At wit's end....(can't find dhcp leases)

Brian Johnson voyager.106 at gmail.com
Fri Sep 14 14:38:13 UTC 2007


Thank you to the two people who've responded. I appreciate your taking the time.

I'd actually started writing the email a few days ago and didn't get
to finish it till this morning, as I waited for my English Muffin to
toast. In doing so, I actually left out an important detail I'd
initially meant to include.

As was mentioned in the below email, we use our logs quite a bit for
finding information on ip addresses. We keep approximately 2 weeks
worth of logs. The problem we're having is, we have neither lease NOR
log information on some ip addresses at a given time they're
supposedly on the network. For example, we might be told that an ip
address 10.1.1.100 was doing something bad on 09/13/2007 17:00:00 EDT.
Then we go looking in the leases file and find out that the closest
lease for that ip address on that day ended at 19:45:00 GMT (15:45:00
EDT) and the next lease for it didn't start until 22:30:00 GMT
(18:30:00 EDT). So, given the lack of valid lease information for that
ip address at that time, we will then go to the log files to see what
we can find. Oftentimes we can find dhcpacks for the user prior to
the timestamp of the infraction, and dhcpacks for the user after the
infraction, which gives reason to believe the person had the ip
address at the time of the infraction, but leaves reasonable doubt.
Obviously, if we accuse someone of wrongdoing, we need to make sure
that all of our ducks are in a row and we should be able to show exactly
why we believe what we do....

Brian

Looking in the log files, we're seeing information consistent with
what we're seeing in the leases file --

On 9/14/07, Bruce Hudson <Bruce.Hudson at dal.ca> wrote:
>
> > My problem is this, and it's driving me crazy. Occasionally, we have
> > reason to go back and identify the mac address of a particular ip
> > address at a specific time. The obvious place to find this information
> > is in the leases file. However, it seems more and more often, we're
> > unable to find a lease for a particular ip address at the given time.
> > So, my question is twofold -- is anyone else seeing this particular
> > issue? And if so, are there any ideas why we might be seeing it? I
> > have some theories, but can't find anything on the internet to support
> > them.
>
>     The lease file only holds the information the server needs to do its
> job consistently across program restarts. It records active leases and it
> remembers the last IP address given to each identifier so that the server
> can give clients a consistent address if possible but this information is
> lost as soon as somebody else is given that address.
>
>     In addition, because the lease file is a text file with an "append
> and periodic rewrite", it does contain short-term historical information
> until it's rewritten.
>
>     We, as I suspect most people do, scrape historical information out
> of the log files and store it.
> --
> Bruce A. Hudson                         | Bruce.Hudson at Dal.CA
> UCIS, Networks and Systems              |
> Dalhousie University                    |
> Halifax, Nova Scotia, Canada            | (902) 494-3405
>
>


-- 
Brian Johnson
"And I will be even more undignified than this, and will be humble in
my own sight." (2 Samuel 6:22)
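
Added example, not part of the original message and not ISC code: a sketch of the log-scraping approach discussed in this thread, which pulls DHCPACK events out of syslog and reports whether an acknowledged lease actually spans a given time or whether the time falls in a gap between ACKs to the same MAC. The log lines, host name, MAC addresses and the one-hour lease length are constructed assumptions; syslog timestamps carry no year, so the caller supplies it.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines in ISC dhcpd's DHCPACK format (times in GMT).
SAMPLE_LOG = """\
Sep 13 18:45:00 dhcp1 dhcpd: DHCPACK on 10.1.1.100 to 00:16:3e:aa:bb:01 via eth0
Sep 13 19:10:12 dhcp1 dhcpd: DHCPACK on 10.1.1.101 to 00:16:3e:aa:bb:02 (laptop7) via eth0
Sep 13 22:30:00 dhcp1 dhcpd: DHCPACK on 10.1.1.100 to 00:16:3e:aa:bb:01 via eth0
"""

ACK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dhcpd(?:\[\d+\])?: "
    r"DHCPACK on (\S+) to ([0-9a-fA-F:]{17})")

def parse_acks(text, year):
    """Return sorted (time, ip, mac) tuples; syslog omits the year, so it is passed in."""
    acks = []
    for line in text.splitlines():
        m = ACK_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            acks.append((ts, m.group(2), m.group(3).lower()))
    return sorted(acks)

def holder_at(acks, ip, when, lease):
    """Classify who held `ip` at `when`, given an assumed lease length."""
    before = [a for a in acks if a[1] == ip and a[0] <= when]
    after = [a for a in acks if a[1] == ip and a[0] > when]
    prev = before[-1] if before else None
    nxt = after[0] if after else None
    if prev and when < prev[0] + lease:
        return ("covered", prev[2])       # an ACK's lease window spans the time
    if prev and nxt and prev[2] == nxt[2]:
        return ("gap-same-mac", prev[2])  # suggestive only: no lease spans the time
    return ("unknown", None)

if __name__ == "__main__":
    acks = parse_acks(SAMPLE_LOG, 2007)
    # 21:00 GMT is 17:00 EDT, the time of the reported activity in the message.
    print(holder_at(acks, "10.1.1.100", datetime(2007, 9, 13, 21, 0), timedelta(hours=1)))
```

A "gap-same-mac" result is the situation described in the message: the same client was acknowledged before and after, but no logged lease covers the time in question, so other records (switch or ARP data, for instance) are needed to close the gap.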

