
Help me find a rogue DHCP server!

kt

Diamond Member
I know we have a rogue DHCP server at one of our satellite offices. But the problem is I am troubleshooting this with one of the IT guys at the remote office and we are unable to find the physical location of that server. Is there any tool that will perhaps track down the MAC address of the interface that the DHCP server is running on? We used "dhcploc.exe" to figure out the IP address of the rogue DHCP server, but that doesn't really help us much. Any ideas?

The remote office is pretty small, only about 15 network devices connected to the network. The switch is an unmanaged switch, so we don't have the option to disable the rogue DHCP server with ACL permission.
 
You can use arp -a and then the IP address on the server to find the MAC address. (First ping the server, then arp it.)

Then if you had a Cisco switch you could do #show mac-address-table dynamic address 001e.0b33.bf29 to find what port it's connected to... If you can get your hands on a Cisco switch for the remote office for an hour or so you should be able to find it.
 
Umm, if you only have 15 devices on your network, wouldn't it be fairly easy to get the guy to go to the 15 locations and see what's plugged in?

Ohh yeah... do you suspect that it is an employee with a router? If so, you might be able to find it with a laptop with a Wi-Fi card (since most consumer routers are wireless), since you do not have a Cisco switch.
 
You could also look at the vendor code of the MAC address to see who makes it. Without security or management features in the switch you'll have to physically hunt around to find it. Or you could do the brute force thing - doing DHCP renews and then unplugging every node one at a time to see which cable it is. Then look at the neatly wired and properly labeled patch panel, then reference the wiring diagrams to find out exactly where the other end is.
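
Added example, not part of any post in this thread: a Python sketch that takes saved `arp -a` output plus the rogue server's IP (as found with dhcploc.exe) and returns the MAC in the dotted form the Cisco command above expects, along with the vendor-code prefix to look up. The sample outputs and IP addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed samples of `arp -a` output (Windows, then macOS layout). The IPs are
# made up; the MAC is the one in the Cisco command quoted in the thread.
WINDOWS_ARP = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.77          00-1e-0b-33-bf-29     dynamic
"""
MACOS_ARP = "? (192.168.1.77) at 0:1e:b:33:bf:29 on en0 ifscope [ethernet]\n"

IP_RE = re.compile(r"\(?(\d{1,3}(?:\.\d{1,3}){3})\)?")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{1,2}(?:[-:][0-9A-Fa-f]{1,2}){5})\b")


def normalize_mac(raw):
    """Return 12 lowercase hex digits, padding octets macOS prints without a leading zero."""
    return "".join(octet.zfill(2) for octet in re.split(r"[-:]", raw.lower()))


def parse_arp_table(text):
    """Map each IP in `arp -a` output (Windows or Unix layout) to its normalized MAC."""
    table = {}
    for line in text.splitlines():
        mac = MAC_RE.search(line)
        if not mac:
            continue
        ip = IP_RE.search(line[:mac.start()])
        if ip:
            table[ip.group(1)] = normalize_mac(mac.group(1))
    return table


def describe(text, rogue_ip):
    """Return the forms of the rogue server's MAC needed for the follow-up steps."""
    mac = parse_arp_table(text).get(rogue_ip)
    if mac is None:
        return None  # no ARP entry yet: ping the address, then capture arp -a again
    return {
        "cisco": ".".join(mac[i:i + 4] for i in range(0, 12, 4)),
        "oui": "-".join(mac[i:i + 2] for i in range(0, 6, 2)).upper(),
        # Bit 0x02 of the first octet marks a locally administered (software-set)
        # MAC, for which the vendor code says nothing about the hardware.
        "vendor_lookup_meaningful": not (int(mac[:2], 16) & 0x02),
    }


if __name__ == "__main__":
    print(describe(WINDOWS_ARP, "192.168.1.77"))
```

The ARP entry only exists on a machine in the same subnet as the rogue server, so the `arp -a` output has to be captured at the remote office.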
 