DORA
ipconfig /release
ipconfig /renew
find_rogue.pcap
In Wireshark:
.pcap
filebootp
packetsbootp.option.dhcp == 2
packetsFrom a CMD prompt, you can check for:
nslookup <IP of rogue DHCP server>
ping <IP of rogue DHCP server> arp -a
nbtstat -A <IP of rogue DHCP server>
Knowing the manufacturer of the rogue device might help, once you know the MAC address. Try a lookup here:
Finally, use 'Divide and Conquer' to find the culprit.