There are a ton of PEN testing tools, mostly on Linux. Run through the DHCP table at all the devices on your network, pull the MAC addresses. Everything that is a "computer" NIC and not a phone etc gets PEN tested. If that NIC shows up as something that should not be on the LAN network, say a switch, we can locate it to within 6-12 seats and deal with it. NIC MAC Addresses are allocated based on manufacturer and can be cross refrenced and isolated. One of the fun things is that if you see a PC running bittorrent traffic, you route that traffic to a bit bucket and wait for the 'victim' to come up and say his network is not working. Then we get to politely tell them to stop torrenting shit on our LAN. The amazing thing is that once people know they are being watched, the behavior gets better. This is also, as an aside, why indiscriminate surveillance is bad and why I am against it. I've been in the position of overseerer, and have to force myself to deal with the impact on my person. If I get a bit power trippy over a LAN, imagine what someone with life and death powers can do and feel.