Help finding rogue DHCP server?

tdean Member Posts: 520
Hi guys, need some assistance here. There's a device handing out rogue IPs on our network and I can't find it. I ran the app DHCPHelper and it found nothing at all. Our internal IP scheme is 172.22.2.x with IPs being given out by our router, and every time I plug something in it gets a 192.168.20.x IP with the gateway and DHCP server IP listed as 192.168.20.1.

I checked out switches, router, wireless APs and firewalls to see if DHCP was enabled and found nothing. Any ideas?

Comments

  • sratakhin Member Posts: 818
    Check all users' cubicles. I once saw the same problem; it turned out that someone had plugged in a wireless router in their cubicle. Also, you can trace the cables from your switches after looking at MAC address tables.
  • swild Member Posts: 828
    If you are able, just temporarily block the rogue DHCP address until you can hunt it down. I had this happen recently and we have a reporting tool at work that tells us lots of info about all connected machines. I did a quick search for IP and Machine Name, found who the machine is registered to and disconnected their port at the switch. Never had to leave my chair and the crisis was diverted in about 60 seconds. Then of course, I have to go out and investigate the machine, and power-cycle all the printers that were jacked up.
  • TBev0 Member Posts: 23
    What happens when you pick up an address from this DHCP server and then put its address into your web browser or try to connect via ssh/telnet?

    Also, out of curiosity, how many hosts do you have on your network?
  • MAC_Addy Member Posts: 1,740
    If I were you I'd plug in a spare computer/laptop and get the address via DHCP... log in to the rogue router (I can almost guarantee that it's set up with the default username/password) and disable DHCP; this will solve the first issue. Then after that, go around with your taser and find the culprit.
    2017 Certification Goals:
    CCNP R/S
  • TBev0 Member Posts: 23
    Try 'arp -a' from a cmd prompt to get the MAC address once you've picked up a DHCP address from this server. Then if you have Cisco switches you could run 'show mac-address-table' to see what port it's plugged into on the switch, then trace back to the patch port number.
  • YFZblu Member Posts: 1,462
    Agree with above.
  • tdean Member Posts: 520
    Hey guys, thanks for all the suggestions. I lucked out on this one... it was an app on our network monitoring machine. I suspected it for some reason and unplugged it... released my IP on my laptop and I'm getting it from the router. I think it was the TFTP or IP scan software doing it because that's the only thing that changed.

    Thanks again guys, I'll be saving these notes for another time!
  • demonfurbie Member Posts: 1,819
    Hopefully there won't be another time.
    wgu undergrad: done ... woot!!
    WGU MS IT Management: done ... double woot :cheers:
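
The lookup TBev0 describes above (rogue gateway IP to MAC via 'arp -a', then MAC to switch port via 'show mac-address-table'), as an added Python example that is not part of the original thread. The sample command output, MAC addresses and port names are constructed, and the `uplink_threshold` heuristic (a port with several learned MACs is probably an uplink, so keep tracing on the next switch) is an assumption.

```python
import re

ROGUE_IP = "192.168.20.1"  # rogue DHCP server / gateway address from the thread
# Constructed sample output: the MACs and port names are made up.
ARP_OUTPUT = """\
Interface: 192.168.20.57 --- 0xb
  Internet Address      Physical Address      Type
  192.168.20.1          00-1a-2b-3c-4d-5e     dynamic
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    001a.2b3c.4d5e    DYNAMIC     Fa0/14
   1    0050.56aa.0001    DYNAMIC     Gi0/1
   1    0050.56aa.0002    DYNAMIC     Gi0/1
   1    0050.56aa.0003    DYNAMIC     Gi0/1
"""
# One table row: vlan, dotted MAC, type, port. Header and rule lines do not match.
ROW = re.compile(r"\s*\S+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)

def normalize_mac(mac):
    """Reduce any common MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def mac_for_ip(arp_text, ip):
    """Return the MAC that Windows `arp -a` lists for ip, or None."""
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == ip:
            return normalize_mac(fields[1])
    return None

def locate(mac_table_text, mac, uplink_threshold=3):
    """Return (port, macs_on_port, likely_uplink) for mac, or None."""
    ports, hit = {}, None          # ports: port -> set of MACs learned on it
    for line in mac_table_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        entry, port = normalize_mac(m.group(1)), m.group(2)
        ports.setdefault(port, set()).add(entry)
        if entry == mac:
            hit = port
    if hit is None:
        return None
    count = len(ports[hit])
    return hit, count, count >= uplink_threshold
```

With the sample data, `locate(MAC_TABLE, mac_for_ip(ARP_OUTPUT, ROGUE_IP))` points at a single-MAC access port; a result with `likely_uplink` set means the same lookup should be repeated on the switch at the other end of that port.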