rogue dhcp server

By neal

In our satellite office we have about 50 machines on the local LAN. Out of nowhere it appears that someone inadvertently enabled ICS, which is causing havoc with our DHCP server. I'm wondering if there is a utility to locate what machine is running the ICS so that I can disable it. I am not onsite every day as it is 2 hours away from our main office. Any advice would be greatly appreciated.

Rogue DHCP server...

by scott_heath In reply to rogue dhcp server

If a device picks up an IP from this rogue server it will have the IP of the DHCP server listed when you run 'ipconfig /all'. Run 'nbtstat -A <ipaddress>' and you will have the hostname of the offending computer.

What if culprit is non-Windows system

by mahesh In reply to Rogue DHCP server...

What if the culprit is a non-Windows system?

I came across this problem, but solved it manually by disabling services on the Solaris server.

Excellent point...

by scott_heath In reply to What if culprit is non wi ...

The quickest way to find the source IP of the server is to use the ipconfig /all method. True, if the rogue device does not run NetBIOS (a non-Windows box) nbtstat will not help you. Another alternative is to go to the switch that is routing the subnet/VLAN that the rogue device is on and find the blade and port that has that IP communicating on it. Then back-trace the cable to the patch panel. If your building is well documented, or at least the jacks are numbered consecutively, you should be able to locate the rogue device rather quickly.

or Rogue router?

by 1bn0 In reply to rogue dhcp server

Someone may have tried installing a home wireless router so they could use their notebook with a wireless card on the network.
The router would be acting as a second DHCP server as well, causing the same type of problem.

May be causing dual NICs on DHCP server

by mahesh In reply to rogue dhcp server

If you have teamed NICs or 2 separate NICs (even if one is disconnected and not disabled) and both are on the same subnet, it can create such havoc. Please check it in Event Viewer in detail. Disable teaming or disable the unused NIC port on the DHCP server.

found solution thanks for all your help

by neal In reply to May be causing dual NICs ...

Hey everyone, thanks for everyone's input; this was a very odd problem. I found the MAC address of the "DHCP server" using Ethereal and then was able to determine that it belonged to someone's laptop in the organization. Someone had by accident or ignorance enabled ICS on the 1394 connection. This was the cause of all the problems. Once I had her disable that, everything was back to normal.
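The capture-based approach in the post above (reading the answering server's MAC address out of the DHCP traffic) can be scripted. The following is an added example, not part of the original thread: it parses raw Ethernet frames for DHCP server replies and reports every server identifier that is not on an allow-list. The allow-list address, the function names and the sample frames built by `build_reply` are constructed assumptions.

```python
import socket
import struct

AUTHORIZED = {"192.168.1.10"}               # assumption: the site's one real DHCP server
COOKIE = b"\x63\x82\x53\x63"                # magic cookie that precedes DHCP options
REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values only a server sends

def parse_dhcp_reply(frame):
    """Return (src_mac, server_ip, msg_type) for a DHCP server reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                              # not IPv4/UDP over Ethernet
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the IP header length
    bootp = frame[udp + 8:]
    if frame[udp:udp + 2] != b"\x00\x43" or bootp[236:240] != COOKIE:
        return None                              # not sent from UDP port 67, or not DHCP
    opts, i, found = bootp[240:], 0, {}
    while i + 1 < len(opts) and opts[i] != 255:  # 255 = end of options
        if opts[i] == 0:                         # 0 = pad byte, has no length field
            i += 1
            continue
        found[opts[i]] = opts[i + 2:i + 2 + opts[i + 1]]
        i += 2 + opts[i + 1]
    msg = (found.get(53) or b"\x00")[0]
    if msg not in REPLIES:
        return None                              # a client message such as DISCOVER
    sid = found.get(54, b"")                     # option 54 = server identifier
    server = socket.inet_ntoa(sid if len(sid) == 4 else frame[26:30])
    return frame[6:12].hex(":"), server, REPLIES[msg]

def find_rogues(frames, authorized=AUTHORIZED):
    """Map each unauthorized server IP to the source MACs seen answering as it."""
    rogues = {}
    for frame in frames:
        reply = parse_dhcp_reply(frame)
        if reply and reply[1] not in authorized:
            rogues.setdefault(reply[1], set()).add(reply[0])
    return rogues

def build_reply(src_mac, server_ip, msg_type=2):
    """Constructed sample frame: Ethernet + IPv4 + UDP + BOOTP reply, checksums zero."""
    sip = socket.inet_aton(server_ip)
    opts = bytes([53, 1, msg_type, 54, 4]) + sip + b"\xff"
    bootp = b"\x02\x01\x06\x00" + bytes(232) + COOKIE + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0) + sip + b"\xff" * 4
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00" + ip + udp

if __name__ == "__main__":                  # constructed capture: one good, one rogue
    print(find_rogues([build_reply("02:00:00:00:00:10", "192.168.1.10"),
                       build_reply("02:00:00:aa:bb:01", "192.168.0.1")]))
```

The MAC address returned for an unauthorized server is the value to look up in the switch's address table or the asset inventory, which works whether or not the device runs NetBIOS.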

DHCP Sentry = Detect Rogue DHCP Servers

by chip In reply to rogue dhcp server

You can also use a tool called DHCP Sentry to detect rogue DHCP servers. It also resolves the MAC of the rogue to aid in detection and removal.

http://www.sqlsecurity.com/Tools/CommercialTools/tabid/71/Default.aspx
