Tuesday, 21 May 2013

Finding rogue DHCP servers on a network in Linux

Need a way to see the DHCP server traffic on your network, for example to find a rogue DHCP server answering your clients? No problem. After going through a list of sites looking for an easy way to debug DHCP traffic, I finally found dhcpdump:

apt-get install dhcpdump (assuming you're running an apt-based distro)

To dump the traffic: dhcpdump -i eth1
To generate some DHCP traffic: dhclient -n eth0

Sample output when a server replies (the server IP in the Server identifier option and many other details are included; a rogue server shows up here as a reply whose Server identifier is not one of your known DHCP servers):

TIME: 2013-05-21 12:59:07.452
IP: 172.18.2.254 (0:4:ed:11:e3:a6) > 255.255.255.255 (ff:ff:ff:ff:ff:ff)
OP: 2 (BOOTPREPLY)
HTYPE: 1 (Ethernet)
 HLEN: 6
 HOPS: 0
  XID: f4bf0761
 SECS: 0
 FLAGS: 0
CIADDR: 0.0.0.0
YIADDR: 172.18.2.103
SIADDR: 0.0.0.0
GIADDR: 0.0.0.0
CHADDR: 00:18:4d:f0:b7:f4:00:00:00:00:00:00:00:00:00:00
 SNAME: .
 FNAME: .
OPTION:  53 (  1) DHCP message type         5 (DHCPACK)
OPTION:  54 (  4) Server identifier         172.18.2.254
OPTION:  51 (  4) IP address leasetime      259200 (3d)
OPTION:   1 (  4) Subnet mask               255.255.255.0
OPTION:   3 (  4) Routers                   172.18.2.254
OPTION:   6 (  4) DNS server                172.18.2.254
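The same check done programmatically, as an added example that is not part of the original post: it decodes a DHCP reply (here a constructed DHCPACK built from the fields in the dhcpdump output above, not a real capture) and reports the Server identifier when it is not in an allow-list of known DHCP servers. The allow-list address 172.18.2.1 is an assumption for illustration.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of the DHCP options
MSG_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
             5: "DHCPACK", 6: "DHCPNAK"}

def parse_dhcp(payload: bytes) -> dict:
    """Decode the BOOTP header and the DHCP options of one UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = str(IPv4Address(payload[16:20]))             # address offered to the client
    chaddr = payload[28:28 + hlen].hex(":")               # client hardware address
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:         # 255 = end option
        if payload[i] == 0:                               # 0 = pad option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get((opts.get(53) or b"\x00")[0], "unknown")
    server_id = str(IPv4Address(opts[54])) if 54 in opts else None   # option 54
    return {"op": op, "xid": f"{xid:08x}", "yiaddr": yiaddr, "chaddr": chaddr,
            "msg_type": msg_type, "server_id": server_id}

def unexpected_server(payload: bytes, allowed: set) -> Optional[str]:
    """Return the Server identifier of a DHCP reply that did not come from an allowed server."""
    pkt = parse_dhcp(payload)
    if pkt["op"] != 2 or pkt["msg_type"] not in ("DHCPOFFER", "DHCPACK", "DHCPNAK"):
        return None                                       # client message, nothing to judge
    return None if pkt["server_id"] in allowed else pkt["server_id"]

def sample_ack() -> bytes:
    """Constructed DHCPACK with the same fields as the dhcpdump output above (not a capture)."""
    ip = lambda s: IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0xF4BF0761, 0, 0)    # op htype hlen hops xid secs flags
    hdr += ip("0.0.0.0") + ip("172.18.2.103") + ip("0.0.0.0") * 2   # ciaddr yiaddr siaddr giaddr
    hdr += bytes.fromhex("00184df0b7f4") + b"\x00" * 10             # chaddr, padded to 16 bytes
    hdr += b"\x00" * 192                                            # empty sname (64) and file (128)
    opts = (b"\x35\x01\x05" + b"\x36\x04" + ip("172.18.2.254")      # type=DHCPACK, server identifier
            + b"\x33\x04" + struct.pack("!I", 259200)               # lease time 3d
            + b"\x01\x04" + ip("255.255.255.0") + b"\x03\x04" + ip("172.18.2.254")
            + b"\x06\x04" + ip("172.18.2.254") + b"\xff")           # DNS server, end option
    return hdr + MAGIC_COOKIE + opts

if __name__ == "__main__":
    # 172.18.2.254 is not in the (assumed) allow-list, so it is reported
    print(unexpected_server(sample_ack(), {"172.18.2.1"}))
```

To run this over live traffic, feed it the UDP payloads of packets on port 68 from a sniffer such as a raw socket or a pcap library and alert on every non-None result.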
