Solved

How to know whether the IP configuration of a Windows machine is static or dynamic in an AD environment by analysing the network traffic

Posted on 2015-01-14
Last Modified: 2015-02-01
Hi,
I have a requirement to find out the Windows machines which have static IP configuration instead of DHCP by doing network packet analysis (by using the Microsoft Netmon tool). There are thousands of client machines.
I need to know how I can get the list of machines which have a static IP by doing protocol traffic analysis through the tool MS Netmon.
0
 
LVL 37

Accepted Solution

by:
Neil Russell earned 250 total points
Network traffic does not tell you whether you have a static or DHCP address.

You would be far better off just doing a script to look at the NIC configuration of each machine on your network remotely.

Of course your DHCP server can tell you all of the IP addresses it has issued and are in use.
0
 

Author Comment

by:Bedanta Shanker Mishra
Hi Neilsr,
Thanks for the reply. Yes, I agree, from the DHCP server lease log we can get the details of free and used IPs from the pool. But for thousands of machines it is obviously a tedious and time-consuming task. From packet analysis, by filtering and extracting the DHCP packets, we can find out the list of clients which are using dynamic IPs. However, the script part is a better option. Do you have such a script? That will really help. I think a PS script will be a good one.
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
For static IP addresses overlapping with the DHCP pool you get special entries in the lease table, as those are getting blocked by the DHCP server.
A list of AD computers minus DHCP lease computers should get you those machines potentially being static. I would then go and apply the aforementioned script to only those.
On the other hand, running a login script collecting IP info is a common approach.
0
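
Qlemo's approach above (AD computers minus DHCP lease holders, then the adapter check on only those), written out as an added example that is not part of the original thread. It assumes the ActiveDirectory and DhcpServer RSAT modules (Windows Server 2012 or later), uses the placeholder server name `dhcp01.example.test` and hypothetical output file names, and assumes the server's bad-lease records correspond to the "special entries" the post mentions.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory and DhcpServer
# RSAT modules; 'dhcp01.example.test' is a placeholder DHCP server name.
Import-Module ActiveDirectory, DhcpServer
$DhcpServer = 'dhcp01.example.test'

# 1. Host names that hold a lease the server currently reports, across all IPv4 scopes.
$scopes = Get-DhcpServerv4Scope -ComputerName $DhcpServer
$leased = @{}
foreach ($scope in $scopes) {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $scope.ScopeId |
        Where-Object { $_.HostName } |
        ForEach-Object {
            # Leases carry an FQDN or a bare name; compare on the short name.
            $short = ($_.HostName -split '\.')[0].ToUpperInvariant()
            $leased[$short] = $_.IPAddress
        }
}

# 2. AD computers minus lease holders = machines that are potentially static.
$candidates = Get-ADComputer -Filter 'Enabled -eq $true' |
    Where-Object { -not $leased.ContainsKey($_.Name.ToUpperInvariant()) }

# 3. Confirm each candidate on the adapter itself; unreachable hosts stay
#    in the report with empty fields so they can be re-checked later.
$report = foreach ($c in $candidates) {
    $nics = $null
    if (Test-Connection -Quiet -Count 1 -ComputerName $c.Name) {
        $nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration `
            -Filter 'IPEnabled=TRUE' -ComputerName $c.Name -ErrorAction SilentlyContinue
    }
    if ($nics) {
        foreach ($nic in $nics) {
            New-Object PSObject -Property @{
                ComputerName = $c.Name
                DHCPEnabled  = $nic.DHCPEnabled
                IPAddress    = $nic.IPAddress -join ','
            }
        }
    } else {
        New-Object PSObject -Property @{
            ComputerName = $c.Name; DHCPEnabled = $null; IPAddress = $null
        }
    }
}
$report | Select-Object ComputerName, DHCPEnabled, IPAddress |
    Export-Csv -NoTypeInformation StaticCandidates.csv

# 4. Pool addresses the DHCP server has marked bad, which points at a host
#    using an address from the pool without a lease.
$scopes | ForEach-Object {
    Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $_.ScopeId -BadLeases
} | Select-Object IPAddress, ScopeId, AddressState |
    Export-Csv -NoTypeInformation DhcpBadLeases.csv
```

A computer missing from the lease table is only a candidate: it may be powered off or on a segment served by another DHCP server, which is why step 3 reads `DHCPEnabled` from the adapter before the host is reported as static.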
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 250 total points
I'm off out in a bit but in essence what you want is starting with this...
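# Query the IP-enabled network adapters of every computer account in AD
$Computers = Get-ADComputer -Filter *
foreach ($Computer in $Computers)
{
    # DHCPEnabled in the output is False for statically configured adapters
    $wmiInfo = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" -ComputerName $Computer.Name -ErrorAction SilentlyContinue
    $wmiInfo
}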


If you run that and observe its output, that will hopefully guide you in how to get what you want. Or Qlemo can elaborate for you.
0
 

Author Comment

by:Bedanta Shanker Mishra
Thanks a lot Neilsr. Let me check out the script in my lab. I will post the output soon.

Thank you Qlemo.

Cheers :)
0
 

Author Comment

by:Bedanta Shanker Mishra
Neilsr,

I ran the above script on my lab DC. Below are my observations.

PS C:\Users\Administrator\Desktop> Get-ADComputer -Filter *


DistinguishedName : CN=cloudflexweb-PDC,OU=Domain Controllers,DC=logon,DC=ds,DC=cloudflexweb,DC=com
DNSHostName       : cloudflexweb-PDC.logon.ds.cloudflexweb.com
Enabled           : True
Name              : cloudflexweb-PDC
ObjectClass       : computer
ObjectGUID        : b7f5aa73-3c1b-4eca-952e-0d78ccb478c2
SamAccountName    : cloudflexweb-PDC$
SID               : S-1-5-21-1648877103-3137164350-3771869934-1000
UserPrincipalName :

DistinguishedName : CN=cloudflexwebCAP-CLIENTXP,CN=Computers,DC=logon,DC=ds,DC=cloudflexweb,DC=com
DNSHostName       : cloudflexwebCAP-ClientXP.logon.ds.cloudflexweb.com
Enabled           : True
Name              : cloudflexwebCAP-CLIENTXP
ObjectClass       : computer
ObjectGUID        : 4190af3a-0e1a-482b-af78-c029c9d8fda5
SamAccountName    : cloudflexwebCAP-CLIENTXP$
SID               : S-1-5-21-1648877103-3137164350-3771869934-1103
UserPrincipalName :

DistinguishedName : CN=cloudflexwebCAPCLIENTWIN8,CN=Computers,DC=logon,DC=ds,DC=cloudflexweb,DC=com
DNSHostName       : cloudflexwebCAPCLIENTWIN8.logon.ds.cloudflexweb.com
Enabled           : True
Name              : cloudflexwebCAPCLIENTWIN8
ObjectClass       : computer
ObjectGUID        : 97503804-0501-45a3-863e-d883d5b16b79
SamAccountName    : cloudflexwebCAPCLIENTWIN8$
SID               : S-1-5-21-1648877103-3137164350-3771869934-1109
UserPrincipalName :

DistinguishedName : CN=cloudflexweb-DB,CN=Computers,DC=logon,DC=ds,DC=cloudflexweb,DC=com
DNSHostName       : cloudflexweb-DB.logon.ds.cloudflexweb.com
Enabled           : True
Name              : cloudflexweb-DB
ObjectClass       : computer
ObjectGUID        : 84d04bbd-f6f1-48fb-9af9-519d9ec79cd3
SamAccountName    : cloudflexweb-DB$
SID               : S-1-5-21-1648877103-3137164350-3771869934-1110
UserPrincipalName :

DistinguishedName : CN=THEHACKER-HP,CN=Computers,DC=logon,DC=ds,DC=cloudflexweb,DC=com
DNSHostName       : THEHACKER-HP.logon.ds.cloudflexweb.com
Enabled           : True
Name              : THEHACKER-HP
ObjectClass       : computer
ObjectGUID        : 3b133b26-2f4a-4803-b5cf-d9ddb800fc41
SamAccountName    : THEHACKER-HP$
SID               : S-1-5-21-1648877103-3137164350-3771869934-1112
UserPrincipalName :


After using your code with ps1 script :

PS C:\Users\Administrator\Desktop> .\StaticIP_Fetch.ps1


DHCPEnabled      : False
IPAddress        : {192.168.43.243, fe80::711e:9752:fbd2:7ee4}
DefaultIPGateway : {192.168.43.85}
DNSDomain        :
ServiceName      : E1G60
Description      : Intel(R) PRO/1000 MT Network Connection
Index            : 7

DHCPEnabled      : True
IPAddress        : {192.168.43.85, fe80::5d3:1bcd:f408:2bd7}
DefaultIPGateway : {192.168.43.1}
DNSDomain        :
ServiceName      : E1G60
Description      : Intel(R) PRO/1000 MT Network Connection #2
Index            : 10

DHCPEnabled      : False
IPAddress        : {192.168.43.244, fe80::f8a0:336:8302:a677}
DefaultIPGateway : {192.168.43.250, 192.168.43.85}
DNSDomain        :
ServiceName      : E1G60
Description      : Intel(R) PRO/1000 MT Network Connection #3
Index            : 13

DHCPEnabled      : True
IPAddress        : {192.168.43.201}
DefaultIPGateway : {192.168.43.243}
DNSDomain        : logon.ds.ge.com
ServiceName      : VMXNET
Description      : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Index            : 1

DHCPEnabled      : True
IPAddress        : {0.0.0.0}
DefaultIPGateway :
DNSDomain        :
ServiceName      : BthPan
Description      : Bluetooth Device (Personal Area Network)
Index            : 11


The top three NIC configurations are for the DC itself and the 4th one is for an XP client machine. Looks fine :). For a large number of machines it will be better to format this output by keeping these 7 objects [DHCPEnabled, IPAddress, DefaultIPGateway, DNSDomain, ServiceName, Description and Index] in a tabular form to get them exported into a CSV file. I am working on it. Your notion regarding this will be deeply appreciated. Thanks again for your valuable support. Have a lovely day.
0
 
LVL 68

Expert Comment

by:Qlemo
.\StaticIP_Fetch.ps1 | Export-CSV -NoType StaticIP.csv

Is all you need to get the CSV file. The formatting you see is done by PowerShell as you didn't tell what to do with the result. In that case up to 3 properties are shown in a table, more in a list.
0
 
LVL 77

Expert Comment

by:Rob Williams
You could also use Microsoft's PSExec to run IPConfig on a list of remote computers, such as
  psexec @list.txt ipconfig >>C:\Temp\Output.txt
where List.txt is a list of computer names or IPs.
http://technet.microsoft.com/en-ca/sysinternals/bb897553.aspx
You could use the "find" command to limit the amount of information recorded.
0
 

Author Comment

by:Bedanta Shanker Mishra
Hi Qlemo,

I tried the "Export-CSV -NoType" through pipe but got the following error.

PS C:\Users\Administrator\Desktop> .\StaticIP_Fetch.ps1 | Export-CSV -NoType StaticIP.csv
Export-Csv : Cannot bind argument to parameter 'InputObject' because it is null.
At line:1 char:34
+ .\StaticIP_Fetch.ps1 | Export-CSV <<<<  -NoType StaticIP.csv
    + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ExportCsvCommand

Export-Csv : Cannot bind argument to parameter 'InputObject' because it is null.
At line:1 char:34
+ .\StaticIP_Fetch.ps1 | Export-CSV <<<<  -NoType StaticIP.csv
    + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ExportCsvCommand

Export-Csv : Cannot bind argument to parameter 'InputObject' because it is null.
At line:1 char:34
+ .\StaticIP_Fetch.ps1 | Export-CSV <<<<  -NoType StaticIP.csv
    + CategoryInfo          : InvalidData: (:) [Export-Csv], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.ExportCsvCommand


Could you please suggest any correction?

Hi Rob,
Thanks for your support. PSExec is really a great tool. I used that before. But as per our current policy, approval of this tool for execution is really a challenge! That is why I am trying to get this done by script.
0
 

Author Comment

by:Bedanta Shanker Mishra
Modified Script :

$Computers = Get-ADComputer -Filter *
foreach ($Computer in $Computers)
{
    $wmiInfo = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName $Computer.name -ErrorAction:SilentlyContinue | format-list DHCPEnabled,IPaddress
    $wmiinfo
}


OUTPUT:

PS C:\Users\Administrator\Desktop> .\StaticIP_Fetch.ps1


DHCPEnabled : False
IPaddress   : {192.168.43.243, fe80::711e:9752:fbd2:7ee4}

DHCPEnabled : True
IPaddress   : {192.168.43.85, fe80::5d3:1bcd:f408:2bd7}

DHCPEnabled : False
IPaddress   : {192.168.43.244, fe80::f8a0:336:8302:a677}





DHCPEnabled : True
IPaddress   : {192.168.43.201}

DHCPEnabled : True
IPaddress   : {0.0.0.0}


Can I get the above output in the format below?

DHCPEnabled                    IPaddress
       True                         {192.168.43.201}

So that it can be exported into CSV properly!
0
 
LVL 68

Expert Comment

by:Qlemo
Try with:
Get-ADComputer -Filter * | % {
  if (Test-Connection -Quiet $_.Name -Count 1) {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName $_.name  -ErrorAction SilentlyContinue
  }
} | select PSComputername, DHCPEnabled, IPAddress | Export-Csv -noType StaticIP.csv

0
 

Author Comment

by:Bedanta Shanker Mishra
Hi Qlemo,

I got the output on CSV as below : IP is not reflecting on CSV !!!

PSComputername  DHCPEnabled  IPAddress
                FALSE        System.String[]
                TRUE         System.String[]
                FALSE        System.String[]
                TRUE         System.String[]
                FALSE        System.String[]
                TRUE         System.String[]
                TRUE         System.String[]


Without Export or On Console :

PS C:\Users\Administrator\Desktop> .\StaticIP_Fetch_New.ps1

                                                                         DHCPEnabled IPAddress
                                                                         ----------- ---------
                                                                               False {192.168.43.243}
                                                                                True {169.254.43.215}
                                                                               False {192.168.43.244}
                                                                                True {192.168.43.164, fe80::1ca9:88e5:a04b:50ac}
                                                                               False {169.254.185.151, fe80::2542:9658:bf55:b997}
                                                                                True {169.254.247.74, fe80::a94d:7b95:ddf0:f74a}
                                                                                True {192.168.43.200}


Any idea pls !!!
0
 

Author Comment

by:Bedanta Shanker Mishra
Yes, please re-open the question, Sorry, I closed before getting the absolute solution. Thank you.
0
 

Author Comment

by:Bedanta Shanker Mishra
Thanks, Qlemo. Also requesting you to have a look at the output !
0
 
LVL 68

Expert Comment

by:Qlemo
There is another issue, as PSComputerName seems to be available with PS 3, not PS 2 (hence it is empty in your output).
This script will (a) process the machines in alphabetical order, (b) provide (empty) output for machines not reached, and (c) create the proper CSV output. If an interface has more than one IP, which happens e.g. with IPv6, those IPs are listed comma-separated.
Get-ADComputer -Filter * | sort Name | % {
  if (Test-Connection -Quiet $_.Name -Count 1) {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName $_.name -ErrorAction SilentlyContinue
  } else {
    New-Object PsObject -Property @{__Server = $_.Name; DHCPEnabled = $null; IPAddress = $null}
  }
 } | select @{n='ComputerName'; e={$.__Server}},
            DHCPEnabled,
            @{n='IPAddress'; e={$_.IPAddress -join ','}} |
   Export-CSV -NoType IPs.csv

0
 

Author Comment

by:Bedanta Shanker Mishra
Great, let me check the script in lab :) Yes, on PS3 and PS4 PSComputerName is present (tested with PS4). Thank you...
0
 

Author Comment

by:Bedanta Shanker Mishra
Works like a charm. CSV output is proper. But a small issue still exists for PSComputerName !

PC with PS4 | Output :

PS C:\Users\VLAB\Desktop> .\StaticIP_Fetch_New.ps1

ComputerName                                      DHCPEnabled                                       IPAddress
------------                                      -----------                                       ---------

                                                  True                                              192.168.43.164,fe80::1ca9:88e5:a04b:50ac
                                                  True                                              192.168.43.200


PC with PS4 | Output Simple Cmdlet:

PS C:\Users\VLAB\Desktop> Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE | select PSComputerName, DHCPEnabled, IP
Address

PSComputerName                                                                          DHCPEnabled IPAddress
--------------                                                                          ----------- ---------
VLAB-HP                                                                                   True {192.168.43.164, fe80::1ca9:88e5:a04b:50ac}
VLAB-HP                                                                                   True {192.168.43.200}


From the above output it is clear that PSComputerName is available, but through script it is not giving the result. I checked by adding "PSComputerName" against "ComputerName" in script at "select @{n='ComputerName'; e={$.__Server}}", but that didn't work. It will be great to have your help on this. Thanks a lot again!
0
 
LVL 68

Expert Comment

by:Qlemo
Strange.  __Server is available with WMI on PS 2, but let me perform some tests again...
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 250 total points
What a stupid mistake - I left out an underline ...
Get-ADComputer -Filter * | sort Name | % {
  if (Test-Connection -Quiet $_.Name -Count 1) {
    Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter IPEnabled=TRUE -ComputerName $_.name -ErrorAction SilentlyContinue
  } else {
    New-Object PsObject -Property @{__Server = $_.Name; DHCPEnabled = $null; IPAddress = $null}
  }
 } | select @{n='ComputerName'; e={$_.__Server}},
            DHCPEnabled,
            @{n='IPAddress'; e={$_.IPAddress -join ','}} |
   Export-CSV -NoType IPs.csv

0
 

Author Comment

by:Bedanta Shanker Mishra
Thank you so much, Qlemo :) This is the final output through CSV export (the perfect one):

ComputerName     DHCPEnabled  IPAddress
VLAB1AD-DB
VLAB1AD-PDC      FALSE        192.168.43.243
VLAB1AD-PDC      TRUE         192.168.43.85
VLAB1AD-PDC      FALSE        192.168.43.244
VLABCLIENTWIN8
VLAB-CLIENTXP    TRUE         192.168.43.211
VLAB-CLIENTXP    TRUE         0.0.0.0
VLAB-HP          TRUE         192.168.43.164,fe80::1ca9:88e5:a04b:50ac
VLAB-HP          TRUE         192.168.43.200

Cheers
Bedanta
0
 
LVL 68

Expert Comment

by:Qlemo
Best to split between multiple answers, because the solution takes a different approach than the original question.

Neilsr  http:#a40549386      100
Neilsr  http:#a40549505      150
Qlemo http:#a40549487      100
Qlemo http:#a40556760      150
0
 
LVL 37

Expert Comment

by:Neil Russell
Agreed with Qlemo, two different questions answered really.
0
