kind of device it is. Like, a MacBook Air, a MacBook Pro, a MacPro, an iPhone, iPod, or an iPad.

I have found that Bonjour requests to MacBook's and MacPros include an "ADDITIONAL SECTION" response to the query which includes the model:

;; ADDITIONAL SECTION:
Q9550._device-info._tcp.local. 10 IN    TXT "model=MacPro3,1"

and

;; ADDITIONAL SECTION:
Air._device-info._tcp.local. 10 IN  TXT "model=MacBookAir4,2"

From testing an iPhone (3GS and 4), an iPod touch, and an iPad2, all of the iDevices only respond with their name:

;; ANSWER SECTION:
111.1.168.192.in-addr.arpa. 10  IN  PTR gmPad2.local.

Clearly, the name may not reflect the device. So, I would not like to try to extrapolate the type of device from the name. Does anyone know any other ways to detect iDevice types?


Edit: just to be clear, the command I am using is: dig @224.0.0.251 -p5353 -x 192.168.1.111 ... substituting the IP address of the Apple device

Answer

robocat picture robocat · Oct 4, 2011

Use port 62078

The most reliable indicator I have seen is whether you can connect to IP port 62078.

Port 62078 is used for the "iphone-sync" service, and I don't think MacBooks use it. This port always appears to be open for the iPhones and iPads on our (very small) network.

Possibly (but not probably) there are messages you can send to the port to sniff out more details...

I think the official xml list of port assignements is here, although it wasn't working for me just now: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml

MAC address

In theory the MAC addresses might help - but probably not much use unless you can find somewhere that maintains a reliable list of ranges (e.g. a network security firm, or hardware provider). MAC addresses do depend on the actual chips used (or a flashed MAC). The database is at the organisation level (although organisations sometimes choose to use specific ranges for specific devices).

http://standards.ieee.org/develop/regauth/oui/public.html allows you to download the database of "Organizationally Unique Identifiers", or you can look up "Apple", or the first three bytes of a MAC address e.g. 00264A.

Anecdotally, the MAC lookup doesn't work... First three digits of my iPad MAC are 28-68-BA and that comes up with nothing.

User agent

Probably not useful, but if you can watch the network traffic or have an http proxy, then the user-agent string could help (see http://developer.apple.com/library/IOS/documentation/AppleApplications/Reference/SafariWebContent/OptimizingforSafarioniPhone/OptimizingforSafarioniPhone.html#//apple_ref/doc/uid/TP40006517-SW3).

Edit (added):

Apple’s Bonjour protocol relies on Multicast DNS (mDNS) operating at UDP port 5353 and sends to these reserved group addresses: IPv4 Group Address - 224.0.0.251, IPv6 Group Address - FF02::FB - reference.

This would help get push notification when Apple devices connect to a local network (link-local) by listening for multicast messages on 5353 UDP. Perhaps sniff the packet and see if it has any extra information in it :)

Although I presume that Bonjour API also allows for seeing this...