Spot Rogue DHCP Server on Linux

Extract from – http://serverfault.com/questions/8526/how-do-i-find-if-there-is-a-rogue-dhcp-server-on-my-network

To expand on l0c0b0x‘s comment about using bootp.type == 2 as a filter. The bootp.type filter is only available in Wireshark/tshark. It is not available in tcpdump which the contextual location of his comment inclined me to believe.

Tshark works perfectly for this.

We have our network divided up into numerous broadcast domains, each with their own Linux-based probe with a point of presence on the “local” broadcast domain and on an administrative subnet in one fashion or another. Tshark combined with ClusterSSH allows me to easily look for DHCP traffic or (anything else for that matter) on the further flung corners of the network.

This will find DHCP replies using Linux:

# ifconfig ethX promisc
# tshark -i ethX -n port 68 -R 'bootp.type == 2'

Detect, Spot & Prevent Rogue DHCP server in your network

Detect Rogue DHCP server using MS Rogue DHCP Server detection tool

Tools below are provided by the DHCP team of Microsoft –
http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

Spot Rogue DHCP server using Wireshark

DHCP prcoess
1. discover
2. offer
3. request
4. acknowledge / DORA

  1. Install wireshark & restart machine
  2. Start wireshark with no capture filter
  3. Go to the command prompt and type ipconfig /release and ipconfig /renew
  4. Save the trace file as as roguedhcp.pcap
  5. Open the capture file – Add filter: bootp
  6. Target DHCP Offer Packet – this will be the template for display filter
    Select the line with “DHCP Offer – Transaction ID xxx”
    View -> Packet Details
    Expand “Bootstrap Protocol”
    move down, find and expand “Option: (53) DHCP Message Type”
    right click on “DHCP: Offer (2) -> Apply as Filter -> Selected
  7. On the menu bar, Statistics -> Endpoints
    filter will now become – bootp.option.dhcp == 2
    Select Tab “IPv4” and tick “Limit to display filter”, then IPv4 addresses displayed will be limited to the filter we selected earlier
  8. There may be multiple unicast IPs and single broadcast IP (ie 255.255.255.255), the unicast IPs should be the IPs of DHCP servers trying to allocate IP to endhosts in the subnet

Prevent Rogue DHCP server by DHCP snooping