Recipe 14.18. Finding the DHCP Servers on a SubnetProblemYou want to find the DHCP Servers that are active on a particular subnet. This is useful if you believe there is a rogue DHCP Server causing problems for your clients. SolutionThe dhcploc command lets you see a computer's DHCP traffic for a broadcast domain. Simply pass in the IP address of the machine from which you are running the command: > dhcploc 192.168.32.24 You will not see any output from the command until it captures some DHCP traffic. You can try running ipconfig /renew to force some traffic to be generated. You can also press the "d" key when you have dhcploc running to have it generate a DISCOVER message. Here is some sample output from the command: 9:34:58 (IP)0.0.0.0 NACK (S)192.168.31.84 *** 9:36:38 (IP)192.168.190.130 OFFER (S)192.168.12.226 *** 9:36:38 (IP)192.168.196.231 ACK (S)192.168.13.53 9:36:53 (IP)192.168.196.231 ACK (S)192.168.13.53 9:37:05 (IP)192.168.196.234 OFFER (S)192.168.13.53 9:37:05 (IP)192.168.193.232 OFFER (S)192.168.12.198 9:37:06 (IP)192.168.190.132 OFFER (S)192.168.12.221 *** The first column contains a timestamp, the second column is the IP address of the target computer, the third is the DHCP request type, the fourth is the IP address of the DHCP Server, and the fifth is a flag that indicates whether the DHCP Server is authorized. If it is not authorized, you'll see three stars (***). In the previous output, you can see that 192.168.31.84, 192.168.12.226, and 192.168.12.221 are all unauthorized DHCP Servers. dhcploc can also send alerts if it detects an unauthorized server. This allows you to start dhcploc, leave it running, and let it proactively notify you when it discovers an unauthorized server. To do so, specify the /a: option followed by the list of users to alert as shown here: > dhcploc /a:"rallen" 192.168.32.24 Discussiondhcploc works by capturing all of the DHCP traffic it sees on the network. Since most DHCP traffic is sent via broadcast, every computer in the broadcast domain (e.g., all computers connected to a hub on a local segment), can look at DHCP traffic. Most computers simply discard the traffic unless it is destined for them, but dhcploc captures all DHCP traffic.
See AlsoRecipe 14.2 and MS KB 186462 (DHCPLOC Should Not Be Run from DHCP Servers) |