14.18. Finding the DHCP Servers on a Subnet

Problem

You want to find the DHCP Servers that are active on a particular subnet. This is useful if you believe there is a rogue DHCP Server causing problems for your clients.

Solution

The dhcploc command lets you see a computer's DHCP traffic for a broadcast domain. Simply pass in the IP address of the machine from which you are running the command:

> dhcploc 192.168.32.24

You will not see any output from the command until it captures some DHCP traffic. You can try running ipconfig /renew to force some traffic to be generated. You can also press the "d" key when you have dhcploc running to have it generate a DISCOVER message.

Here is some sample output from the command:

9:34:58 (IP)0.0.0.0        NACK      (S)192.168.31.84     ***
9:36:38 (IP)192.168.190.130 OFFER     (S)192.168.12.226   ***
9:36:38 (IP)192.168.196.231 ACK       (S)192.168.13.53
9:36:53 (IP)192.168.196.231 ACK       (S)192.168.13.53
9:37:05 (IP)192.168.196.234 OFFER     (S)192.168.13.53
9:37:05 (IP)192.168.193.232 OFFER     (S)192.168.12.198
9:37:06 (IP)192.168.190.132 OFFER     (S)192.168.12.221   ***

The first column contains a timestamp, the second column is the IP address of the target computer, the third is the DHCP request type, the fourth is the IP address of the DHCP Server, and the fifth is a flag that indicates whether the DHCP Server is authorized. If it is not authorized, you'll see three stars (***). In the previous output, you can see that 192.168.31.84, 192.168.12.226, and 192.168.12.221 are all unauthorized ...

Get Windows Server Cookbook now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.