14.18. Finding the DHCP Servers on a Subnet
You want to find the DHCP Servers that are active on a particular subnet. This is useful if you believe there is a rogue DHCP Server causing problems for your clients.
The dhcploc command lets you see a computer's DHCP traffic for a broadcast domain. Simply pass in the IP address of the machine from which you are running the command:
> dhcploc 192.168.32.24
You will not see any output from the command until it captures
some DHCP traffic. You can try running
ipconfig /renew to force some traffic to be
generated. You can also press the "
d" key when you have dhcploc running to have it generate a
Here is some sample output from the command:
9:34:58 (IP)0.0.0.0 NACK (S)192.168.31.84 *** 9:36:38 (IP)192.168.190.130 OFFER (S)192.168.12.226 *** 9:36:38 (IP)192.168.196.231 ACK (S)192.168.13.53 9:36:53 (IP)192.168.196.231 ACK (S)192.168.13.53 9:37:05 (IP)192.168.196.234 OFFER (S)192.168.13.53 9:37:05 (IP)192.168.193.232 OFFER (S)192.168.12.198 9:37:06 (IP)192.168.190.132 OFFER (S)192.168.12.221 ***
The first column contains a timestamp, the second column is the IP address of the target computer, the third is the DHCP request type, the fourth is the IP address of the DHCP Server, and the fifth is a flag that indicates whether the DHCP Server is authorized. If it is not authorized, you'll see three stars (***). In the previous output, you can see that 192.168.31.84, 192.168.12.226, and 192.168.12.221 are all unauthorized ...