If you're managing a local network or exploring ethical network testing, it's helpful to know which devices are currently active. While traditional ARP-based scans work well, they can miss certain devices or fail in segmented networks. Instead, you can perform a TCP SYN scan on commonly used ports to identify active systems.
In this tutorial, we'll create a Python script that sends TCP SYN packets using Scapy and identifies which devices respond, revealing their IP address, open port, and, if possible, hostname.
Install the required libraries first:
```
pip install scapy netaddr
```

Python Code: TCP SYN Scanner for LAN
```python
import socket
from concurrent.futures import ThreadPoolExecutor

from netaddr import IPNetwork
from scapy.all import IP, TCP, send, sr1

COMMON_PORTS = [22, 80, 135, 139, 443, 445, 3389, 554]


def syn_scan(ip, port):
    """Send one SYN to ip:port and return True if it answers with SYN-ACK."""
    pkt = IP(dst=ip) / TCP(dport=port, flags="S")
    resp = sr1(pkt, timeout=1, verbose=0)
    if resp and resp.haslayer(TCP) and resp.getlayer(TCP).flags == 0x12:
        # RST to close; seq must match the ACK number the target sent back
        rst = IP(dst=ip) / TCP(dport=port, flags="R", seq=resp.getlayer(TCP).ack)
        send(rst, verbose=0)
        return True
    return False


def scan_ip(ip):
    """Probe the common ports in order and report the first open one."""
    for port in COMMON_PORTS:
        if syn_scan(ip, port):
            try:
                hostname = socket.gethostbyaddr(ip)[0]
            except OSError:  # no PTR record or resolver failure
                hostname = "Unknown"
            return {"ip": ip, "port": port, "hostname": hostname}
    return None


def scan_subnet(subnet):
    """Scan every host address in the subnet using a thread pool."""
    ip_list = [str(ip) for ip in IPNetwork(subnet).iter_hosts()]
    results = []
    with ThreadPoolExecutor(max_workers=100) as executor:
        for res in executor.map(scan_ip, ip_list):
            if res:
                results.append(res)
    return results


if __name__ == "__main__":
    # Scapy needs root/administrator privileges to send raw packets.
    subnet = "172.16.20.0/24"
    print(f"Scanning subnet {subnet} with common ports...\n")
    devices = scan_subnet(subnet)
    print("Detected devices (accepted TCP SYN):\n")
    for d in devices:
        print(f"- IP: {d['ip']} | Port: {d['port']} | Hostname: {d['hostname']}")
```
Iterates over all IPs in a subnet (e.g., 172.16.20.0/24)
Sends TCP SYN packets to a list of common ports
If the device replies with a SYN-ACK, it's considered alive and reachable
Optionally resolves the hostname using reverse DNS

ICMP ping (ping) is often blocked by firewalls
TCP SYN scans are less likely to be filtered and more accurate at detecting real application endpoints
Allows identifying which services/ports are open on a live host
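
The script above counts a host as alive only when it returns a SYN-ACK, but a RST from a closed port also proves the host is up, while silence can mean either a firewall or no host at all. The following is an added example, not part of the original script: it classifies recorded probe replies per host and exports them as JSON. The `(ip, port, flags)` record layout and all function names are assumptions, and the sample records are constructed.

```python
import ipaddress
import json

SYN, RST, ACK = 0x02, 0x04, 0x10


def classify_reply(flags):
    """Map the TCP flags of a probe reply (None = timeout) to a port state."""
    if flags is None:
        return "filtered"   # no answer: dropped by a firewall, or host is down
    if flags & RST:
        return "closed"     # RST: nothing listening, but the host answered
    if (flags & (SYN | ACK)) == (SYN | ACK):
        return "open"       # SYN-ACK, even with extra bits such as ECE set
    return "unknown"


def summarize(probes):
    """Group (ip, port, flags) probe records into one entry per host."""
    hosts = {}
    for ip, port, flags in probes:
        entry = hosts.setdefault(
            ip, {"ip": ip, "open": [], "closed": [], "filtered": []})
        state = classify_reply(flags)
        if state in entry:
            entry[state].append(port)
    for entry in hosts.values():
        # Any reply at all, SYN-ACK or RST, proves the host is up.
        entry["alive"] = bool(entry["open"] or entry["closed"])
        for key in ("open", "closed", "filtered"):
            entry[key].sort()
    # Sort numerically so .9 comes before .10
    return sorted(hosts.values(), key=lambda e: ipaddress.ip_address(e["ip"]))


def to_json(probes):
    return json.dumps(summarize(probes), indent=2)


# Constructed sample records (ip, port, reply flags); not real scan output.
SAMPLE_PROBES = [
    ("172.16.20.10", 22, 0x12),    # SYN-ACK
    ("172.16.20.10", 80, 0x14),    # RST-ACK
    ("172.16.20.9", 443, 0x14),    # only RSTs: alive, but no open port
    ("172.16.20.9", 22, 0x14),
    ("172.16.20.200", 22, None),   # silent
    ("172.16.20.10", 443, 0x52),   # SYN-ACK with ECE
]

if __name__ == "__main__":
    print(to_json(SAMPLE_PROBES))
```
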
Sample Output
Add OS fingerprinting using TTL or advanced techniques
Save results to CSV or JSON
Add support for MAC address detection via ARP
Run scans asynchronously or in chunks for large subnets
Legal Notice:
The script and techniques demonstrated in this article are intended solely for educational purposes, ethical network testing, and system administration.
Do not use this script to scan any network or device without explicit authorization. Unauthorized scanning may violate cybersecurity laws and result in legal consequences.
Always use such tools ethically and within the boundaries of the law.