[c-nsp] Tracking down rogue DHCP server
Joel M Snyder
Joel.Snyder at Opus1.COM
Mon Aug 15 11:44:19 EDT 2005
> I am trying to find an easy way to track down this rogue DHCP server and
> smack the user really really really hard.

You may get lucky. Try having a user who picks up the wrong DHCP
address do an "ipconfig/full" (or is it /all? Damn Windows machines).
DHCP servers often hand out lots of other information, such as name
server and domain name, that can help you track down who might have done
this. For example, if you see that the domain name being given out is
"sipura.com," that gives you a lot more information about who is handing
out the information.

In any case, you'll need the IP address of the rogue DHCP server (via
the ipconfig command) so you can walk your FDBs and figure out what port
it's on. But finding out things like the default gateway and domain
name might get you a faster answer. It's worked for me the past two
times this has happened.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice) +1 520 324 0495 (FAX)
jms at Opus1.COM http://www.opus1.com/jms Opus One
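
Added example, not part of the original message: a Python sketch of the triage described above. It parses `ipconfig /all` text from an affected client and reports any lease whose DHCP server is not on an allow-list, along with the domain name, gateway and name servers that server handed out. The sample output, its addresses and the `known_servers` allow-list are constructed assumptions; only the "sipura.com" suffix comes from the message.

```python
import re

# Constructed, abridged `ipconfig /all` output; addresses are made up.
SAMPLE = """\
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : sipura.com
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1
Ethernet adapter Lab:
   Connection-specific DNS Suffix  . : corp.example
   Default Gateway . . . . . . . . . : 10.20.0.1
   DHCP Server . . . . . . . . . . . : 10.20.0.5
   DNS Servers . . . . . . . . . . . : 10.20.0.5
                                       10.20.0.6
"""

# "Key . . . : value". Requiring a space or dot before the colon stops bare
# IPv6 continuation lines from being parsed as fields.
FIELD = re.compile(r"^\s+(\S.*?)[ .]+:\s?(.*)$")

def parse_ipconfig(text):
    """Return {section: {field: [values]}} for each unindented section header."""
    sections, current, last = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():            # section header, e.g. an adapter
            current, last = sections.setdefault(line.rstrip(": "), {}), None
            continue
        m = FIELD.match(line)
        if m and current is not None:
            last = m.group(1)
            current[last] = [m.group(2).strip()] if m.group(2).strip() else []
        elif last is not None:               # continuation line (extra DNS server)
            current[last].append(line.strip())
    return sections

def find_unexpected_dhcp(text, known_servers):
    """List adapters whose lease came from a server outside known_servers."""
    hits = []
    for adapter, f in parse_ipconfig(text).items():
        server = next(iter(f.get("DHCP Server", [])), None)
        if server and server not in known_servers:
            hits.append({"adapter": adapter, "dhcp_server": server,
                         "domain": " ".join(f.get("Connection-specific DNS Suffix", [])),
                         "gateway": f.get("Default Gateway", []),
                         "dns": f.get("DNS Servers", [])})
    return hits

if __name__ == "__main__":
    # known_servers is a hypothetical allow-list of the site's real DHCP servers.
    for hit in find_unexpected_dhcp(SAMPLE, {"10.20.0.5"}):
        print(hit)
```

The reported `dhcp_server` address is the one to chase through the switch forwarding tables.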