Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » networking » dhcp_find_rogue
Trace:
networking:dhcp_find_rogue

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision 		Previous revision
networking:dhcp_find_rogue [2018/07/20 12:27]
gcooper 		networking:dhcp_find_rogue [2018/07/20 12:46] (current)
gcooper
Line 17: Line 17:
  
   - Note the IP address of valid DHCP server   - Note the IP address of valid DHCP server
 +    * See DHCP Release packet from working client
   - Start Wireshark   - Start Wireshark
   - ''ipconfig /release''   - ''ipconfig /release''
Line 27: Line 28:
 In Wireshark: In Wireshark:
  
-  - Open the ''.pcap'' file +  - **Open** the ''.pcap'' file 
-  - Filter on ''bootp'' packets +  - **Filter** on ''bootp'' packets 
-  - +    * Shows DORA 
 +  - **Filter** on ''bootp.option.dhcp == 2'' packets 
 +    * Shows DHCP Offer packets
  
 +===== Track It Down =====
 +
 +From a CMD prompt, you can check for:
 +
 +  * Reverse DNS info
 +  * Find the MAC address
 +  * Check for NETBIOS name
 +
 +<file>
 +nslookup <IP of rogue DHCP server>
 +</file>
 +
 +<file>
 +ping <IP of rogue DHCP server>
 +arp -a
 +</file>
 +
 +<file>
 +nbtstat -A <IP of rogue DHCP server>
 +</file>
 +
 +Knowing the manufacturer of the rogue device might help, once you know the MAC address.  Try a lookup here:
 +
 +https://macvendors.com/
 +
 +Finally, use '**Divide and Conquer**' to find the culprit.
networking/dhcp_find_rogue.1532111272.txt.gz · Last modified: 2018/07/20 12:27 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki