In article , wrote:
:The vagueness is not intentional, as for the 'Machine' it could be
:an XP Pro workstation, W2K server, or Win 2003 server. There are 1000
:IP's in our subnet, 350 set to DHCP, the other 650 are used on
:developer workstations, devices, and servers. I do not have access to
:the routers, dns, and there is limited access to a dhcp server
Pass the buck. Write to your supervisor indicating that you cannot do a meaningful investigation without access to the log files, and ask your supervisor to arrange increased access or to re-assign the investigation to someone who has the appropriate access, or to cancel the investigation. Cc either your supervisor's supervisor or the person responsible for security.
You asked whether particular devices could give you information about IP usage. Some of them -might- be able to do so, but you have indicated that you don't have access to the information that they have on record, so the point of what they can or cannot tell you is moot.
Sorry, but considering your lack of access and the lack of details, it isn't clear what kind of answer you were hoping for.
If the question was essentially, "Is there a way [you] can get -your- desktop (i.e., one of the few things you have access to) to tell you exactly which other machine was using a particular IP address (possibly in a different subnet) during a particular timeframe?" then the answer is usually "Not without the network infrastructure having been configured in advance to have supplied the information to your desktop".
In fully switched networks, absent specific network infrastructure modifications, about the only information your desktop receives about what other machines are doing, is in the form of ARP queries that that machine issues, which your desktop will receive copies of if your desktop is in the same broadcast domain. ARP queries are *very* common in networking, and machines do not keep records of them unless they have been configured to do so. ARP queries do not pass router boundaries, and ARP queries do not pass VLAN boundaries. Also, anyone who was interested in deliberate intrusion can usually find ways to make ARP queries appear to be from a different IP address, or find ways to not use ARP queries at all.
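As an added illustration, not part of the original post: a sketch of what "configured to keep records" of ARP queries could look like on a desktop, parsing Ethernet frames and logging which MAC claimed which IP at what time. The function names and sample frames are constructed for this example, the capture step itself is left out, and the sender fields are self-reported, so the log is only as trustworthy as the hosts on the broadcast domain.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806

def parse_arp(frame):
    """Return (op, sender_mac, sender_ip, target_ip) or None if not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None  # too short, or not ARP (VLAN-tagged frames are skipped too)
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    dotted = lambda b: ".".join(str(x) for x in b)
    return op, sha.hex(":"), dotted(spa), dotted(tpa)

def build_log(samples):
    """Map sender IP -> list of (timestamp, sender MAC) sightings."""
    log = defaultdict(list)
    for ts, frame in samples:
        arp = parse_arp(frame)
        if arp and arp[2] != "0.0.0.0":  # skip ARP probes with no sender IP yet
            log[arp[2]].append((ts, arp[1]))
    return log

def macs_for(log, ip, start, end):
    """MACs that claimed `ip` in ARP traffic seen between start and end."""
    return sorted({mac for ts, mac in log.get(ip, []) if start <= ts <= end})

def build_request(src_mac, src_ip, dst_ip):
    """Construct a broadcast ARP request frame (test input only)."""
    mac = bytes.fromhex(src_mac.replace(":", ""))
    ip = lambda s: bytes(int(p) for p in s.split("."))
    eth = b"\xff" * 6 + mac + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
    return eth + arp + mac + ip(src_ip) + b"\x00" * 6 + ip(dst_ip)

# Constructed sample: (capture time in seconds, frame). Not real traffic.
SAMPLE = [
    (1000.0, build_request("00:11:22:33:44:55", "192.0.2.10", "192.0.2.1")),
    (1600.0, build_request("00:11:22:33:44:66", "192.0.2.10", "192.0.2.1")),
    (1700.0, build_request("00:11:22:33:44:77", "192.0.2.20", "192.0.2.1")),
    (1800.0, b"\x00" * 60),  # non-ARP frame, ignored
]

if __name__ == "__main__":
    log = build_log(SAMPLE)
    print(macs_for(log, "192.0.2.10", 900, 2000))
```

Two different MACs for one IP inside the window, as in the sample, means the log alone cannot say which machine held the address; it only narrows the candidates for follow-up against DHCP or switch records.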