Fri, 23 Jun 2017 15:22:09 -0500 Vijay Sankar <vsan...@foretell.ca>
> Early this morning I sent a private message to the OP to understand
> why he was asking this question. It looked from his reply that the
> objective was to find whether someone had entered the same IP address
> on different workstations and accessed some unauthorized site.

Hi Vijay,

You could also ask Indunil why he was asking this kind of question
here? This is one matter of local policy and technical realisation on
premise. For the time being we could presume from the scarce
information provided that the person asking has not done their
homework in all areas related.

How can OpenBSD help him advance from the position of the original
post? By providing the advice to friendly approach the person and
advise them. Software solutions can help as much as procedure &
practice are working. Before going for a technical upgrade make sure
you have solved policies.

Why does this matter at all? Because he can influence the policy
making process there and help him get his fellow off the hook,
optionally win a friend to whom he could show OpenBSD ways to achieve
some goal together.

Kind regards,
Anton Lazarov

> Not sure if the following is a good suggestion but I thought if he
> looked at /var/log/messages on his firewall he may be able to see
> stuff such as:
>
> Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by
> 58:55:ca:43:83:91 on em0
>
> Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by
> 00:f7:6f:d4:3d:b6 on em0
>
> etc. and correlate back.
>
> Vijay
>
> Sent from my iPhone
>
> >> On Jun 23, 2017, at 06:47, Stuart Henderson <s...@spacehopper.org>
> >> wrote:
> >>
> >> On 2017-06-23, Indunil Jayasooriya <induni...@gmail.com> wrote:
> >> Is there any way to get a MAC address of a PC that was connected
> >> to OpenBSD PF box but now it is NOT connected to.
> >
> > If the PF box was serving DHCP and the PC fetched its address that
> > way, it will likely still be in the lease
> > database, /var/db/dhcpd.leases.
> >
> > If this is something which might come up again in the future, you
> > can run arpwatch (in ports), but it's no time machine.
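
The correlation suggested in the quoted message above, sketched as an added example that is not part of the original thread: it reads syslog lines in the "arp info overwritten" format quoted there and reports every IP address that more than one MAC address has claimed. The function names and the sample log (beyond the two quoted lines) are constructed for illustration.

```python
import re
from collections import defaultdict

# Pattern follows the two kernel messages quoted in the thread.
ARP_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s/bsd:\s"
    r"arp info overwritten for (?P<ip>\d+(?:\.\d+){3}) "
    r"by (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) on (?P<iface>\S+)$",
    re.IGNORECASE,
)

# Constructed sample input: the first two lines are the ones quoted in the
# thread; the remaining lines are made up for this example.
SAMPLE_LOG = """\
Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 58:55:ca:43:83:91 on em0
Jun 23 01:53:12 fw1 /bsd: arp info overwritten for 10.20.0.216 by 00:f7:6f:d4:3d:b6 on em0
Jun 23 02:10:40 fw1 /bsd: arp info overwritten for 10.20.0.216 by 58:55:ca:43:83:91 on em0
Jun 23 02:11:05 fw1 sshd[4021]: Accepted publickey for admin from 10.20.0.5
Jun 23 03:00:00 fw1 /bsd: arp info overwritten for 10.20.0.77 by 02:00:00:aa:bb:01 on em1
"""


def collect_overwrites(lines):
    """Map each IP to {mac: [(timestamp, iface), ...]} from overwrite messages."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in lines:
        m = ARP_RE.match(line.strip())
        if m:  # unrelated syslog lines are skipped
            seen[m["ip"]][m["mac"].lower()].append((m["ts"], m["iface"]))
    return seen


def contested_ips(seen):
    """Return IPs claimed by more than one MAC: {ip: {mac: (first, last, count)}}."""
    report = {}
    for ip, macs in seen.items():
        if len(macs) > 1:
            report[ip] = {mac: (hits[0][0], hits[-1][0], len(hits))
                          for mac, hits in macs.items()}
    return report


if __name__ == "__main__":
    found = contested_ips(collect_overwrites(SAMPLE_LOG.splitlines()))
    for ip, macs in found.items():
        print(ip)
        for mac, (first, last, count) in sorted(macs.items()):
            print(f"  {mac}  first={first}  last={last}  count={count}")
```

Syslog timestamps carry no year, so keep track of which log file each line came from when working through rotated copies. The MAC addresses it reports can then be looked up in /var/db/dhcpd.leases, as suggested earlier in the thread.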