[c-nsp] Tracking down rogue DHCP server

Joel M Snyder Joel.Snyder at Opus1.COM
Mon Aug 15 11:44:19 EDT 2005


> I am trying to find an easy way to track down this rogue DHCP server and
> smack the user really really really hard.  

You may get lucky.  Try having a user who picks up the wrong DHCP 
address do an "ipconfig/full" (or is it /all?  Damn Windows machines). 
DHCP servers often hand out lots of other information, such as name 
server and domain name, that can help you track down who might have done 
this.  For example, if you see that the domain name being given out is 
"sipura.com," that gives you a lot more information about who is handing 
out the information.

In any case, you'll need the IP address of the rogue DHCP server (via 
the ipconfig command) so you can walk your FDBs and figure out what port 
it's on.  But finding out things like the default gateway and domain 
name might get you a faster answer.  It's worked for me the past two 
times this has happened.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms at Opus1.COM    http://www.opus1.com/jms    Opus One
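
The check described in the message above, as an added example that is not part of the original post: a Python script that parses `ipconfig /all` output collected from clients and reports any lease issued by a DHCP server outside the authorized list, together with the domain name, gateway and DNS clues. The sample output, the addresses and the `AUTHORIZED_DHCP` set are constructed assumptions; "sipura.com" is the domain mentioned in the message.

```python
import re

# Constructed sample of `ipconfig /all` output (not real data).
SAMPLE = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : sipura.com
   Physical Address. . . . . . . . . : 00-0C-29-AA-BB-01
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.0.101
   Default Gateway . . . . . . . . . : 192.168.0.1
   DHCP Server . . . . . . . . . . . : 192.168.0.1
   DNS Servers . . . . . . . . . . . : 192.168.0.1

Ethernet adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . : corp.example.com
   DHCP Enabled. . . . . . . . . . . : Yes
   IP Address. . . . . . . . . . . . : 10.1.1.77
   Default Gateway . . . . . . . . . : 10.1.1.1
   DHCP Server . . . . . . . . . . . : 10.1.1.5
   DNS Servers . . . . . . . . . . . : 10.1.1.10
"""

AUTHORIZED_DHCP = {"10.1.1.5"}  # assumption: the site's real DHCP server(s)

# "Label . . . . : value" -> (label, value); the first colon is the separator.
FIELD = re.compile(r"^\s+([A-Za-z][^:]*?)[\s.]*:\s*(.*)$")
CLUES = ("DHCP Server", "Connection-specific DNS Suffix",
         "Default Gateway", "DNS Servers")

def parse_adapters(text):
    """Return {adapter name: {field label: value}} from ipconfig /all text."""
    adapters, current = {}, None
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = adapters.setdefault(line.rstrip()[:-1], {})
        elif current is not None:
            m = FIELD.match(line)
            if m:  # continuation lines (extra DNS servers) have no label
                current[m.group(1)] = m.group(2).strip()
    return adapters

def rogue_leases(text, authorized):
    """List adapters whose lease came from a DHCP server not in `authorized`."""
    return [{"adapter": name, **{k: f.get(k, "") for k in CLUES}}
            for name, f in parse_adapters(text).items()
            if f.get("DHCP Server") and f["DHCP Server"] not in authorized]

if __name__ == "__main__":
    for finding in rogue_leases(SAMPLE, AUTHORIZED_DHCP):
        print(finding)
```

The reported DHCP server address is the value to look up when walking the switch forwarding tables.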

