Finding rouge dhcp server

[Mturner]

Hi all

i think we may have another dhcp server sitting on our network at some point during the day, probally a member of staff bringing in a laptop with ics enabled or something simular, is there tools avalible which can search for dhcp servers and give its netbios name or anything like that?

tia

Marc

 

[itsp1965]

I don't know of any specific tools, but have you tried performing a port scan on your subnet to look for machines that have the following ports opened?

DHCP Lease UDP:67,68
DHCP Manager TCP:135

 

[Mturner]

That may a good start, thanks for that ill give it a try monday

 

[ProfFate]

I've known people who have used SNORT to detect these kinds of things. I had forgotten about SNORT, until you asked this question. I might have to look into it again myself.

http://www.snort.org/

MikeL

 

[GlenJohnson]

What makes you think you have a rouge server?

Glen A. Johnson
"Fall seven times, stand up eight."
Proverb

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

 

[bcastner]

http://support.microsoft.com/?kbid=303351

 

[Beboen]

Use network monitor to scan for dhcp packets. Why do you think there's a rogue dhcp?