IP use Tracking

Howdy, I would like to know if it is possible to get a history from either a machine, router, or DNS server of the use of a specific IP address? Someone in our group used an IP for not so ethical purposes and it would be nice to find out which machine had bound that IP. Is this possible?

TIA, Bill

-- bwillyerd

Walter, the vagueness is not intentional. As for the 'machine', it could be an XP Pro workstation, W2K server, or Win 2003 server. There are 1000 IPs in our subnet: 350 set to DHCP, the other 650 are used on developer workstations, devices, and servers. I do not have access to the routers or DNS, and there is limited access to a DHCP server.

-- bwillyerd

In article , wrote:
:I would like to know if it is possible to get a history from either a
:machine, router, or DNS server of the use of a specific IP address?
:Someone in our group used an IP for not so ethical purposes and it
:would be nice to find out which machine had bound that IP. Is this
:possible?

The question is too general to answer easily. You don't give us any information about what kind of 'machine' might be involved, nor about what kind of router it is or what kind of logging you have turned on, and in your reference to 'dns server' we can't tell whether you are hinting about DHCP or whether you were hoping to be able to find out which sites a particular IP client had done DNS lookups of. You also don't mention anything about firewall logs, nor about possibilities such as netflow logs.

If you have Windows machines, look through the Event Logs. If you find a machine which doesn't have an Event Log for that time period while the others do, you've found the machine.

On Unix machines, look through the system logs.

If DHCP was used... well, -I- wouldn't set up DHCP without turning on logging of the IPs and MAC addresses, but I've heard of a number of places that don't log DHCP allocations :(

-- Walter Roberson
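To show what the DHCP logging mentioned above buys an investigator, here is an added example (not from the thread or any product) that replays a lease log to answer "which host and MAC held this IP at this time?". The log lines are constructed sample data in the style of a Windows DHCP server audit log (ID, date, time, description, IP, host name, MAC); the event IDs 10/11/12 for assign/renew/release are assumed for the example.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the style of a Windows DHCP server audit log.
# Event IDs assumed here: 10 = new lease, 11 = renewal, 12 = release.
# Hosts, MACs and addresses are made up for the example.
SAMPLE_DHCP_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
10,03/12/05,08:02:11,Assign,10.1.5.77,devbox12.corp.example,0013A9B1C2D3
11,03/12/05,14:02:11,Renew,10.1.5.77,devbox12.corp.example,0013A9B1C2D3
12,03/12/05,17:30:00,Release,10.1.5.77,devbox12.corp.example,0013A9B1C2D3
10,03/12/05,17:45:09,Assign,10.1.5.77,laptop-qa3.corp.example,00A0C9FF0011
10,03/12/05,09:00:00,Assign,10.1.5.80,printer-2f.corp.example,00E0B8112233
"""

LEASE_EVENTS = {"10", "11"}   # a host gains or keeps the address
RELEASE_EVENTS = {"12"}       # the host gives the address back
TIME_FMT = "%m/%d/%y %H:%M:%S"

def parse_dhcp_log(text):
    """Return (timestamp, event_id, ip, host, mac) tuples sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], TIME_FMT)
        rows.append((ts, row["ID"], row["IP Address"],
                     row["Host Name"], row["MAC Address"]))
    rows.sort(key=lambda r: r[0])
    return rows

def lease_holder(text, ip, at):
    """Return (host, mac) holding `ip` at time `at`, or None.

    `at` is a datetime or a "MM/DD/YY HH:MM:SS" string. Lease and release
    events up to `at` are replayed in order. An address with no DHCP history
    (a statically configured developer box or server) yields None: the DHCP
    log simply has nothing to say about it.
    """
    if isinstance(at, str):
        at = datetime.strptime(at, TIME_FMT)
    holder = None
    for ts, event_id, row_ip, host, mac in parse_dhcp_log(text):
        if row_ip != ip or ts > at:
            continue
        if event_id in LEASE_EVENTS:
            holder = (host, mac)
        elif event_id in RELEASE_EVENTS:
            holder = None
    return holder

if __name__ == "__main__":
    print(lease_holder(SAMPLE_DHCP_LOG, "10.1.5.77", "03/12/05 15:00:00"))
```

The same replay over a real audit log only works if the timeframe in question is covered by retained logs and the address was actually handed out by DHCP, which is exactly why the logging has to be switched on in advance.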

In article , wrote:
:The vagueness is not intentional, as for the 'Machine' it could be
:an XP Pro workstation, W2K server, or Win 2003 server. There are 1000
:IPs in our subnet, 350 set to DHCP, the other 650 are used on
:developer workstations, devices, and servers. I do not have access to
:the routers, DNS, and there is limited access to a DHCP server

Pass the buck. Write to your supervisor indicating that you cannot do a meaningful investigation without access to the log files, and ask your supervisor to arrange increased access, or to re-assign the investigation to someone who has the appropriate access, or to cancel the investigation. Cc either your supervisor's supervisor or the person responsible for security.

You asked whether particular devices could give you information about IP usage. Some of them -might- be able to do so, but you have indicated that you don't have access to the information that they have on record, so the point of what they can or cannot tell you is moot.

Sorry, but considering your lack of access and the lack of details, it isn't clear what kind of answer you were hoping for.

If the question was essentially, "Is there a way [you] can get -your- desktop (i.e., one of the few things you have access to) to tell you exactly which other machine was using a particular IP address (possibly in a different subnet) during a particular timeframe?" then the answer is usually "Not without the network infrastructure having been configured in advance to have supplied the information to your desktop".

In fully switched networks, absent specific network infrastructure modifications, about the only information your desktop receives about what other machines are doing, is in the form of ARP queries that that machine issues, which your desktop will receive copies of if your desktop is in the same broadcast domain. ARP queries are *very* common in networking, and machines do not keep records of them unless they have been configured to do so. ARP queries do not pass router boundaries, and ARP queries do not pass VLAN boundaries. Also, anyone who was interested in deliberate intrusion can usually find ways to make ARP queries appear to be from a different IP address, or find ways to not use ARP queries at all.

-- Walter Roberson
