DHCP

Status
Not open for further replies.

arpicom

MIS
Mar 7, 2006
9
CA
In my network somewhere I have a machine that is acting like a RAS server and it is getting all the free addresses from my Win 2000 DHCP server. How do I find out which computer that is? I want to stop that RAS service or set up the DHCP server to deny such requests.

Thanks,
Dan
 
Of the machines that got an address from the bogus server, if you look at, from the command prompt:

>ipconfig /all
and look at the field called "DHCP Server"

that should be the IP of the offender.

Looking at the ARP table, you can get the MAC address.
Most routers/switches can identify the port from the MAC.

gene
 
Maybe I wasn't clear enough...
There is no machine that has one of those IP addresses I am talking about. The issue is...a machine somewhere is 'reserving some addresses' besides its own for something else (don't know what for) and it is getting them from my dhcp server that serves the network. If I delete those addresses in dhcp and restart dhcp they are back again and I have 1 or two addresses left to lease (or none).

There is no MAC address for those IP addresses either. It only shows:
3139322e3136382e312e312e31323900
3139322e3136382e312e312e31333900
3139322e3136382e312e312e31343900
3139322e3136382e312e312e31353900
............. in the MAC column.
 
Any idea how to identify who that machine is?

 
I would run Ethereal on the DHCP server to see the MAC of the requestor.

gene
 
If you have a minute please give me some details. I can't find how to check for DHCP requests in Ethereal.
 
In the Info field, it should be "DHCP Discover" or "DHCP Request".

The source should be 0.0.0.0, the destination 255.255.255.255. The true Ethernet MAC address should be in this packet; expanding the fields on the frame, it should have Src:a.b.c.d.e.f Dst:a.b.c.d.e.f

gene

 
I know that, but how do I filter the packets to get the right one?
 
Wooo, here is the funny part. The problem comes from the DC itself. If I unplug the network cable and restart the DHCP service, I have the same problem. RAS is disabled; I looked around and I really don't know where else to look for this issue.
Any idea?
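
Added example, not part of the thread: a Python parser for a DHCP payload captured at the server that separates the hardware address (chaddr) from the client identifier (option 61), assuming the values shown in the MAC column are client identifiers the requester sent. The packet is constructed for illustration with a made-up hardware address; only the identifier bytes come from the thread.

```python
import struct

MAGIC = bytes.fromhex("63825363")   # DHCP magic cookie, precedes the options
MSG_TYPES = {1: "DISCOVER", 3: "REQUEST", 4: "DECLINE", 7: "RELEASE", 8: "INFORM"}

def fmt_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def describe_client_id(raw: bytes) -> str:
    """Heuristic rendering of an option 61 / lease unique-ID value."""
    if len(raw) == 7 and raw[0] == 1:        # type 1 (Ethernet) + 6-byte address
        return "mac " + fmt_mac(raw[1:])
    if len(raw) == 6:                        # bare 6-byte hardware address
        return "mac " + fmt_mac(raw)
    text = raw.rstrip(b"\x00")               # tolerate a trailing NUL terminator
    if text and all(0x20 <= c < 0x7F for c in text):
        return "ascii " + text.decode("ascii")
    return "hex " + raw.hex()

def parse_dhcp(payload: bytes) -> dict:
    """Extract hardware address, message type and client id from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP payload")
    hlen = min(payload[2], 16)               # chaddr is a 16-byte field at offset 28
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                  # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        opts[payload[i]] = payload[i + 2:i + 2 + payload[i + 1]]
        i += 2 + payload[i + 1]
    mtype = opts[53][0] if opts.get(53) else 0       # option 53 = message type
    return {"chaddr": fmt_mac(payload[28:28 + hlen]),
            "type": MSG_TYPES.get(mtype, str(mtype)),
            "client_id": describe_client_id(opts[61]) if 61 in opts else None}

# Constructed sample: a DHCPREQUEST carrying the first identifier from the thread.
THREAD_ID = bytes.fromhex("3139322e3136382e312e312e31323900")
SAMPLE = (struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x1234, 0, 0x8000,
                      b"", b"", b"", b"", bytes.fromhex("020000000001"), b"", b"")
          + MAGIC + bytes([53, 1, 3, 61, len(THREAD_ID)]) + THREAD_ID + b"\xff")

if __name__ == "__main__":
    print(parse_dhcp(SAMPLE))
```

The identifier from the thread is 16 bytes, too long to be a 6-byte Ethernet address, and decodes to printable ASCII followed by a NUL.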
 