Find the DHCP servers on your net

Categories: sysadmin

How often does this go wrong: multiple dhcp servers on your subnet? Because routers, accesspoints, modems boxes ALL have dhcp servers nowadays, a double or triple dhcp server in your network is not uncommon. But tools to identify which dhcp servers are available are not easy to find.

To identify that something might be wrong, you can use ipconfig on a windows cmd box:


C:\Documents and Settings\rvw.KOEKJE>ipconfig /all

Windows IP-configuratie

Ethernet-adapter LAN-verbinding:

Standaardgateway. . . . . . . . . : 10.237.147.2
DHCP-server . . . . . . . . . . . : 10.237.147.50
DNS-servers . . . . . . . . . . . : 213.51.129.37
213.51.144.37
etc

This shows you your CURRENT dhcp server, but if there are multiple dhcp servers running by accident, you will get an IP address from a RANDOM server!

Same with NETSH. The command NETSH DIAG SHOW DHCP only shows your CURRENT dhcp server and does not do a scan.
Even utilities that claim to do this, only show one or only the current dhcp. DHCPexplorer from nsasoft is such a fake application.

Fortunately there is a tool that comes standard with windows, called DHCPLOC. If it is not installed, you can find it on your windows CD under the \support\tools directory OR get it from
here

Give your current IP address as an argument to dhcploc, and press “d” (discover). Press d a few times to get a good view.


C:\WINDOWS>dhcploc 10.237.147.101
15:28:30 OFFER (IP)10.237.147.199 (S)10.237.147.50 ***Form
15:28:32 OFFER (IP)10.237.147.170 (S)10.237.147.1 ***
15:28:32 OFFER (IP)10.237.147.199 (S)10.237.147.50 ***
15:28:34 OFFER (IP)10.237.147.199 (S)10.237.147.50 ***
15:28:35 OFFER (IP)10.237.147.170 (S)10.237.147.1 ***
15:28:35 OFFER (IP)10.237.147.199 (S)10.237.147.50 ***
15:28:36 OFFER (IP)10.237.147.170 (S)10.237.147.1 ***
15:28:37 OFFER (IP)10.237.147.199 (S)10.237.147.50 ***
There! there is a rogue dhcp server running at IP 10.237.147.1 !!
So you know.

(the rogue dhcp server turned out to be a netopia dsl router, which only changes dhcp server settings after a REBOOT! Shame!)

Edit:
Another nice tool is DHCPFIND.EXE, from roadkil. Its free and works, and is a GUI tool, not a commandline tool. Only problem is that it does not show the dhcp server IP, so dhcploc is still the best utility for the job. If you want to try dhcpfind, look here

4 Responses to “Find the DHCP servers on your net”

  1. websitez 16 June 2012 at 02:25 #

    Terrific post however I was wanting to know if you could write a litte more on this topic? I’d be very thankful if you could elaborate a little bit further. Bless you!

  2. Boulder CO mold remediation 21 June 2012 at 11:33 #

    Do you mind if I quote a few of your posts as long as I provide credit and sources back to your website? My blog is in the exact same area of interest as yours and my visitors would genuinely benefit from a lot of the information you present here. Please let me know if this ok with you. Thanks!

  3. tanouye brown 26 September 2012 at 01:07 #

    hession wright

  4. Gino 17 January 2013 at 16:48 #

    I’m all over this. Good stuff – I’m pretty in-line with most of the things you stated. Going to show this along with my friends that are as well in to this.

Leave a Reply