To expand on l0c0b0x's comment about using bootp.type == 2 as a filter: the bootp.type filter is only available in Wireshark/tshark. It is not available in tcpdump, which the contextual location of his comment inclined me to believe it was.
Tshark works perfectly for this.
We have our network divided up into numerous broadcast domains, each with their own Linux-based probe with a point of presence on the “local” broadcast domain and on an administrative subnet in one fashion or another. Tshark combined with ClusterSSH allows me to easily look for DHCP traffic or (anything else for that matter) on the further flung corners of the network.
This will find DHCP replies using Linux:
# ifconfig ethX promisc
# tshark -i ethX -n port 68 -R 'bootp.type == 2'
Detect Rogue DHCP server using MS Rogue DHCP Server detection tool
Tools below are provided by the DHCP team of Microsoft –
Spot Rogue DHCP server using Wireshark
4. acknowledge / DORA
- Install Wireshark & restart the machine
- Start Wireshark with no capture filter
- Go to the command prompt and type ipconfig /release and ipconfig /renew
- Save the trace file as roguedhcp.pcap
- Open the capture file – Add filter: bootp
- Target the DHCP Offer packet – this will be the template for the display filter
  Select the line with “DHCP Offer – Transaction ID xxx”
  View -> Packet Details
  Expand “Bootstrap Protocol”
  Move down, find and expand “Option: (53) DHCP Message Type”
  Right click on “DHCP: Offer (2)” -> Apply as Filter -> Selected
  The filter will now become: bootp.option.dhcp == 2
- On the menu bar, Statistics -> Endpoints
  Select the “IPv4” tab and tick “Limit to display filter”; the IPv4 addresses displayed will then be limited to the filter selected earlier
- There may be multiple unicast IPs and a single broadcast IP (i.e. 255.255.255.255); the unicast IPs should be the IPs of DHCP servers trying to allocate IPs to end hosts in the subnet
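The same check the Wireshark steps above perform by hand, as an added example that is not from the page or from any tool it names: parse raw BOOTP/DHCP payloads, keep only Offers (option 53 == 2, the bootp.type == 2 / bootp.option.dhcp == 2 of the filters above) and report any offering server that is not on an allow-list. The server address is taken from option 54 (Server Identifier) and falls back to the packet's source IP; the packets and addresses are constructed samples, not a capture.

```python
import struct
from ipaddress import IPv4Address

BOOTREPLY = 2                      # BOOTP op field for server-to-client messages
DHCP_OFFER = 2                     # option 53 value for a DHCP Offer
DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie at offset 236 of the BOOTP payload

def parse_dhcp(payload: bytes):
    """Parse a UDP payload as BOOTP/DHCP; return op, yiaddr and an options dict, or None."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:            # End option
            break
        if code == 0:              # Pad option has no length byte
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "yiaddr": str(IPv4Address(payload[16:20])), "options": options}

def find_rogue_offers(packets, authorized_servers):
    """packets: iterable of (src_ip, udp_payload). Returns offering server IPs not in the allow-list."""
    rogues = set()
    for src_ip, payload in packets:
        msg = parse_dhcp(payload)
        if msg is None or msg["op"] != BOOTREPLY:
            continue
        if msg["options"].get(53) != bytes([DHCP_OFFER]):
            continue                # only Offers identify a server handing out leases
        server_id = msg["options"].get(54)
        server = str(IPv4Address(server_id)) if server_id else src_ip
        if server not in authorized_servers:
            rogues.add(server)
    return rogues

def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Construct a minimal DHCP Offer payload (constructed test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x1234, 0, 0x8000)  # op..flags, 12 bytes
    hdr += bytes(4) + IPv4Address(yiaddr).packed + IPv4Address(server_ip).packed + bytes(4)
    hdr += bytes(16) + bytes(64) + bytes(128)   # chaddr, sname, file -> 236 bytes total
    opts = bytes([53, 1, DHCP_OFFER, 54, 4]) + IPv4Address(server_ip).packed + bytes([255])
    return hdr + DHCP_MAGIC + opts

# Constructed sample: one Offer from the legitimate server, one from an unknown host.
SAMPLE_PACKETS = [("192.168.1.1", build_offer("192.168.1.1", "192.168.1.50")),
                  ("192.168.1.77", build_offer("192.168.1.77", "192.168.1.51"))]
AUTHORIZED = {"192.168.1.1"}

if __name__ == "__main__":
    print("rogue DHCP servers:", find_rogue_offers(SAMPLE_PACKETS, AUTHORIZED))
```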
Prevent Rogue DHCP server by DHCP snooping
- Packet Pushers – CCNP Studies: Configuring DHCP Snooping — http://packetpushers.net/ccnp-studies-configuring-dhcp-snooping/
- Cisco – DHCP Snooping (on Catalyst 6500 Release 12.25X) http://www.cisco.com/en/US/docs/switches/lan/catalyst6500