WIRESHARK: Finding the Rogue DHCP server With Wireshark

Lance McGrew (RETIRED) asked:

We have found what appear to be rogue DHCP servers on the school network, identified by using the bootp.option.dhcp filter in Wireshark. Next step: sitting in front of the suspicious computer, how do we figure out what is broadcasting the availability of DHCP services?
NinjaStyle82 (Systems Administrator) commented:
"netstat -b" might help.
Lance McGrew (Author) commented:
Did not really find anything enlightening with netstat -b. Did receive from another tech support online group suggestions such as "internet sharing might be enabled", "Spotify", and "Bonjour" are all typical culprits that broadcast DHCP.

Bottom line, still hoping for other "experts" to chime in with suggestions.
NinjaStyle82 (Systems Administrator) commented:
Posting your Wireshark trace would allow us to verify that the computer in question is indeed offering DHCP.
Lance McGrew (Author) commented:
Closing the original question. Supervisor has stopped any further time spent investigating this issue, therefore the computer in question has become off-limits to further troubleshooting. Thank you for trying to help me.
PaulOfford commented:
Hi Lance,

I'm a bit late in on this but I thought I'd add a comment. DHCP servers don't really announce their presence. This is what happens:

* A device requiring dynamic configuration (say a PC) sends a DHCP Request packet. The destination MAC address is Broadcast (all FFs) and the destination IP address is 255.255.255.255.
* If there is a DHCP server on the same subnet it will respond with a NAK (if the Request included a client IP address that the DHCP server didn't approve of) or an Offer of an IP address to be used. The source address (MAC and IP) will be the DHCP server address.
* If the DHCP server is on another subnet, a DHCP Relay or Helper function in the router will listen for DHCP requests to UDP port 67, capture the packet, set the Relay Agent IP address to its own address and then forward to the remote DHCP server. Typically the DHCP Relay function will have the same address as the default gateway on your subnet, and so responses (NAK, Offer and ACK) will appear to come from your default gateway.

I'll get to the point. You can determine the DHCP server address by looking at the decode of a NAK, Offer or ACK and checking the DHCP Server Identifier.

[Wireshark screenshot: decode of a DHCP Offer showing the Relay Agent IP address, the DHCP Server Identifier option and the offered client address]

In the example above you can see that the DHCP Relay Agent is 10.101.188.1 but the actual address of the DHCP server is 10.1.5.19. You can also see that the server has offered my PC the IP address 10.101.188.186.

Best regards... Paul
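Paul's method above, pulling the Server Identifier (DHCP option 54) and the relay agent address (the giaddr field) out of each Offer, ACK and NAK and comparing the server against a list of the servers that are supposed to exist, as an added Python example that is not part of the original thread. The packets are constructed inline: the first reuses the addresses from Paul's screenshot (relay 10.101.188.1, server 10.1.5.19, offered address 10.101.188.186); the second, a reply from 10.101.188.50 answering directly on the subnet, and the authorized-server list are made up for the example.

```python
"""Audit DHCP server replies (RFC 2131 UDP payloads) to find who is really handing out leases.

Added example for this thread; packets and the authorized-server list are constructed, not captured.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie that ends the BOOTP fixed header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255


def parse_dhcp(payload: bytes) -> dict:
    """Decode the fixed header and the option list; raise ValueError on malformed input."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (too short or missing magic cookie)")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    # ciaddr, yiaddr, siaddr, giaddr follow at offsets 12, 16, 20, 24
    _ciaddr, yiaddr, _siaddr, giaddr = (str(IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24))
    client_mac = payload[28:28 + hlen].hex(":")

    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("option code without length byte")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length

    msg_type = options.get(OPT_MSG_TYPE, b"\x00")[0]
    server_id = options.get(OPT_SERVER_ID)
    return {
        "op": "BOOTREPLY" if op == 2 else "BOOTREQUEST",
        "xid": xid,
        "client_mac": client_mac,
        "yiaddr": yiaddr,                     # address being offered/acknowledged
        "giaddr": giaddr,                     # relay agent address, 0.0.0.0 if not relayed
        "relayed": giaddr != "0.0.0.0",
        "msg_type": MSG_TYPES.get(msg_type, "UNKNOWN(%d)" % msg_type),
        "server_id": str(IPv4Address(server_id)) if server_id and len(server_id) == 4 else None,
    }


def audit_dhcp_replies(replies, authorized_servers):
    """replies: iterable of (ip_src, udp_payload). Returns one finding per server reply."""
    findings = []
    for src_ip, payload in replies:
        p = parse_dhcp(payload)
        if p["msg_type"] not in ("OFFER", "ACK", "NAK"):
            continue                          # only server replies identify a server
        server = p["server_id"] or src_ip     # fall back to ip.src if option 54 is absent
        findings.append({
            "src_ip": src_ip,
            "msg_type": p["msg_type"],
            "server_id": server,
            "via_relay": p["giaddr"] if p["relayed"] else None,
            "offered": p["yiaddr"],
            "rogue": server not in authorized_servers,
        })
    return findings


def build_dhcp_reply(msg_type, xid, client_mac, yiaddr, server_id, giaddr="0.0.0.0"):
    """Construct a minimal BOOTREPLY carrying options 53 and 54 (test data for this example)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)
    hdr += b"".join(IPv4Address(a).packed for a in ("0.0.0.0", yiaddr, "0.0.0.0", giaddr))
    hdr += bytes.fromhex(client_mac.replace(":", "")).ljust(16, b"\x00")   # chaddr
    hdr += b"\x00" * (64 + 128)                                           # sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type, OPT_SERVER_ID, 4]) + IPv4Address(server_id).packed
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


# Constructed sample: one relayed Offer from the real server, one direct Offer from a local host.
SAMPLE_REPLIES = [
    ("10.101.188.1", build_dhcp_reply(2, 0x3903F326, "00:11:22:33:44:55",
                                      "10.101.188.186", "10.1.5.19", giaddr="10.101.188.1")),
    ("10.101.188.50", build_dhcp_reply(2, 0x3903F326, "00:11:22:33:44:55",
                                       "192.168.137.10", "10.101.188.50")),
]
AUTHORIZED_SERVERS = {"10.1.5.19"}   # assumption: the school's one sanctioned DHCP server

if __name__ == "__main__":
    for f in audit_dhcp_replies(SAMPLE_REPLIES, AUTHORIZED_SERVERS):
        print("%-6s from %-14s server=%-14s relay=%-14s offered=%-15s %s" % (
            f["msg_type"], f["src_ip"], f["server_id"], f["via_relay"], f["offered"],
            "ROGUE" if f["rogue"] else "ok"))
```

Two points the output makes concrete. A relayed reply arrives from the gateway's address, so only option 54 tells you the real server; a reply from a host on the same subnet has giaddr 0.0.0.0 and its own address as ip.src, and that source (plus the source MAC, which a rogue cannot hide as easily as option 54) is what to take to the switch port table. In Wireshark itself the same two fields are `bootp.option.dhcp_server_id` and `bootp.ip.relay` in the release the question's `bootp.*` filter comes from (renamed with a `dhcp.` prefix from Wireshark 3.0 on), so `bootp.option.dhcp == 2` lists the Offers and those two columns give the server and the relay for each.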
Lance McGrew (Author) commented:
I will digest your instructions and try to apply them for better understanding. Thanks for chiming in.