A couple notes: When this happens, you can be sure the rogue DHCP server is somewhere within your building, due to the way routing works on campus. There are a couple minor exceptions, but for a general rule, that works. If you're unable to locate it given the information returned, do call the ACNS Help Desk at 432-6200, and they can enter the information in a problem report. They're pretty familiar with the process - we have received at least 40 such complaints over the past couple weeks, including 2-3 in staff/academic areas. We can often confirm the presence of a rogue server through our logs, and can trace it to the switch port within the building, at least for the buildings where we manage the internal network, which is a large majority. Doug On Wed, Aug 31, 2005 at 05:26:28PM -0400, STeve Andre' wrote: > Thanks to all for their suggestions. For the life of me, I did not see the > line in ipconfig that showed where the DHCP server was. Now that I > have that, I can hunt it down, next time it appears. It's gone, now... > > Thanks again for all the ideas. > > --STeve Andre > Political Science > > On Tuesday 30 August 2005 17:50, George J. Perkins wrote: > > On Tue, 30 Aug 2005, STeve Andre' wrote: > > > A user told me they couldn't get on the net after lunch today. > > > When they booted up they wern't on the net. > > > > > > Looking at the machines IP address I see 192.168.1.x. Doing > > > a release and then renew usually, but not always results in getting > > > the proper 35.10 address. > > > > > > I'll bet that its a student machine, or someone installed a wireless > > > access point backwards, etc. My question is, whats the best way > > > to hunt it down? > > > > > > Thanks, STeve Andre' > > > Political Science > > > > It depends on what OS the mis-directed system is running. > > > > If it is Windows XP, open a text window (Start > Run > "cmd", if it's not > > in a menu somewhere) and type "ipconfig /all" -- along with the bogus IP > > address it's received, there will be an entry for "DHCP Server" -- the IP > > address of the system which gave it that IP address. You may then possibly > > be able to ping that IP address, and if it responds, the MAC address may be > > in your arp table ("arp -a", both under WinXP and Linux/ Unix). Doug > > Nelson or other ACNS network folks might then be able to tell where in your > > building (plus or minus) this MAC address is connected. This won't always > > work for various reasons, but it works often enough to be worth a try. > > > > I think Windows 2000's "ipconfig /all" also lists "DHCP Server" but I have > > no readily available test system just now. > > > > There are DHCP tools available under Linux, one of which, "dhclient", has > > a debugging mode, set by command line flags, where it will send out a DHCP > > request and then lists the responses it gets without actually acting upon > > them. There may be other similar tools for Linux and for the various other > > BSD and Unix flavors. I found this handy once in a case where the campus > > DHCP server _usually_ beat the rogue DHCP server to issuing the address, > > so the false IP assignments were really rare and random, but this tool > > allowed me to see both responses, quick (campus) and slow (rogue), for a > > given DHCP request. -- Doug Nelson, Network Manager | [log in to unmask] Academic Computing and Network Services | Ph: (517) 353-2980 Michigan State University | http://www.msu.edu/~nelson/