Locate the DHCP server in the Network

I would like to know if there is a method to use In order to locate which DHCP is handing out IP addresses.
Assuming someone plugged in DHCP server in the network, how can we locate it..?.

If I understand DHCP server even if it is not authorized it still can hand out IP addresses

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Zephyr ICTCloud ArchitectCommented:
It depends somewhat on how your network is managed, but there are some things you can do to either check for a rogue DHCP server or hunt for one if there is one...

Microsoft also has a nice article about it, it also links to a tool they created called roguechecker I think ...

Besides that their is the manual way, for example, use a PC or laptop to let it get an ip from the DHCP server, get the mac-address of the rogue DHCP server and hunt it down via the network switches (very high level here of course).

You can also use a sniffer on the network and use that to pinpoint the rogue DHCP server.
jskfanAuthor Commented:
I do not think there is a fast way to find the Rogue DHCP
I believe after:
You need to gather DHCP server IP address on multiple PCs. using IPconfig /all command
then on that VLAN where DHCP IP address is shown up, you can plug a laptop and run for instance WMIC command against the DHCP server and retrieve the MAC address.. then ssh to the switch and run Show Mac-Address table to display the MAC Address table and the Port, then Shutdown the Port.

Probably that's the way to locate it...
I wonder if there is a magical way , faster ?
Robin CMSenior Security and Infrastructure EngineerCommented:
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

The combination of wireshark and a DHCPDiscovery broadcast will have each DHCP server respond

A rogue DHCP will be discoverable.  There are different methods some are easyier tools than others.
jskfanAuthor Commented:
can Wireshark see traffic in all Vlans ?
example: if rogue DHCP is in Vlan 200 and you plug your laptop to Management vlan(Vlan66), will you be able to see DHCP servers that are acknowledging DHCP requests and pin point the Ports that they are plugged into ?

I know DHCP snooping is prevention mechanism, but if you have not configured it and the issue has occurred then you still need to use other means to locate the Port where the rogue DHCP is plugged into.
That's what this question is about
Zephyr ICTCloud ArchitectCommented:
You should be able to capture the VLAN tags if you set the port monitoring/span up correctly, in other words capture all traffic going over the switch

When you have the mac-address of the rogue dhcp server you should be able to pinpoint it to a certain switch and then a certain port ... You could also use the first part of the mac-address to look up the vendor to give you an idea maybe what device it is...
A rogue DHCP will interfere with Functioning of the systems on that segment/vlan.

a linux liveCD using dhclient you can locate the DHCP servers on the network/segment.
A prior linux running the perl script from EE article http://www.experts-exchange.com/Networking/Protocols/DHCP/Q_27544076.html
Alter it to process the responses without actually requesting IPs.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
jskfanAuthor Commented:
I will come back to this later
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.