IP use Tracking

Discussion in 'Cisco' started by bwillyerd@dshs.wa.gov, Jul 15, 2005.

  1. Guest

    Howdy,
    I would like to know if it is possible to get a history from either a
    machine, router, or dns server of the use of a specific IP address?
    Someone in our group used an IP for not so ethical purposes and it
    would be nice to find out which machine had bound that IP. Is this
    possible?

    TIA,
    Bill
     
    , Jul 15, 2005
    #1

  2. In article <>,
    <> wrote:
    :I would like to know if it is possible to get a history from either a
    :machine, router, or dns server of the use of a specific IP address?
    :Someone in our group used an IP for not so ethical purposes and it
    :would be nice to find out which machine had bound that IP. Is this
    :possible?

    The question is too general to answer easily. You don't give
    us any information about what kind of 'machine' might be involved,
    nor about what kind of router it is or what kind of logging you
    have turned on, and in your reference to 'dns server' we can't
    tell whether you are hinting about DHCP or whether you were hoping
    to be able to find out which sites a particular IP client had done
    DNS lookups of. You also don't mention anything about firewall
    logs, nor about possibilities such as netflow logs.

    If you have Windows machines, look through the Event Logs. If you
    find a machine which doesn't have an Event Log for that time period
    while the others do, you've found the machine.

    On Unix machines, look through the system logs.

    If DHCP was used... well, -I- wouldn't set up DHCP without turning
    on logging of the IPs and MAC addresses, but I've heard of a number
    of places that don't log DHCP allocations :(

    --
    "Never install telephone wiring during a lightning storm." -- Linksys
     
    Walter Roberson, Jul 15, 2005
    #2

  3. Guest

    Walter,
    The vagueness is not intentional. As for the 'Machine', it could be
    an XP Pro workstation, W2K server, or Win 2003 server. There are 1000
    IPs in our subnet, 350 set to DHCP, the other 650 are used on
    developer workstations, devices, and servers. I do not have access to
    the routers, dns, and there is limited access to a dhcp server.
     
    , Jul 15, 2005
    #3
  4. In article <>,
    <> wrote:
    :The vagueness is not intentional. As for the 'Machine', it could be
    :an XP Pro workstation, W2K server, or Win 2003 server. There are 1000
    :IPs in our subnet, 350 set to DHCP, the other 650 are used on
    :developer workstations, devices, and servers. I do not have access to
    :the routers, dns, and there is limited access to a dhcp server.

    Pass the buck. Write to your supervisor indicating that you cannot do a
    meaningful investigation without access to the log files, and ask
    your supervisor to arrange increased access or to re-assign
    the investigation to someone who has the appropriate access, or
    to cancel the investigation. Cc either your supervisor's supervisor
    or the person responsible for security.

    You asked whether particular devices could give you information
    about IP usage. Some of them -might- be able to do so, but you
    have indicated that you don't have access to the information
    that they have on record, so the point of what they can or cannot
    tell you is moot.


    Sorry, but considering your lack of access and the lack of details,
    it isn't clear what kind of answer you were hoping for.

    If the question was essentially, "Is there a way [you] can get -your-
    desktop (i.e., one of the few things you have access to) to tell you
    exactly which other machine was using a particular IP address (possibly
    in a different subnet) during a particular timeframe?" then the answer
    is usually "Not without the network infrastructure having been
    configured in advance to have supplied the information to your
    desktop".

    In fully switched networks, absent specific network infrastructure
    modifications, about the only information your desktop receives about
    what other machines are doing, is in the form of ARP queries that that
    machine issues, which your desktop will receive copies of if your
    desktop is in the same broadcast domain. ARP queries are *very* common
    in networking, and machines do not keep records of them unless they
    have been configured to do so. ARP queries do not pass router
    boundaries, and ARP queries do not pass VLAN boundaries. Also,
    anyone who was interested in deliberate intrusion can usually find
    ways to make ARP queries appear to be from a different IP address,
    or find ways to not use ARP queries at all.
    --
    "Never install telephone wiring during a lightning storm." -- Linksys
     
    Walter Roberson, Jul 16, 2005
    #4
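
Added example, not part of the thread: post #4 notes that a desktop only sees other machines' ARP queries within its own broadcast domain and that nothing records them unless configured to. The Python sketch below shows what such a recorder would keep: it parses raw Ethernet/ARP frames, builds a per-IP history of which MAC claimed the address and when, and flags two signs of a forged sender field. The function names, the warning strings and the sample frames are all constructed for illustration.

```python
from collections import defaultdict

ARP_IPV4_HDR = b"\x08\x06\x00\x01\x08\x00\x06\x04"  # ethertype ARP, Ethernet, IPv4, sizes 6/4

def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_str(b): return ".".join(map(str, b))

def parse_arp(frame):
    """Return (eth source MAC, ARP sender MAC, ARP sender IP), or None if not IPv4 ARP."""
    if len(frame) < 42 or frame[12:20] != ARP_IPV4_HDR:
        return None
    return mac_str(frame[6:12]), mac_str(frame[22:28]), ip_str(frame[28:32])

def build_history(capture):
    """capture: iterable of (timestamp, frame) in time order.
    Returns ({ip: [[mac, first_seen, last_seen], ...]}, warnings)."""
    history, warnings = defaultdict(list), []
    for ts, frame in capture:
        arp = parse_arp(frame)
        if arp is None or arp[2] == "0.0.0.0":   # not ARP, or an ARP probe with no sender IP
            continue
        eth_src, sha, spa = arp
        if eth_src != sha:                       # one sign of a forged sender field
            warnings.append((ts, "eth/ARP sender MAC mismatch", spa))
        runs = history[spa]
        if runs and runs[-1][0] == sha:
            runs[-1][2] = ts                     # same MAC still claiming this IP
        else:
            if runs:
                warnings.append((ts, "IP moved to a different MAC", spa))
            runs.append([sha, ts, ts])
    return dict(history), warnings

def who_had(history, ip, ts):
    """MACs whose observed interval for `ip` covers timestamp `ts`."""
    return [mac for mac, first, last in history.get(ip, []) if first <= ts <= last]

def make_arp(eth_src, sha, spa):
    """Build a constructed ARP request frame (sample data only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(map(int, s.split(".")))
    return (b"\xff" * 6 + mac(eth_src) + ARP_IPV4_HDR + b"\x00\x01"
            + mac(sha) + ip(spa) + b"\x00" * 6 + ip("10.1.1.1"))

# Constructed capture of (epoch seconds, frame); all addresses are made up.
A, B = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"
SAMPLE = [(1000, make_arp(A, A, "10.1.1.50")), (1600, make_arp(A, A, "10.1.1.50")),
          (5000, make_arp(B, B, "10.1.1.50")), (5300, make_arp(B, B, "10.1.1.50")),
          (6000, make_arp(B, A, "10.1.1.77"))]   # eth source B, ARP sender field says A
```

An interval here only spans the first and last ARP frame seen from a MAC for that IP, so an empty answer from `who_had` means "nothing observed", not "nobody used it". The recorded MAC is also only what the frame claimed, which is why the mismatch and move warnings are kept alongside the history.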