How to detect multiple DHCP servers on a network using Wireshark and Ubuntu

We just had a problem with our DHCP server and there seems to be another DHCP server on the network. To find the problem I used Wireshark on my Ubuntu machine.

1 – Install Wireshark

sudo apt-get install wireshark

2 – Launch Wireshark with permission to read the network interfaces.
You can either do this by running Wireshark as root (which is really not recommended, but a quick hack if you need to get the job done), or you can give your user permission to read the interfaces, which is much better in the long term.

2.1 – To give your user permission to capture on the network interfaces, do the following:

sudo dpkg-reconfigure wireshark-common

This will ask you the following question. Answer Yes.

[Screenshot: giving Wireshark permission to read network interfaces]

This creates a group called wireshark, and anyone in this group can capture network traffic on the interfaces.

2.2 – Add your user to the wireshark group.

sudo adduser $USER wireshark

2.3 – Log out and log back in
For your new group membership to take effect, you need to log out and then log in again. Alternatively, you can just restart your computer.

3 – Start Capturing With Wireshark
Launch Wireshark either from your launcher or by running “wireshark” in a terminal. On the start screen you should see a list of interfaces on the left hand side. Select the interface you would like to capture data from and press the start button.

[Screenshot: The Wireshark Network Analyzer start screen, Wireshark 1.10.2]

4 – Filtering For “bootp” messages
You can then filter Wireshark to show only DHCP messages by typing “bootp” into the filter bar and clicking Apply. DHCP is carried in BOOTP messages, which is why the dissector has this name in Wireshark 1.x; in Wireshark 3.0 and later the dissector is called “dhcp”, so use that filter instead.

[Screenshot: Capturing from eth0 (Wireshark 1.10.2) with the bootp filter applied]

5 – Find all the offer packets
If there is more than one DHCP server on the network, each client Discover will be answered by more than one Offer, so you will see multiple Offer packets. To filter for these, bring up the packet details pane:

click View -> Packet Details

This will show the packet details below the message list like so.

[Screenshot: Capturing from eth0 (Wireshark 1.10.2) with the packet details pane shown]

You should then go into “Bootstrap Protocol” -> “Options: DHCP Message Type” and right click on “DHCP: Offer” and select “Apply As Filter”.

This filters the capture down to DHCP Offers only, and the source IP and MAC address of each Offer show you which servers are answering on the network. With a single, correctly configured DHCP server, every Offer should come from the same address; Offers from a second address are the server you are looking for.
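As an added example (not part of the original post), the same check done programmatically: a small parser for the BOOTP/DHCP message format that pulls the DHCP Message Type (option 53) and Server Identifier (option 54) out of each packet and counts Offers per server. It assumes you have the raw UDP payload of each bootp frame (for example exported from Wireshark); the packets below are constructed samples, not from a real capture.

```python
import struct
from collections import Counter
# DHCP/BOOTP constants (RFC 2131, RFC 2132)
BOOTREPLY, DHCP_OFFER, DHCP_ACK = 2, 2, 5
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MAGIC_COOKIE = b"\x63\x82\x53\x63"  # DHCP options start right after this, at offset 236

def ip4(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def parse_dhcp(payload: bytes) -> dict:
    """Parse the UDP payload of a BOOTP/DHCP message into fixed fields and TLV options."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:  # one-byte padding, no length field
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2 : i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": ".".join(map(str, payload[16:20])), "options": options}

def offering_servers(payloads) -> dict:
    """Count DHCP OFFERs per Server Identifier; more than one key means more than one server."""
    seen = Counter()
    for p in payloads:
        msg = parse_dhcp(p)
        if msg["op"] == BOOTREPLY and msg["options"].get(OPT_MSG_TYPE) == bytes([DHCP_OFFER]):
            sid = msg["options"].get(OPT_SERVER_ID)  # option 54 should be present on every OFFER
            seen[".".join(map(str, sid)) if sid else "unknown"] += 1
    return dict(seen)

def build_reply(xid: int, yiaddr: str, server_id: str, mtype: int) -> bytes:
    """Construct a minimal BOOTREPLY for the demo (constructed sample data, not a real capture)."""
    fixed = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, xid, 0, 0)  # op, htype, hlen, hops, xid, secs, flags
    fixed += bytes(4) + ip4(yiaddr) + ip4(server_id) + bytes(4)  # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes(16 + 64 + 128) + MAGIC_COOKIE  # chaddr, sname, file, then the cookie
    opts = bytes([OPT_MSG_TYPE, 1, mtype, OPT_SERVER_ID, 4]) + ip4(server_id) + bytes([OPT_END])
    return fixed + opts

# Constructed sample: one client transaction answered by two different servers, plus a later ACK
SAMPLE_CAPTURE = [
    build_reply(0x3903F326, "192.168.1.50", "192.168.1.1", DHCP_OFFER),
    build_reply(0x3903F326, "192.168.1.200", "192.168.1.254", DHCP_OFFER),  # second, unexpected server
    build_reply(0x3903F326, "192.168.1.50", "192.168.1.1", DHCP_ACK),  # not an OFFER, ignored
]
```

offering_servers(SAMPLE_CAPTURE) returns {'192.168.1.1': 1, '192.168.1.254': 1}; a result with more than one key is the programmatic equivalent of seeing Offers from two addresses in the filtered Wireshark view.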

Great YouTube Video Tutorial
There is also a good Wireshark DHCP tutorial on YouTube which shows this in action. It is a Windows-focused tutorial but explains the general concepts really well.

I hope this helps someone. Let me know if you have any suggestions for how this tutorial can be improved.