How to find a rogue DHCP server

Dec 9th, 2008


Anyone know how to find such a server? We cannot find any MAC address that's associated with the DHCP server. We tried sniffing, nothing.

We cannot yet use DHCP snooping because of an issue with BOOTP that we still use besides DHCP.



Edison Ortiz Tue, 12/09/2008 - 07:21

If you have Windows XP and obtain an IP address from that rogue DHCP server, the IP address of the DHCP server will be displayed in ipconfig /all at the workstation.

Once you have the IP address, you can go to your Layer3 device and find its MAC Address in the ARP table.

With the MAC Address, you can find what switchport this device is connected to in the switch.




MJonkers Tue, 12/09/2008 - 07:24

That we tried, using our own laptop in the VLAN. We got an IP address 192.168.2.x with dhcp server This machine is not pingable and the ARP table says nothing about it. No MAC address. That's the strange thing.

Edison Ortiz Tue, 12/09/2008 - 07:28

The reason could be due to the Layer3 device not being part of that subnet.

And if you have the sniffing software running on the laptop getting the initial IP address, you can't see the MAC address?

Can you ping the DHCP server from the laptop that obtained this IP address? If so, the MAC will be in the laptop's ARP table.



MJonkers Tue, 12/09/2008 - 07:30

Sniffing tells us MAC address 00:00:00:00:00:00 is the MAC address.

shelly_ratliff Tue, 12/09/2008 - 07:37

Try using IPScan (aka Angry IP). It's a free scanning tool that scans the network using various ways to get equipment to respond. The response should include the MAC address. You can enter just the IP address of the DHCP server or you can do a full range of addresses... Note: This utility is often detected as spyware or a virus on the PC it is installed on because it scans the network. It is not a spy, it is a utility for LAN administrators!

ullasupendran Tue, 12/09/2008 - 07:43

Hi,

Try telnetting or SSH or HTTP or HTTPS to the rogue device IP from the same VLAN from which you got the IP. Sometimes that can help to find which device is the culprit.


ullasupendran Wed, 12/10/2008 - 07:19

One more solution. Try a continuous ping to the rogue IP from your laptop that got the DHCP IP. Log into the switch on which the laptop is connected. Give show arp | in 192.x.x.x (rogue DHCP IP). That will give you the MAC address for the rogue device. Get that MAC and use " show mac-address-table address {mac address} " and try to find the switch port where the device is connected.

Hope that helps
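
Added example, not part of any post in this thread: several replies rely on sniffing the DHCP reply to learn the server's address, so this Python parser pulls the Ethernet source MAC, the server identifier (option 54) and the relay address out of one captured reply frame and checks it against an allow-list. The sample frame, all addresses in it, and the function names are constructed for illustration; 802.1Q-tagged frames are not handled.

```python
import socket
import struct

def parse_dhcp_reply(frame):
    """Parse an untagged Ethernet/IPv4/UDP frame; return DHCP/BOOTP reply fields or None."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                                  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8 + 240:
        return None                                  # not UDP, or too short for BOOTP
    sport, = struct.unpack("!H", ip[ihl:ihl + 2])
    bootp = ip[ihl + 8:]
    if sport != 67 or bootp[0] != 2 or bootp[236:240] != b"\x63\x82\x53\x63":
        return None                                  # not a BOOTREPLY with the magic cookie
    opts, i = {}, 240
    while i + 1 < len(bootp) and bootp[i] != 255:    # walk TLV options until End (255)
        if bootp[i] == 0:                            # Pad option has no length byte
            i += 1
            continue
        opts[bootp[i]] = bootp[i + 2:i + 2 + bootp[i + 1]]
        i += 2 + bootp[i + 1]
    sid = opts.get(54, b"")
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),  # L2 sender on this segment
        "src_ip": socket.inet_ntoa(ip[12:16]),
        "server_id": socket.inet_ntoa(sid) if len(sid) == 4 else None,  # option 54
        "offered_ip": socket.inet_ntoa(bootp[16:20]),          # yiaddr
        "relay": socket.inet_ntoa(bootp[24:28]),               # giaddr, 0.0.0.0 if no relay
    }

def is_rogue(reply, authorized):
    """True if the server is not allow-listed; plain BOOTP has no option 54, so use src IP."""
    return reply is not None and (reply["server_id"] or reply["src_ip"]) not in authorized

def sample_offer():
    """Constructed DHCPOFFER frame; every address in it is a made-up sample value."""
    addrs = ("0.0.0.0", "192.168.2.50", "192.168.2.1", "0.0.0.0")  # ci/yi/si/giaddr
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234ABCD, 0, 0)
    bootp += b"".join(socket.inet_aton(a) for a in addrs)
    bootp += bytes.fromhex("020000aabbcc").ljust(16, b"\0") + bytes(192)
    bootp += b"\x63\x82\x53\x63\x35\x01\x02\x36\x04" + socket.inet_aton("192.168.2.1") + b"\xff"
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                      socket.inet_aton("192.168.2.1"), socket.inet_aton("255.255.255.255"))
    return b"\xff" * 6 + bytes.fromhex("02005e100001") + b"\x08\x00" + iph + udp

if __name__ == "__main__":
    r = parse_dhcp_reply(sample_offer())
    print(r, "ROGUE" if is_rogue(r, {"10.0.0.5"}) else "ok")
```

When the reply arrives through a relay, src_mac is the relay's interface rather than the server's own, so read the relay field before chasing the MAC through the switch tables.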


