WIRESHARK: Finding the Rogue DHCP server With Wireshark

We have found what appear to be rogue DHCP servers on the school network, identified by using the bootp.option.dhcp filter in Wireshark. Next step: sitting in front of the suspicious computer, how do we figure out what is broadcasting the availability of DHCP services?
Lance McGrew (RETIRED) asked:
NinjaStyle82 (Systems Administrator) commented:
"netstat -b" might help
Lance McGrew (RETIRED, Author) commented:
Did not really find anything enlightening with netstat -b. Did receive, from another online tech support group, suggestions such as "internet sharing might be enabled", "Spotify", and "Bonjour", which are all typical culprits that broadcast DHCP.

Bottom line still hoping for other "experts" to chime in with suggestions.
NinjaStyle82 (Systems Administrator) commented:
Posting your Wireshark transfer would allow us to verify that the computer in question is indeed offering DHCP.


Lance McGrew (RETIRED, Author) commented:
Closing the original question. Supervisor has stopped any further time being spent investigating this issue; therefore the computer in question has become off-limits to further troubleshooting. Thank you for trying to help me.
Hi Lance,

I'm a bit late in on this but I thought I'd add a comment.  DHCP servers don't really announce their presence.  This is what happens:

* A device requiring dynamic configuration (say a PC) sends a DHCP Request packet.  The destination MAC address is Broadcast (all FFs) and the Destination IP address is
* If there is a DHCP server on the same subnet it will respond with a NAK (if the Request included a client IP address that the DHCP server didn't approve of) or an Offer of an IP address to be used.  Source address (MAC and IP) will be the DHCP server address
* If the DHCP server is on another subnet, a DHCP Relay or Helper function in the router will listen for DHCP requests to UDP Port 67, capture the packet, set the Relay Agent IP address to its own address and then forward to the remote DHCP server.  Typically the DHCP Relay function will have the same address as the default gateway on your subnet and so responses (NAK, Offer and ACK) will appear to come from your default gateway

I'll get to the point.  You can determine the DHCP server address by looking at the decode of a NAK, Offer or ACK and checking the DHCP Server Identifier.

[Wireshark screenshot]
In the example above you can see that the DHCP Relay Agent is but the actual address of the DHCP server is  You can also see that the server has offered my PC the IP address

Best regards...Paul
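To make Paul's point concrete, here is an added example (not code from the thread or from Wireshark) that parses the UDP payload of DHCP packets the way Wireshark's bootp dissector does and pulls out the three fields that matter for this question: the relay agent address (giaddr), the offered address (yiaddr) and the DHCP Server Identifier (option 54). It then lists every server identifier seen in OFFER/ACK/NAK messages that is not on an allow-list of known servers. The packets and all addresses are constructed for the example; the hypothetical `build_dhcp` helper only exists to produce sample input offline, and in practice you would feed in the UDP payloads from a capture.

```python
"""Identify DHCP servers from OFFER/ACK/NAK packets via the Server Identifier option.

Added example; the packets, addresses and allow-list below are constructed.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"  # BOOTP vendor magic cookie that precedes DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse a DHCP packet (BOOTP fixed header + options) from a UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[0:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    # ciaddr, yiaddr, siaddr, giaddr are consecutive 4-byte fields at offset 12
    ciaddr, yiaddr, siaddr, giaddr = (
        str(IPv4Address(payload[i:i + 4])) for i in (12, 16, 20, 24))
    chaddr = payload[28:28 + hlen].hex(":")
    # Options are TLV encoded after the magic cookie; 0 = pad, 255 = end
    options = {}
    i = 240
    while i + 1 < len(payload):
        code = payload[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\x00")[0], "UNKNOWN")
    # Option 54 is the real server; giaddr is only the relay that forwarded it
    server_id = str(IPv4Address(options[54])) if 54 in options else None
    return {"op": op, "xid": xid, "chaddr": chaddr, "ciaddr": ciaddr,
            "yiaddr": yiaddr, "siaddr": siaddr, "giaddr": giaddr,
            "msg_type": msg_type, "server_id": server_id}


def find_rogue_servers(payloads, known_servers) -> dict:
    """Return {server_id: [message types]} for servers not on the allow-list."""
    seen = {}
    for payload in payloads:
        d = parse_dhcp(payload)
        if d["msg_type"] in ("OFFER", "ACK", "NAK") and d["server_id"]:
            seen.setdefault(d["server_id"], set()).add(d["msg_type"])
    return {s: sorted(t) for s, t in seen.items() if s not in known_servers}


def build_dhcp(op, msg_type, yiaddr="0.0.0.0", giaddr="0.0.0.0", server_id=None,
               chaddr=b"\x00\x11\x22\x33\x44\x55", xid=0x3903F326) -> bytes:
    """Hypothetical helper: build a minimal DHCP packet for constructed sample input."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # op..flags
    hdr += IPv4Address("0.0.0.0").packed + IPv4Address(yiaddr).packed
    hdr += IPv4Address("0.0.0.0").packed + IPv4Address(giaddr).packed
    hdr += chaddr.ljust(16, b"\x00") + b"\x00" * 192  # chaddr, sname, file
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + IPv4Address(server_id).packed
    return hdr + DHCP_MAGIC + opts + b"\xff"


# Constructed sample: a DISCOVER, a relayed OFFER from the real server,
# and a second OFFER sent directly by an unexpected host on the subnet.
SAMPLE_PAYLOADS = [
    build_dhcp(1, 1),
    build_dhcp(2, 2, yiaddr="192.168.10.50", giaddr="192.168.10.1", server_id="10.0.0.5"),
    build_dhcp(2, 2, yiaddr="192.168.10.201", server_id="192.168.10.77"),
]
KNOWN_SERVERS = {"10.0.0.5"}  # constructed allow-list of sanctioned DHCP servers

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        d = parse_dhcp(p)
        print(f'{d["msg_type"]:8} relay={d["giaddr"]:15} server={d["server_id"]} offered={d["yiaddr"]}')
    print("unexpected servers:", find_rogue_servers(SAMPLE_PAYLOADS, KNOWN_SERVERS))
```

The relayed OFFER shows why option 54 is the field to read: its giaddr is the default gateway, but the Server Identifier still names the actual DHCP server on the other subnet. The direct OFFER from 192.168.10.77 carries a giaddr of 0.0.0.0 and a Server Identifier that is not on the allow-list, which is exactly the signature of a DHCP server running on a host in the local subnet; the Wireshark filter equivalent is `bootp.option.dhcp_server_id` restricted to addresses other than your known servers.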
Lance McGrew (RETIRED, Author) commented:
I will digest your instructions and try to apply for better understanding.  Thanks for chiming in.