We just had a problem with our DHCP server, and there seems to be another DHCP server on the network. To find it, I used Wireshark on my Ubuntu machine.
1 – Install Wireshark
sudo apt-get install wireshark
2 – Launch Wireshark with permissions to read the network interfaces.
You can either do this by running Wireshark as root (which is really not recommended, but a quick hack if you need to get the job done), or you can give your user permission to read the interfaces, which is much better in the long term.
2.1 – To give your user permission to capture network interfaces do the following:
sudo dpkg-reconfigure wireshark-common
This will ask you whether non-superusers should be able to capture packets. Answer Yes.
This creates a group called wireshark and anyone in this group can capture network data on the interface.
2.2 – Add your user to the wireshark group.
sudo adduser $USER wireshark
2.3 – Log out and log back in
For your group permissions to change, you need to log out and then log in again. Alternatively, you can just restart your computer.
3 – Start Capturing With Wireshark
Launch Wireshark either from your launcher or by running “wireshark” in a terminal. On the start screen you should see a list of interfaces on the left-hand side. Select the interface you would like to capture data from and press the start button.
4 – Filtering For “bootp” messages
You can then make Wireshark show only DHCP messages by typing “bootp” into the filter box and clicking Apply.
5 – Find all the offer packets
If you have multiple DHCP servers, you will have multiple offer packets. You can filter the messages by bringing up the packet details:
click View -> Packet Details
This will show the packet details below the message list.
You should then go into “Bootstrap Protocol” -> “Options: DHCP Message Type” and right click on “DHCP: Offer” and select “Apply As Filter”.
This will then filter for all DHCP offers, and you will be able to see which servers are responding on the system.
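The same check as steps 4 and 5, done in code on raw DHCP payloads (the UDP data on ports 67/68): read the message type (option 53) and server identifier (option 54) and list every server that sent an offer but is not on your allowlist. This is an added example, not part of the original post; the function names, the allowlist and the sample packets (documentation addresses from 192.0.2.0/24) are constructed for illustration.

```python
import socket
from collections import defaultdict

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # precedes the options in every DHCP message
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2

def parse_dhcp(payload):
    """Return (message_type, server_id, offered_ip), or None if payload is not DHCP."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    offered_ip = socket.inet_ntoa(payload[16:20])  # yiaddr: address offered to the client
    msg_type = server_id = None
    i = 240
    while i + 1 < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:  # pad option is a single byte with no length
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]  # shorter than length if truncated
        if code == OPT_MSG_TYPE and len(value) == 1:
            msg_type = value[0]
        elif code == OPT_SERVER_ID and len(value) == 4:
            server_id = socket.inet_ntoa(value)
        i += 2 + length
    return msg_type, server_id, offered_ip

def unexpected_offer_servers(payloads, authorized):
    """Map each server identifier not in `authorized` to the addresses it offered."""
    offers = defaultdict(list)
    for payload in payloads:
        parsed = parse_dhcp(payload)
        if parsed and parsed[0] == DHCPOFFER and parsed[1] not in authorized:
            offers[parsed[1]].append(parsed[2])
    return dict(offers)

def build_sample(msg_type, server_ip, offered_ip):
    """Constructed packet for the demo: BOOTREPLY header plus options 53 and 54."""
    header = bytes([2, 1, 6, 0]) + bytes(12) + socket.inet_aton(offered_ip) + bytes(216)
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
    return header + MAGIC_COOKIE + options

SAMPLES = [build_sample(2, "192.0.2.1", "192.0.2.50"),    # offer from the known server
           build_sample(2, "192.0.2.99", "192.0.2.150"),  # offer from a second server
           build_sample(5, "192.0.2.1", "192.0.2.50")]    # ACK, not an offer

if __name__ == "__main__":
    print(unexpected_offer_servers(SAMPLES, authorized={"192.0.2.1"}))
```

An offer that carries no server identifier is reported under the key None, so it still shows up for review.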
Great YouTube Video Tutorial
There is also a good Wireshark DHCP tutorial on YouTube which shows this in action. It is a Windows-focused tutorial, but it explains the general concepts really well.
I hope this helps someone. Let me know if you have any suggestions of how this tutorial can be improved.
Tshark usage would be nice
I don’t have much experience of this. How would you do it with tshark?