Cisco Support Community
New Member

How to find a rogue DHCP server

Hi,

Does anyone know how to find such a server? We cannot find any MAC address that's associated with the DHCP server. We tried sniffing: nothing.

We cannot yet use DHCP snooping because of an issue with BOOTP, which we still use besides DHCP.

thx,

Marc

9 REPLIES
Hall of Fame Super Bronze

Re: How to find a rogue DHCP server

If you have Windows XP and obtain an IP address from that rogue DHCP server, the IP address of the DHCP server will be displayed in ipconfig /all at the workstation.

Once you have the IP address, you can go to your Layer3 device and find its MAC Address in the ARP table.

With the MAC Address, you can find what switchport this device is connected to in the switch.

HTH,

__

Edison.

New Member

Re: How to find a rogue DHCP server

That we tried, using our own laptop in the VLAN. We got an IP address 192.168.2.x with DHCP server 192.168.2.1. This machine is not pingable and the ARP table says nothing about it. No MAC address. That's the strange thing.

Hall of Fame Super Bronze

Re: How to find a rogue DHCP server

The reason could be due to the Layer3 device not being part of that subnet.

And if you have the sniffing software running on the laptop getting the initial IP address, you can't see the MAC address?

Can you ping the DHCP server from the laptop that obtained this IP address? If so, the MAC will be in the laptop's ARP table.

__

Edison.

New Member

Re: How to find a rogue DHCP server

Sniffing tells us MAC address 00:00:00:00:00:00 is the MAC address.

New Member

Re: How to find a rogue DHCP server

Try using IPScan (aka Angry IP). It's a free scanning tool that scans the network using various ways to get equipment to respond. The response should include the MAC address. You can enter just the IP address of the DHCP or you can do a full range of addresses... Note: This utility is often detected as spyware or a virus on the PC it is installed on because it scans the network. It is not a spy, it is a utility for LAN administrators!

http://www.angryziber.com/w/Home

New Member

Re: How to find a rogue DHCP server

Hi,

Try telnetting or SSH or HTTP or HTTPS to the rogue device IP from the same VLAN from which you got the IP. Sometimes that can help to find which device is the culprit.

Ullas

New Member

Re: How to find a rogue DHCP server

Hi Ullas,

Tried that also. It's so strange.

New Member

Re: How to find a rogue DHCP server

One more solution: try a continuous ping to the rogue IP from your laptop that got the DHCP IP. Log into the switch on which the laptop is connected. Give "show arp | in 192.x.x.x" (the rogue DHCP IP). That will give you the MAC address for the rogue device. Get that MAC, use "show mac-address-table address {mac address}", and try to find the switch port where the device is connected.

Hope that helps

Ullas

New Member

Re: How to find a rogue DHCP server

We found the machines (2) with a new sniffer action. These machines are running a trojan horse.

http://www.avertlabs.com/research/blog/index.php/2008/12/04/dnschanger-trojans-v40/

Marc
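
The sniffing approach discussed in this thread, as an added example that is not part of any poster's reply: a parser for the UDP payload of a captured DHCP reply that pulls out the server identifier (option 54) and the router and DNS servers being handed out, then checks the server against an allowlist. The `AUTHORIZED` address, the helper names and the sample packet are assumptions constructed for illustration; only 192.168.2.1 comes from the thread.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie after the 236-byte BOOTP header
AUTHORIZED = {"10.0.0.5"}     # assumption: the site's legitimate DHCP server(s)

def ip(b: bytes) -> str:
    return str(ipaddress.IPv4Address(b))

def parse_dhcp(payload: bytes) -> dict:
    """Extract the server-identifying fields from a DHCP reply (UDP payload)."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("truncated, or plain BOOTP without DHCP options")
    info = {"op": payload[0], "yiaddr": ip(payload[16:20]),
            "siaddr": ip(payload[20:24]), "msg_type": None,
            "server_id": None, "routers": [], "dns": []}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        if payload[i] == 0:                            # 0 = pad, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        i += 2 + length
        if len(value) < length:
            break                                      # option runs past the packet
        if code == 53 and length == 1:
            info["msg_type"] = value[0]                # 2 = OFFER, 5 = ACK
        elif code == 54 and length == 4:
            info["server_id"] = ip(value)              # who claims to be the server
        elif code in (3, 6) and length % 4 == 0:       # 3 = routers, 6 = DNS servers
            key = "routers" if code == 3 else "dns"
            info[key] = [ip(value[j:j + 4]) for j in range(0, length, 4)]
    return info

def is_rogue(info: dict, authorized=AUTHORIZED) -> bool:
    """True for an OFFER/ACK whose server identifier is not on the allowlist."""
    return info["op"] == 2 and info["msg_type"] in (2, 5) \
        and info["server_id"] not in authorized

def sample_offer(server: str, offered: str, dns: str) -> bytes:
    """Constructed test packet: BOOTREPLY header plus options 53, 54 and 6."""
    pk = lambda a: ipaddress.IPv4Address(a).packed
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                      bytes(4), pk(offered), pk(server), bytes(4),
                      bytes.fromhex("020000000001"), b"", b"")
    return hdr + MAGIC + bytes([53, 1, 2, 54, 4]) + pk(server) \
        + bytes([6, 4]) + pk(dns) + b"\xff"
```

The DNS and router values in an unauthorized offer are worth recording alongside the server identifier, since they show where clients that accepted the lease are being sent.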
