How to find other illegal DHCP servers in the Network

Source: Internet
Author: User

http://blog.platinum.net.cn/index.php?op=ViewArticle&articleId=78&blogId=1

Yesterday, Heavy Snow (the QQ nickname of a CU member) asked a question in the group: someone on his network had set up their own DHCP server, and it disrupted DHCP address allocation across the whole network. Because the switch has no management features, it was hard to deal with, and some people even had the idea of "pulling the network cable" (who knows who it was, also a CU member).

After some thought, I came up with a clever way to find the other, illegal DHCP servers in the network. Having tested it, I am writing it up to share with everyone.

Because the DHCP protocol works at Layer 2, you cannot find an illegal DHCP server in the network by its source and destination IP addresses. If there are several DHCP servers in the network at the same time and your switch does not block DHCP traffic, the network is in real danger (this is also the case in my community: if I set up a DHCP server, I see many assigned IP addresses in /var/lib/dhcp/dhcpd.leases).

Instead, we can use tcpdump to capture the packets and determine the other party's MAC address. By default, tcpdump only decodes from Layer 3 up, so you see the IP header and the Layer-4 headers (TCP/UDP) but no MAC addresses.

tcpdump has the -e option for exactly this:

    -e      Print the link-level header on each dump line.

That is the first key point. The other key point is the port: the DHCP protocol uses UDP/67. With these two points understood, capture the packets and check the MAC addresses.

Once you have the MAC address, you can use arp -n to see its IP address. Then block that MAC address on the gateway and make its owner "surrender". ^_^

    [root@platinum root]# tcpdump -e -i eth1 -nn port 67 -c 3 2>&1 | awk '/bootp/{print $2" --> "$3}'
    0:0c:85:ad:e5:af --> ff:ff:ff:ff:ff:ff
    e7:0a:19:80:03:09 --> 0:0c:85:ad:e5:af
    0:0c:85:ad:e5:af --> e7:0a:19:80:03:09
    [root@platinum root]#
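Taking the idea one step further, here is an added example (not the original author's code) that automates the MAC check: it reads tcpdump -e -nn output for port 67 and reports every host that answers from UDP port 67 with a MAC other than the authorized DHCP server's. It assumes the line format printed by current tcpdump versions; the MAC and IP values in the embedded sample capture are constructed.

```shell
#!/bin/sh
# Added example: flag DHCP server replies from an unexpected MAC address.
# Input format assumed: `tcpdump -e -nn -i <if> port 67` (modern tcpdump).

# MAC of the legitimate DHCP server (constructed value; replace with your own).
AUTHORIZED_DHCP_MAC="00:11:22:33:44:55"

# Constructed sample capture: a client DISCOVER broadcast, a reply from the
# legitimate server, and a reply from an unknown host on the same segment.
SAMPLE_CAPTURE='12:00:00.000001 08:00:27:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 08:00:27:aa:bb:01, length 300
12:00:00.000500 00:11:22:33:44:55 > 08:00:27:aa:bb:01, ethertype IPv4 (0x0800), length 342: 192.168.1.1.67 > 192.168.1.50.68: BOOTP/DHCP, Reply, length 300
12:00:00.000700 00:aa:bb:cc:dd:ee > 08:00:27:aa:bb:01, ethertype IPv4 (0x0800), length 342: 192.168.1.254.67 > 192.168.1.200.68: BOOTP/DHCP, Reply, length 300'

# find_rogue_dhcp reads tcpdump -e -nn lines on stdin and prints "MAC IP" once
# for every DHCP server reply (UDP source port 67) whose source MAC is not $1.
find_rogue_dhcp() {
    awk -v ok="$1" '
        # Only frames sent from UDP port 67 to 68 are server replies; client
        # requests travel from 68 to 67 and are skipped.
        / [0-9.]+\.67 > [0-9.]+\.68: / {
            mac = $2                       # with -e the source MAC is field 2
            if (mac == ok) next
            # the server IP is the IPv4 address immediately before ".67 >"
            if (match($0, / [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.67 > /)) {
                ip = substr($0, RSTART + 1, RLENGTH - 1)
                sub(/\.67 > $/, "", ip)
                if (!(mac in seen)) { seen[mac] = 1; print mac, ip }
            }
        }'
}

# Live use: tcpdump -e -nn -l -i eth1 port 67 | find_rogue_dhcp "$AUTHORIZED_DHCP_MAC"
printf '%s\n' "$SAMPLE_CAPTURE" | find_rogue_dhcp "$AUTHORIZED_DHCP_MAC"
```

On the sample it prints the unknown server's MAC and the IP it hands out leases from, which is what you then look up with arp -n and block on the gateway.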
