Splunk Lantern

Machine leasing an IP address at a particular time

In a DHCP-enabled environment an IP address is only a temporary identifier: the same address is leased to different hosts over time, so traffic seen from a particular IP cannot be attributed to a machine without knowing who held the lease at that moment. This procedure reconciles an IP address to the host (by MAC address) that held its lease at a given point in time. You might do this when:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

  • Splunk Enterprise or Splunk Cloud Platform
  • DHCP data

In addition, this search requires consistent, normalized data provided by the Common Information Model (CIM); specifically, your DHCP data must be mapped to the Network Sessions data model (the Network_Sessions data model's DHCP dataset). For information on installing and using the CIM, see the Common Information Model documentation.

Example

You have the IP address 10.11.36.36 and you need to identify the MAC address of the machine that held the lease on January 2nd, 2010 at 9:45AM.

The time range is part of the logic of this search, not just an optimization: the search relies on the time picker to exclude any lease that started after the moment you are investigating, and on the default newest-first ordering of events to return the most recent lease start before that moment. Restricting the range to a window shortly before the time of interest (for example, one or two lease durations) also keeps the search fast.

  1. Set the search time range to 'Before' January 2nd, 2010 at 9:45AM, so that no events after that time are considered.
  2. Run the following search:
|datamodel Network_Sessions DHCP search
|search All_Sessions.tag=start All_Sessions.dest_ip=10.11.36.36 
|head 1 
|table All_Sessions.dest_mac 

Search explanation

Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.


|datamodel Network_Sessions DHCP search

Search all the DHCP data mapped to the Network_Sessions data model.

|search All_Sessions.tag=start All_Sessions.dest_ip=10.11.36.36 

Narrow the search to only 'session start' (lease assignment) events for the IP address we are investigating, 10.11.36.36. In the Network Sessions data model the leased address is dest_ip and the client that received it is dest_mac.

|head 1 

Limit the output to the first event returned. Because search results are returned newest-first, this is the most recent lease start before the end of the time range, that is, the lease that was in effect at 9:45AM.

|table All_Sessions.dest_mac 

Display the dest_mac field of that event as a table.
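As an added example (not part of the original Splunk Lantern article), the following variant makes the time bound explicit in the search, forces the newest-first ordering that head 1 depends on, and also considers lease end events, so that an address that was released or expired before 9:45AM is not attributed to its previous holder. Field names follow the CIM Network Sessions data model; the tag values start and end and the presence of the lease_duration field depend on the DHCP add-on you use, so verify them against your own data before relying on the result.

```spl
| datamodel Network_Sessions DHCP search
| search All_Sessions.dest_ip=10.11.36.36 (All_Sessions.tag=start OR All_Sessions.tag=end)
| where _time <= strptime("2010-01-02 09:45:00", "%Y-%m-%d %H:%M:%S")
| sort - _time
| head 1
| eval lease_state=if(isnotnull(mvfind('All_Sessions.tag', "^start$")), "active", "released or expired")
| eval lease_expired=if(lease_state=="active" AND isnotnull('All_Sessions.lease_duration') AND _time + tonumber('All_Sessions.lease_duration') < strptime("2010-01-02 09:45:00", "%Y-%m-%d %H:%M:%S"), "yes", "no")
| eval event_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table event_time lease_state lease_expired All_Sessions.dest_mac All_Sessions.dest_nt_host All_Sessions.user
```

Line by line: the second search keeps both lease start and lease end events for the address; the where clause drops anything after the time of interest regardless of the time picker (still set the picker to a bounded window for performance); sort and head 1 select the latest remaining event; the first eval reports whether that event was a start (the MAC shown held the lease) or an end (the address was unassigned at 9:45AM, and the MAC shown is the previous holder); the second eval flags a start whose lease duration ran out before 9:45AM with no renewal seen, which means the assignment should be treated as uncertain rather than as proof of which host was using the address.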

Result

This search returns a MAC address that identifies the machine that was leasing the IP address at the specified time. After you have identified the MAC address, these are some possible next steps:

  • If the user is identifiable based on the MAC address, communicate with the user. 
  • If the user is not identifiable by the MAC address, investigate the MAC address to determine who owns it.  