You might need to discover traffic coming from a particular IP address if you work in a DHCP enabled environment. This procedure allows you to reconcile an IP address to a particular host when IP addresses do not belong to a particular machine.
In addition, this search requires the use of consistent, normalized data provided by the Common Information Model (CIM). This search requires the Network Sessions data model. For information on installing and using the CIM, see the Common Information Model documentation.
- Gather the inputs. For example, you might have the IP Address 10.11.36.36 and need to identify the MAC address of the machine that held the lease on January 2nd, 2010 at 9:45AM.
- Set the search time range to ‘Before’ January 2nd, 2010 at 9:45AM.
- Run the following search.
|datamodel Network_Sessions DHCP search |search All_Sessions.tag=start All_Sessions.dest_ip=10.11.36.36 |head 1 |table All_Sessions.dest_mac
Here is an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
|datamodel Network_Sessions DHCP search
Search all the DHCP data mapped to the Network_Sessions data model.
|search All_Sessions.tag=start All_Sessions.dest_ip=10.11.36.36
Narrow the search to look for only ‘session start’ events related to the IP address we are investigating, 10.11.36.36.
Limit the data returned to the first result.
Display the MAC address from the event in
This search returns a MAC address that identifies the machine that was leasing the IP address at the specified time. After you have identified the MAC address, these are some possible next steps:
- If the user is identifiable based on the MAC address, communicate with the user.
- If the user is not identifiable by the MAC address, investigate the MAC address to determine who owns it.
Finally, you might be interested in other processes associated with the Processing DMCA notices use case.