Find a Rogue DHCP Server

DHCP Process

DORA

  1. Discover
    • Client (broadcast, so it reaches every DHCP server on the segment)
  2. Offer
    • Server (every server that heard the Discover answers, which is why a rogue shows up at this step)
  3. Request
    • Client (broadcast; names the one server whose offer it accepted, usually the first offer received)
  4. Acknowledge
    • Server (only the selected server replies)

Capture the Process

  1. Note the IP address of the valid DHCP server
    • ipconfig /all shows it as "DHCP Server" on a working client; it is also the destination of the DHCP Release packet that client sends
  2. Start Wireshark
  3. ipconfig /release
  4. ipconfig /renew
  5. Save the capture
    • find_rogue.pcap

Analyze the Capture

In Wireshark:

  1. Open the .pcap file
  2. Filter on bootp packets
    • Shows DORA
    • Wireshark 3.0 and later renamed the dissector, so the filter is dhcp
  3. Filter on bootp.option.dhcp == 2 packets (dhcp.option.dhcp == 2 in Wireshark 3.0 and later)
    • Shows DHCP Offer packets; any Offer whose Server Identifier (option 54) is not your valid server is the rogue
    • The Ethernet source address of that frame is the rogue's MAC if it is on your segment (if Relay agent IP is non-zero, the frame came through a relay and the MAC is the relay's)
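The same check done offline, as an added example (not part of the original wiki page): a dependency-free Python script that reads find_rogue.pcap, decodes Ethernet/IPv4/UDP/BOOTP just far enough to pull out every DHCP Offer (option 53 == 2), and flags any whose Server Identifier (option 54) is not on an allow-list. The names (Offer, find_rogue_offers, build_server_frame) are mine, and the capture it runs on is constructed in the script, not taken from a real network; point read_pcap at your own .pcap bytes to use it for real.

```python
"""Flag DHCP Offers from servers that are not on the allow-list.

Added example, not the wiki author's code. Minimal libpcap -> Ethernet ->
IPv4 -> UDP -> BOOTP parsing with the standard library only.
"""
import struct
from dataclasses import dataclass

DHCP_OFFER, DHCP_ACK = 2, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class Offer:
    src_mac: str     # Ethernet source: the server's MAC if it is on our segment
    src_ip: str      # IPv4 source of the frame
    server_id: str   # option 54: the address the client will Request/Release to
    offered_ip: str  # yiaddr: the lease on offer
    relay_ip: str    # giaddr: non-zero means a relay forwarded it (src_mac is the relay's)


def _ip(b):
    return ".".join(str(x) for x in b)


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_dhcp_options(bootp):
    """Return {code: raw value} from the TLV options after the 240-byte header."""
    opts, i = {}, 240
    while i < len(bootp) and bootp[i] != OPT_END:
        if bootp[i] == OPT_PAD:
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        opts[code] = bootp[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def parse_offer(frame):
    """Decode one Ethernet frame; return an Offer for DHCP Offers, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":      # IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 17:                                          # not UDP
        return None
    udp = ip[ihl:]
    sport, _dport, ulen = struct.unpack("!HHH", udp[:6])
    bootp = udp[8:ulen]
    if sport != 67 or len(bootp) < 240 or bootp[236:240] != MAGIC_COOKIE:
        return None                                          # not a DHCP server message
    opts = parse_dhcp_options(bootp)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return None
    return Offer(_mac(frame[6:12]), _ip(ip[12:16]),
                 _ip(opts.get(OPT_SERVER_ID, ip[12:16])),
                 _ip(bootp[16:20]), _ip(bootp[24:28]))


def read_pcap(data):
    """Yield frames from a classic libpcap file (Ethernet link type assumed)."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos = 24                                                 # skip the global header
    while pos + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[pos:pos + 16])
        yield data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len


def find_rogue_offers(pcap_bytes, valid_servers):
    """Every DHCP Offer whose Server Identifier is not in valid_servers."""
    offers = filter(None, (parse_offer(f) for f in read_pcap(pcap_bytes)))
    return [o for o in offers if o.server_id not in valid_servers]


# --- constructed sample capture (made up for this example, not a real network) ---
def build_server_frame(src_mac, server_ip, offered_ip, msg_type):
    """Build a broadcast DHCP server->client frame (Offer or ACK) for testing."""
    sip = bytes(map(int, server_ip.split(".")))
    yip = bytes(map(int, offered_ip.split(".")))
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + sip + bytes([OPT_END])
    bootp = (bytes([2, 1, 6, 0]) + b"\x39\x03\xf3\x26" + b"\0" * 8 + yip + sip + b"\0" * 4
             + b"\0" * 16 + b"\0" * 192 + MAGIC_COOKIE + opts)
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                       sip, b"\xff\xff\xff\xff") + udp
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ipv4


def sample_pcap():
    frames = [
        build_server_frame("00:11:22:33:44:55", "192.168.1.1", "192.168.1.50", DHCP_OFFER),
        build_server_frame("de:ad:be:ef:00:01", "192.168.1.254", "192.168.1.77", DHCP_OFFER),
        build_server_frame("00:11:22:33:44:55", "192.168.1.1", "192.168.1.50", DHCP_ACK),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 1532000000, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for o in find_rogue_offers(sample_pcap(), {"192.168.1.1"}):
        print(f"ROGUE server {o.server_id} (MAC {o.src_mac}) offered {o.offered_ip}")
```

The ACK in the sample is there on purpose: only Offers are reported, so the legitimate server's later Acknowledge does not produce noise. If relay_ip comes back non-zero, the MAC you see is the relay's and the rogue sits behind it.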

Track It Down

From a CMD prompt, you can check for:

  • Reverse DNS info
    • nslookup <IP of rogue DHCP server>
  • The MAC address (ping first so the entry lands in the ARP cache; only works if the rogue server is on your own subnet, which a rogue DHCP server normally is)
    • ping <IP of rogue DHCP server>
    • arp -a
  • The NetBIOS name (only answers if the device runs NetBIOS over TCP/IP)
    • nbtstat -A <IP of rogue DHCP server>

Knowing the manufacturer of the rogue device might help, once you know the MAC address. The first three octets (the OUI) identify the vendor, which often tells you whether you are chasing a consumer router, a phone tethering a hotspot, or a PC. Try a lookup here:

https://macvendors.com/

Finally, use 'Divide and Conquer' to find the culprit: on a managed switch, look the MAC address up in the switch's MAC address table to get the port; otherwise disconnect half the switches or uplinks at a time, repeat the release/renew, and see whether the rogue Offer disappears.

networking/dhcp_find_rogue.txt · Last modified: 2018/07/20 12:46 by gcooper