A look under the hood at how KillerScan finds every device on your network, works out who made it, and figures out what it is.
Tech stack
KillerScan is a native Windows app. There is no Electron, no browser engine, no runtime to install, and no separate scanner program running behind the scenes. Everything listed below ships inside a single .exe that runs on its own:
| Component | Detail |
|---|---|
| UI | WPF on .NET Framework 4.8 (net48), x64, custom window chrome |
| Host discovery | ARP cache parse + SendARP P/Invoke (iphlpapi.dll), async parallel ICMP ping sweep |
| Port scan | Raw async TcpClient connect probes, throttled |
| Service discovery | mDNS and SSDP over raw UdpClient multicast sockets. The underlying network packets are built and read by hand. |
| Vendor data | Full IEEE manufacturer database (~57,000 entries across MA-L, MA-M, and MA-S) built into the app |
| Packaging | Single executable. Install it for your user account or run it portable. |
Install & data
KillerScan is a single .exe. Put it anywhere and run it as is, or use the built-in installer, which copies the app into your user folder, adds a Start Menu shortcut, and registers a normal Windows uninstall entry just for your account. It needs no admin rights, no .NET runtime, and nothing else installed. When you run it from outside its installed location, a PORTABLE badge and an Install KillerScan... button appear in the status bar.
The scan pipeline
A scan runs in two stages. First KillerScan finds every device that is switched on and connected. Then it takes a closer look at each of those devices at the same time. Doing it in that order means the slow, detailed work only happens for addresses that actually replied, which keeps the whole scan fast.
Phase 0: building the address list
You give KillerScan a range of addresses to check, written in the usual shorthand like 192.168.8.0/24. That "/24" simply means the block of 256 addresses on your local network. KillerScan turns it into the full list of addresses worth testing. It also reads three things from your active network connection: your own address, your router's address (the gateway), and the DNS server you are set to use. Those are passed to the classifier so the router can be labelled correctly later on.
Phase 1: discovery (who is out there?)
Three things happen at roughly the same time:
- Reading the ARP cache. Windows keeps a small table that matches recently seen addresses to the hardware ID (the MAC address) of each device. ARP is the protocol that builds that table. KillerScan reads it first to get an instant list of devices Windows has talked to lately.
- Ping sweep. KillerScan pings every address on the list at once, where a ping is just the "are you there?" message that the
pingcommand sends. It keeps around 200 going at a time and gives each one half a second to answer, so a typical home network finishes in a couple of seconds. - A second ARP read. Many devices ignore pings but still respond at the lower hardware level, including a lot of phones, tablets, and smart-home gadgets. The pings quietly prompt Windows to record those devices in its table, so reading it again right after the sweep catches devices the ping alone would have missed. A direct hardware request fills in anything still missing.
At the same time, KillerScan sends out two broadcast questions that many devices answer automatically. The first is mDNS (also called Bonjour), which Apple devices, printers, and Chromecasts use to announce themselves on a network. The second is SSDP (part of UPnP), used by smart TVs, media players, and similar gear. KillerScan listens a short, fixed time for each (about a second and a half) and matches every reply back to the device that sent it. Because the listening windows are short, this finishes about when the ping sweep does and the scan stays quick.
Phase 2: taking a closer look at each device
Every device found in Phase 1 is now examined at the same time, with a sensible limit so a large network does not try to open thousands of connections at once. For each device, KillerScan:
- Checks a short list of network ports to see which are open. A port is like a numbered door into a device, and each common service (web, file sharing, remote desktop, and so on) sits behind a known door number. Each check is given a fifth of a second.
- Tries to find the device's name. It first asks DNS for the name attached to the address, and if that comes back empty it falls back to the name the device announced over mDNS, then to its older Windows (NetBIOS) name.
- Gathers identifying clues from anything that answers: the title and server type of any web page it serves, the greeting text an SSH login returns, the name on its security certificate, its Windows name, and its SNMP description (a standard "what am I" line that network gear and printers report). It also notes the TTL, a small number attached to replies that hints at the device's operating system.
- Looks up who made the device from its hardware ID, and attaches the mDNS and SSDP details gathered back in Phase 1.
Only once all of that is collected does KillerScan decide what the device actually is, weighing every one of those clues together.
Ports probed
Rather than testing all 65,000 possible ports, KillerScan checks only the handful that genuinely tell you something about what a device is:
| Ports | What they suggest |
|---|---|
| 22, 23, 21 | SSH / Telnet / FTP: Linux hosts and network gear |
| 53 | DNS: resolvers, Pi-hole, routers |
| 80, 443, 8080, 8443 | HTTP / HTTPS admin pages and web interfaces |
| 139, 445 | NetBIOS / SMB: Windows PCs and NAS boxes |
| 3389, 2179 | RDP / Hyper-V: Windows workstations and hosts |
| 515, 631, 9100 | LPR / IPP / RAW: printers |
| 554 | RTSP: IP cameras |
| 1883, 8883 | MQTT: smart-home message brokers |
| 5357 | WSD: Web Services for Devices |
| 5000, 5001, 548 | Synology DSM / AFP: NAS boxes |
| 902, 8006 | VMware ESXi / Proxmox: hypervisors |
| 8123 | Home Assistant |
| 32400 | Plex media server |
| 161 | SNMP: managed switches, printers, network gear |
| 5353, 1900, 62078 | mDNS / SSDP / Apple device sync |
Vendor resolution
Every network device has a MAC address, a hardware ID built in by its maker. The first half of that ID is assigned to a specific manufacturer, so it is the strongest clue to who built the device. A plain lookup is not always enough on its own, so KillerScan works through a fixed set of rules and uses the first one that matches:
1. Brand overrides
Some makers register their address ranges with the IEEE (the body that hands them out) as "Private", or leave them unnamed, so an ordinary lookup returns nothing useful. KillerScan keeps a small table, maintained by hand, that maps those ranges to the real brand. Several Govee ranges are handled this way, for example, so the device shows the right name even when the official record will not.
2. Randomized MACs
Modern phones regularly invent a fake Wi-Fi address to protect your privacy (Apple calls this "Private Wi-Fi Address"; Android does much the same). These made-up addresses carry a marker showing they were not handed out by a real manufacturer. Rather than guess a brand from an address that only matches by coincidence, KillerScan simply labels the device (Randomized), which is the honest answer: the real maker is hidden.
3. Most-specific match first
The IEEE hands out address ranges in three sizes, and a small manufacturer can be given a slice of a larger range, sharing its opening digits with the bigger company that owns the parent range. To avoid crediting the wrong one, KillerScan always checks the smallest, most specific range first:
| Registry | Block size | Key length |
|---|---|---|
| MA-S | 36-bit | 9 hex digits |
| MA-M | 28-bit | 7 hex digits |
| MA-L | 24-bit | 6 hex digits |
A 9-digit match beats a 7-digit match, which beats a 6-digit match, so the smaller, more specific owner always wins over the larger company that holds the parent range.
Device classification
Working out what a device is uses a points system rather than a single rule. Every clue (its name, its maker, its open ports, the banners its services return, and the mDNS and SSDP details) adds points to the device types it fits, and the type with the highest score wins, as long as it clears a minimum. A few clues are so reliable that KillerScan acts on them straight away, before any scoring. The order is:
Gateway, DNS, and three honest labels
The device sitting at the gateway address is your router. Routers often pass along DNS traffic (port 53), which used to make them look like the DNS server even when they were not. KillerScan only calls the gateway Router/DNS when it really is the DNS server your computer is set to use. If DNS is handled by a separate machine, the gateway stays labelled Router and that machine is labelled DNS Server. That gives three honest labels instead of one wrong guess.
Weighted signals
The more specific a clue, the more points it is worth. Here is a rough guide:
| Strength | Example signals |
|---|---|
| 14-15 (near certain) | SSH banner says RouterOS; HTTP title says UniFi; SNMP says LaserJet; mDNS _googlecast (Smart TV) or _ipp (printer); port 8006 (Proxmox) |
| 8-12 (strong combo) | vendor is Synology + a NAS port; vendor is Hikvision (camera); SSDP SERVER says Roku or Plex; port 32400 (Plex) |
| 4-7 (supporting) | a printer port open; TTL in the Windows range with SMB; port 554 (camera); generic DNS + HTTP together |
| 1-3 (tie breaker) | a single web port open, suggesting "probably a web device" |
Some clues deliberately ignore the maker. Port 62078 (used to sync iPhones) counts toward iPhone no matter what the address says, so an iPhone hiding behind a randomized address is still spotted. Networking gear that gives no sign of being a specific router or switch is labelled Switch/AP.
When nothing scores
A device that is idle or locked down may answer at the hardware level and nothing else. Rather than give up, KillerScan makes its best honest guess, working down this list:
That rule about PC makers exists for a real situation: a small business desktop in modern standby still answers at the hardware level but refuses every incoming connection. Without the rule, the catch-all would label your Dell a smart-home gadget.
Privacy & footprint
Everything happens on your own machine. There is no account, no background agent, no cloud lookup, and no usage tracking. The vendor database is built into the app, so even manufacturer names are looked up offline. Nothing about your network ever leaves your computer.
The one thing you may notice the first time you scan is a Windows Firewall prompt. That is the mDNS and SSDP discovery asking to listen for replies, which it has to do in order to hear Chromecasts, printers, and similar devices. Allow it on private networks and you will not be asked again. Deny it and those two discovery methods simply find nothing, while the rest of the scan carries on as normal.
Vendor database
The full IEEE manufacturer list, roughly 57,000 entries across all three registries (MA-L, MA-M, and MA-S), ships inside the .exe, so manufacturer names appear instantly and without any internet connection.
You can update it to the latest data from inside the app. The About screen shows how many entries you have and when they were last refreshed, with a one-click update that downloads the newest list. The update is built so it can never leave you worse off: if a download is blocked or incomplete, a safety check refuses to replace your list with a smaller one, so an update can never wipe out or shrink what you already have.