Unknown local router stealing DHCP requests [duplicate]

If you have an Apple handy, do a tcpdump:

tcpdump -ni en0

Then plug in the Ethernet port and look for the DHCP reply:

15:40:23.226008 IP 10.0.150.150.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300

Assuming the wrong DHCP server has responded, you now have its IP: 10.0.150.150


Next you need the DHCP server's MAC address:

arp -an | grep 10.0.150.150

This will give you the MAC address of the DHCP router:

? (10.0.150.150) at c0:9c:33:b1:b3:a1 on en0 ifscope [ethernet]

Assuming you have managed switches, you can log in and dump the mapping of MACs to ports. Simply unplug the offender and wait until someone comes to tell you they are down.


If your switches are not managed, it's well worth upgrading, but if that's not an option just ping the IP from the earlier step:

ping 10.0.150.150

Pull wires until the ping stops.
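
The capture-and-identify steps in the answer above can be scripted. This is an added example, not part of the original answer: it reads `tcpdump -n` text output and lists every DHCP reply source that is not on an allow-list, with a reply count. The function names, the legitimate server address 10.0.150.1 and the sample capture lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list DHCP servers seen replying that are NOT on an allow-list.
# Reads the text output of `tcpdump -n` on stdin.

rogue_dhcp_servers() {
    # "$@" = IPs of the legitimate DHCP servers (assumed known to the admin)
    awk -v allowed="$*" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only server-to-client traffic: "BOOTP/DHCP, Reply"
        $2 == "IP" && /BOOTP\/DHCP, Reply/ {
            src = $3
            # tcpdump -n prints "a.b.c.d.port"; a server replies from port 67
            if (src !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.67$/) next
            sub(/\.67$/, "", src)          # strip the port, keep the IP
            if (!(src in ok)) count[src]++ # count replies per unknown server
        }
        END { for (ip in count) print ip, count[ip] }
    ' | sort
}

# Constructed sample capture; the second line is the reply shown in the answer.
sample_capture() {
    cat <<'EOF'
15:40:21.101000 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:11:22:33:44:55, length 300
15:40:23.226008 IP 10.0.150.150.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:40:23.301000 IP 10.0.150.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:40:29.500000 IP 10.0.150.150.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
EOF
}

# Demo run on the sample: prints each unexpected server and its reply count.
sample_capture | rogue_dhcp_servers 10.0.150.1
```

On a live network, feed it a bounded capture so the summary is printed when the capture ends, for example `tcpdump -ni en0 -c 200 'udp port 67 or udp port 68' | rogue_dhcp_servers 10.0.150.1`.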


You can track down the user using the techniques others have mentioned, but even better would be if you can prevent this from ever happening again.

For example, on a Cisco switching infrastructure you should be able to use DHCP snooping to prevent this happening in future. Other switch brands may have similar features.


A normal user physically connected on the network can set up a DHCP server using (for example) Windows Server 2008 on a VMware machine from his laptop and steal the DHCP requests of other clients.

If this is the case, in the IPv4 properties change the alternate DNS IP address to the real DNS server.