
How do I find out if there is an unauthorized DHCP server on my network?


What is the best way to find out if there is an unauthorized DHCP server on my network?

I wonder how most administrators approach these types of problems. I found DHCP Probe by searching and thought about giving it a try. Does anyone have experience with it? (I'd like to know before I take the time to compile and install it).

Do you know of any useful tools or best practices for finding fake DHCP servers?





Reply:


One simple method is to run a sniffer like tcpdump/wireshark on a computer and send a DHCP request. If you see offers from anything other than your real DHCP server, you know you have a problem.







To summarize and complement some of the other answers:

Temporarily disable your production DHCP server and see if other servers are responding.

You can find out the IP address of the server by running on a Windows computer, and you can find out the MAC address by looking for that IP address.

Run on a Mac (or en1). See http://www.macosxhints.com/article.php?story=20060124152826491.

The DHCP server information is usually located in /var/log/messages.

Of course, disabling your production DHCP server might not be a good option.

Use a tool that specifically searches for fake DHCP servers

See http://en.wikipedia.org/wiki/Rogue_DHCP for a list of tools (many of which were listed in other answers).

Configure switches to block DHCP offers

Most managed switches can be configured to prevent unauthorized DHCP servers:


dhcpdump, which takes input from tcpdump and displays only DHCP-related packets. It helped me find a rootkited Windows machine posing as a fake DHCP server on our LAN.


The Wireshark / DHCP Explorer / DHCP Probe approaches are suitable for one-off or regular checks. However, I would recommend looking into DHCP snooping support on your network. This feature provides constant protection against unauthorized DHCP servers on the network and is supported by many different hardware providers.

Here are the features as specified in the Cisco documentation:

• Checks DHCP messages received from untrusted sources and filters out invalid messages.

• Rate-limits DHCP traffic from trusted and untrusted sources.

• Creates and maintains the DHCP Snooping Binding Database, which contains information about untrusted hosts with leased IP addresses.

• Uses the DHCP Snooping Binding Database to examine subsequent requests from untrusted hosts.



dhcploc.exe is the fastest and easiest way to do this on Windows systems. It is available in the XP Support Tools. The support tools are located on every OEM/Retail XP disc, but can also be found on the "recovery disks" provided by some OEMs. You can also download it from MS.

It's a simple command line tool. You run dhcploc {yourIPaddress} and then press the 'd' key to perform rogue detection. If you run it without pressing a key, it will display every DHCP request and reply. Press 'q' to exit.





Scapy is a Python-based packet crafting tool suitable for these sorts of tasks. Here is an example of exactly how this can be done.





To expand on l0c0b0x's comment about using as a filter: the bootp.type filter is only available in Wireshark/tshark. It's not available in tcpdump, which is what the contextual location of his comment had led me to believe.

Tshark works perfectly for this.

We have divided our network into numerous broadcast domains, each of which has its own Linux-based test host that is present in one way or another in the "local" broadcast domain and in an administrative subnet. With tshark in combination with ClusterSSH, I can easily search for DHCP traffic (or whatever) in the far corners of the network.

This finds DHCP responses on Linux:




Once you discover that there is a fake DHCP server on the network, the fastest way I found to fix it was this:

Send an email to the entire company saying:

"Which of you added a wireless router to the LAN, you killed the internet for everyone else"

Expect an embarrassed response, or the conflicting device will quickly go away :)


Disable the main DHCP server and (re)configure a connection.

If you are given an IP address, you have a rogue.

If you have Linux on hand, the standard DHCP client will tell you the IP address of the DHCP server (otherwise you can listen to the traffic to see where the DHCP response came from).




There are several options. If you are running a small network, the easiest is to turn off/disable/remove your DHCP server and then run ipconfig /renew or something similar on a client.

Another option would be to use the Wireshark packet capture/analyzer to examine your network traffic and find DHCP conversations. There is a lab worksheet on how to do this here.

There are also a number of applications such as DHCP Explorer and DHCP Probe, which you mentioned in your original post.



You could ping your networks and then compare that to the number of DHCP leases issued by your DHCP server.

You need to have a general idea of the number of static devices (router interfaces and printers), which will skew that number. However, this should be a quick and accurate way to identify them across multiple networks.


On Debian/Ubuntu you also have the option of using and/or with the help of e.g.

Use dhcpdump:

  • 1.a) run in a shell (eth0 or the name of your interface)
  • 1.b) start in another shell (does not have to run successfully)
  • 1.c) look in the output for information (it should be a nicely formatted, informative list with most of the details)

Option 2 if you don't want to use dhcpdump:

  • 2.a) run in a shell/window
    (optional: = disable timestamps // = disable name resolution, IP addresses only, no server names (use -nn on RHEL/CentOS))
  • 2.b) start in another shell (does not have to run successfully)
  • 2.c) stop the running tcpdump ()
  • 2.d) examine /tmp/my_file.txt with your favorite editor and look for things like ".53" (the default DNS port) / "NX" / "CNAME" / "A?" / "AAAA" -

* Side note: tcpdump and dhcpdump probably need to be installed first (e.g. :); dhcpdump depends on tcpdump


I recommend starting two terminals, one to monitor and one to send a request. Terminal1 shows the responses from all available DHCP servers including the MAC address. This example was run on Ubuntu:

Terminal1 (for monitoring):

sudo tcpdump -nelt udp port 68 | grep -i "boot.*reply"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:a6:80:f9:12:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 332: 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 290
00:23:cd:c3:83:8a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 590: 192.168.1.253.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 548

Terminal2 (to send a request):

sudo nmap --script broadcast-dhcp-discover -e eth0

Starting Nmap 7.01 ( https://nmap.org ) at 2019-10-13 21:21 EEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.228
|     DHCP Message Type: DHCPOFFER
|     IP Address Lease Time: 2h00m00s
|     Server Identifier: 192.168.1.1
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|_    Domain Name Server: 8.8.8.8, 8.8.4.4
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.94 seconds

The monitoring terminal is only needed to display all responses (nmap only displays the first response).
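The Scapy answer above and the two-terminal tcpdump/nmap answer both come down to the same check: look at every DHCPOFFER on the wire and compare its server identifier (DHCP option 54) with the servers you actually run. The following is an added example, not code from any of the posters: a small parser for raw BOOTP/DHCP payloads (the UDP payload on port 68, e.g. bytes(pkt[UDP].payload) from a scapy sniff) with an allow-list check. The sample offers are constructed in build_offer and reuse the two server addresses seen in the tcpdump output; the function and variable names are this example's own.

```python
# Added example (not from the thread): parse raw BOOTP/DHCP payloads and flag
# DHCPOFFERs whose server identifier (option 54) is not an approved server.
import ipaddress
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that starts the options field
BOOTREPLY = 2                       # BOOTP op code for server -> client messages
DHCPOFFER = 2                       # value of option 53 (DHCP message type)

def parse_dhcp(payload: bytes) -> dict:
    """Return op, yiaddr and the DHCP options (code -> raw value) of one payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op = payload[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # 'your' (offered) address
    options, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                # pad byte, no length field
            i += 1
            continue
        if code == 255:              # end of options
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "yiaddr": yiaddr, "options": options}

def rogue_offers(payloads, allowed_servers):
    """Return [(server_id, offered_ip)] for each DHCPOFFER not from an allowed server."""
    allowed = {str(ipaddress.IPv4Address(a)) for a in allowed_servers}
    rogues = []
    for p in payloads:
        try:
            pkt = parse_dhcp(p)
        except ValueError:           # non-DHCP or truncated payload: skip it
            continue
        opts = pkt["options"]
        if pkt["op"] != BOOTREPLY or opts.get(53) != bytes([DHCPOFFER]):
            continue                 # only offers matter here
        # A missing option 54 yields 0.0.0.0, which is never allowed, so it is flagged.
        server_id = str(ipaddress.IPv4Address(opts.get(54, b"\0\0\0\0")))
        if server_id not in allowed:
            rogues.append((server_id, pkt["yiaddr"]))
    return rogues

def build_offer(server_ip: str, yiaddr: str) -> bytes:
    """Constructed sample DHCPOFFER (test data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x1234, 0, 0)   # op..flags (12 bytes)
    hdr += b"\0" * 4 + ipaddress.IPv4Address(yiaddr).packed + ipaddress.IPv4Address(server_ip).packed
    hdr += b"\0" * 4 + b"\0" * 16 + b"\0" * 64 + b"\0" * 128          # giaddr, chaddr, sname, file
    opts = bytes([53, 1, DHCPOFFER, 54, 4]) + ipaddress.IPv4Address(server_ip).packed + b"\xff"
    return hdr + DHCP_MAGIC + opts

if __name__ == "__main__":
    seen = [build_offer("192.168.1.1", "192.168.1.228"), build_offer("192.168.1.253", "192.168.1.50")]
    print(rogue_offers(seen, ["192.168.1.1"]))   # the .253 offer is the rogue
```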
