maharlika

Unidentified DHCP on network

Some of the computers on our network keep getting 192.168.x.x addresses, even though our DHCP server is on the 10.2.x.x subnet. I suspect there's a rogue router or access point with DHCP turned on by default, but don't know how to trace it. Is there some way of telling the MAC address or otherwise identifying where the DHCP addresses are coming from?
ASKER CERTIFIED SOLUTION
Joseph Daly
This solution is only available to members.
I've used this utility to locate them before. As xxdcmast said, you can determine the IP address of the device, look at your ARP table for the MAC address, and locate the switch port it's connected to that way. Assuming you have Cisco switches, the command would be "show mac address | i 0000.aaaa.bbbb.cccc" - it will return which port that switch sees the device on.

http://www.softpedia.com/get/Network-Tools/Network-IP-Scanner/DHCP-Find.shtml
One more thing, it may not find the DHCP server initially - it may take a few minutes for it to discover it. It basically sends DHCP requests out over the network at specified intervals and will tell you who responds with an address. It will keep doing this until you stop it.
For that, you may use the tool released by the Windows DHCP team on their blog at
http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

This will simply tell you what is serving DHCP leases in your environment.

Regards,
Krzysztof
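
What the detection tools in the replies above do, sketched as an added example (not code from this thread or from either tool): build a DHCPDISCOVER probe, parse each reply, and flag offers whose server identifier is not on an allowlist. The allowlist address, the client MAC and the sample offers are constructed values.

```python
import socket, struct

MAGIC = b"\x63\x82\x53\x63"        # DHCP magic cookie that follows the BOOTP header
AUTHORIZED = {"10.2.0.10"}         # assumption: address of the legitimate DHCP server

def bootp(op, xid, yiaddr, mac, options):
    """Pack a BOOTP/DHCP message: fixed 236-byte header, cookie, options, end."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", op, 1, 6, 0, xid, 0, 0x8000,
                      b"", socket.inet_aton(yiaddr), b"", b"", mac, b"", b"")
    return hdr + MAGIC + options + b"\xff"

def build_discover(xid, mac):
    """The probe: a DHCPDISCOVER (option 53 = 1) with the broadcast flag set."""
    return bootp(1, xid, "0.0.0.0", mac, b"\x35\x01\x01")

def constructed_offer(xid, mac, offered, server):
    """Constructed sample reply: DHCPOFFER (53 = 2) with server identifier (54)."""
    opts = b"\x35\x01\x02\x36\x04" + socket.inet_aton(server)
    return bootp(2, xid, offered, mac, opts)

def parse_reply(data, xid):
    """Return (msg_type, offered_ip, server_id), or None if not a reply to xid."""
    if len(data) < 240 or data[0] != 2 or data[236:240] != MAGIC:
        return None
    if struct.unpack("!I", data[4:8])[0] != xid:
        return None                # reply to some other client's transaction
    opts, i = {}, 240
    while i + 1 < len(data) and data[i] != 255:
        if data[i] == 0:           # pad option carries no length byte
            i += 1
            continue
        length = data[i + 1]
        opts[data[i]] = data[i + 2:i + 2 + length]
        i += 2 + length
    mtype = opts[53][0] if opts.get(53) else None
    sid = opts.get(54, b"")
    server = socket.inet_ntoa(sid) if len(sid) == 4 else None
    return mtype, socket.inet_ntoa(data[16:20]), server

def is_rogue(reply, authorized=AUTHORIZED):
    """True for an OFFER whose server identifier is not on the allowlist."""
    return reply is not None and reply[0] == 2 and reply[2] not in authorized
```

To run it live, broadcast build_discover() from UDP port 68 to port 67 and pass each datagram received to parse_reply(). The server identifier it reports is the IP to look up in the ARP table.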
Change a test computer to a fixed IP within the same subnet.

Put the IP in the internet browser.

http://192.168.x.1

A window will come up.

Usually rogue DHCP servers are either home based routers, Wireless routers, or NAS servers. Most all have a web interface. By putting in the IP, you will be able to access the web page. If not configured, you can use the default username and password to access it and shut down DHCP.

Admin / (blank)
Admin / admin
are typically the two default usernames and passwords of many devices.