Locate rogue DHCP server [duplicate]

Try to nmap it using the -O to detect the operating system, may give you a better idea of what server it is? Also running a standard port scan might help figure out what it is

The fact that you can't ping it isn't a problem.

(This procedure is mostly for managed switches, in the case of your dumb switches, it isn't as helpful, since you can't inspect the cam table... but anyway.)

1. run ipconfig /all(or look at syslog), note the IP address listed for "DHCP Server". Generally this is the same as the default gateway.
2. attempt to ping this ip address, ignore the result.
3. run arp -a. The mac address listed for the IP is your rogue DHCP server.

So, in your case, you can't follow this up with locating the switchport and disabling it, but you could have at least looked up the mac address vendor and would have found that the vendor was something like vmware or virtualbox.

If you have a box lying around, you can install https://roguedetect.bountysource.com/ on it, which will notify you if a problem like this occurs in the future.

Well, you can always try to ping the crap out of it and check the blinky lights on the routers. =P

Does traceroute show you anything?

I know this has already been solved but another means, when you really can't find the machine (knowing it's a VM doesn't tell you what host it's on) is to keep sending it DHCP requests and unplug each cable in turn till it shuts up. Sometimes you just have to get back to crude basics.