How to use Wireshark to detect other routers or DHCP servers that might be on my LAN? IP conflicts

Hello Experts,

I work at a school and despite running DHCP on our main router with only a few static IPs set for printers, we are constantly getting the "there is an ip conflict with another system on the network" error messages. I was told to try to use Wireshark to figure out if there is another unknown router or device running DHCP on the network that might be causing this problem. I've installed Wireshark, but I've only used the program once or twice and I have no idea how to get this information. Can anyone shed some light on this? Can anyone suggest what else I can do to figure out these IP conflict messages?
Asked by: Brent Johnson

Sommerblink commented:
There are plenty of other tools out there as well that perform the same action, which is to send out DHCP Discover packets and then listen for all the Offer responses.

Also, an IP conflict can happen if your DHCP scope is too small and/or your lease time is too long for your environment.

Windows devices (by default) do not notify the DHCP server that they no longer need that address before shutting down or going to sleep. As long as the lease time is still valid when the same client is brought back onto the network 1 hour or 10 days later (provided that it hasn't touched any other network in between), it will attempt to first re-use that same IP address as long as the lease hasn't expired... even if the DHCP server has already reassigned that address to another client during the interim.

vverdura commented:
It could be some user who plugs his PC into your network with an IP already there, or a rogue DHCP server (a little router perhaps!)...

Some switches and routers allow you to block this kind of traffic. It's considered a security attack. Assuming yours can't, you could do little. You can block users from changing IP, and when you see that kind of error you can try to find the culprit by going class to class to see who's got his computer on your network...

With Wireshark you can see the traffic and see the MAC Address of the PC. Nothing more...

You really need a better switch!

Rick_O_Shay commented:
When you have Wireshark up and running on the adapter you want, just type bootp in the filter box right above the packets and then click Apply a little to the right.
That will isolate the displayed packets to just the DHCP packets. Hit Clear to go back to seeing all packets.

You will only see the packets coming to and from the PC Wireshark is on unless you can mirror other ports or VLANs to your capture device. So you will most likely see all of the DHCP requests, which are broadcasts, but not the replies from the server.

If you renew your DHCP lease on the Wireshark machine you should see that whole transaction and what DHCP servers are replying to the request. That should help you to see if there are any unknown DHCP servers out there.
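
Added example (not part of any answer in this thread, and not Wireshark's own code): each DHCP Offer or ACK names the server that sent it in option 54, so captured replies can be checked against the servers you expect. The Python below parses constructed sample payloads and reports any server outside an assumed allowlist; the function names, addresses and MACs are all made up for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the DHCP options
SERVER_TYPES = {2: "OFFER", 5: "ACK"}   # option 53 values that only servers send

def parse_reply(payload):
    """Return (type, server_id, offered_ip) for a server reply, else None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None                      # truncated, or BOOTP without DHCP options
    opts, i = {}, 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = End option
        if payload[i] == 0:              # 0 = Pad, a single byte with no length
            i += 1
            continue
        length = payload[i + 1]
        opts[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    mtype = (opts.get(53) or b"\x00")[0]
    if payload[0] != 2 or mtype not in SERVER_TYPES:    # op 2 = BOOTREPLY
        return None
    sid = opts.get(54, b"")              # option 54 = server identifier
    server = str(ipaddress.IPv4Address(sid)) if len(sid) == 4 else "unknown"
    return SERVER_TYPES[mtype], server, str(ipaddress.IPv4Address(payload[16:20]))

def unexpected_servers(frames, authorized):
    """frames: (source MAC, UDP payload) pairs -> {server_id: {source MACs}}."""
    found = {}
    for mac, payload in frames:
        reply = parse_reply(payload)
        if reply and reply[1] not in authorized:
            found.setdefault(reply[1], set()).add(mac)
    return found

def build_sample(op, mtype, yiaddr, server_id=None):   # constructed test packet
    hdr = (bytes([op, 1, 6, 0]) + bytes(12)             # op..hops, xid..ciaddr
           + ipaddress.IPv4Address(yiaddr).packed + bytes(216))   # yiaddr, rest
    opts = bytes([53, 1, mtype])
    if server_id:
        opts += bytes([54, 4]) + ipaddress.IPv4Address(server_id).packed
    return hdr + MAGIC_COOKIE + opts + b"\xff"

SAMPLE = [  # constructed capture; every address and MAC here is made up
    ("00:11:22:33:44:55", build_sample(2, 2, "10.0.0.50", "10.0.0.1")),
    ("66:77:88:99:aa:bb", build_sample(2, 2, "192.168.1.23", "192.168.1.1")),
    ("de:ad:be:ef:00:01", build_sample(1, 1, "0.0.0.0")),   # client Discover
]

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, authorized={"10.0.0.1"}))
```

The source MAC reported for an unexpected server is what you would then look up in the switch's MAC address table to find the port it is plugged into.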

Josh R (Network Administrator) commented:
I would make sure that the IP that is conflicting is not an IP that is statically assigned first. If it is, then you know that the DHCP server is handing out an address that you want static. You would then need to remove that address (range of statics) out of the DHCP pool.
Question has a verified solution.
