Rogue DHCP Server Can’t be found

On one of the affected Windows clients, start a packet capture (Wireshark, Microsoft Network Monitor, Microsoft Message Analyzer, etc.), then from an elevated command prompt run ipconfig /release. The DHCP client will send a DHCPRELEASE message to the DHCP server that it obtained its IP address from. This should allow you to obtain the MAC address of the rogue DHCP server. You can then look that MAC address up in your switch MAC address table to find out which switch port it’s connected to, and trace that switch port to the network jack and the device plugged into it.
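As an added example (not part of the original post), the following Python code shows what to read from the captured DHCPRELEASE frame: the Ethernet destination MAC and the Server Identifier (option 54). The frame bytes and all addresses are constructed sample values, and the function names are this example's own.

```python
import socket
import struct

DHCPRELEASE = 7                 # value of option 53 (message type) for RELEASE
MAGIC = b"\x63\x82\x53\x63"     # DHCP magic cookie that precedes the options

def build_sample_release():
    """Constructed DHCPRELEASE frame; every address here is a made-up sample."""
    eth = bytes.fromhex("02aabbccddee" "021122334455" "0800")  # dst, src, IPv4
    opts = bytes([53, 1, DHCPRELEASE, 54, 4, 192, 168, 1, 254, 255])
    bootp = (bytes([1, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(4)
             + socket.inet_aton("192.168.1.50") + bytes(12)
             + bytes.fromhex("021122334455") + bytes(10) + bytes(192)
             + MAGIC + opts)
    udp = struct.pack("!HHHH", 68, 67, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 128, 17, 0,
                     socket.inet_aton("192.168.1.50"),
                     socket.inet_aton("192.168.1.254"))  # checksums left at 0
    return eth + ip + udp

def parse_release(frame):
    """Return (dst_mac, server_id) for a DHCPRELEASE frame, otherwise None."""
    if len(frame) < 282 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
        return None                              # too short, not IPv4, not UDP
    udp = 14 + (frame[14] & 0x0F) * 4            # honour the IPv4 header length
    if struct.unpack("!HH", frame[udp:udp + 4]) != (68, 67):
        return None                              # not client -> server DHCP
    i = udp + 8 + 236                            # skip UDP and fixed BOOTP header
    if frame[i:i + 4] != MAGIC:
        return None
    i, options = i + 4, {}
    while i + 1 < len(frame) and frame[i] != 255:    # 255 = end option
        if frame[i] == 0:                            # 0 = pad option, no length
            i += 1
            continue
        options[frame[i]] = frame[i + 2:i + 2 + frame[i + 1]]
        i += 2 + frame[i + 1]
    if options.get(53) != bytes([DHCPRELEASE]):
        return None
    dst_mac = ":".join(f"{b:02x}" for b in frame[0:6])
    sid = options.get(54)                            # Server Identifier
    return dst_mac, socket.inet_ntoa(sid) if sid and len(sid) == 4 else None

if __name__ == "__main__":
    print(parse_release(build_sample_release()))
```

The destination MAC is the server's own only when the server sits on the same layer 2 segment as the client; if the release is routed, the frame carries the gateway's MAC and the Server Identifier is the value to follow.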
