Help with Rogue DHCP/Computer Giving Out IPs

Cheeseluigi

Distinguished
Mar 24, 2011
17
0
18,510
I moved into university recently and had my internet set up; within a day the IT department shut off my Ethernet port, as they tracked IPs being handed out/assigned from there. It turns out that it's only my computer's MAC address that is doing it, and not my roommates', so the issue is not with our GigaFastEthernet EZ500-S Ethernet hub.

I have looked all over Google and elsewhere and I cannot seem to find a similar problem; the IT department basically will not let me access the internet until this rogue DHCP is fixed. I have scanned my computer with Kaspersky Pure 3.0 and it did not detect any viruses. I uninstalled Hamachi as well before it happened for the last time.

My computer is running Windows 7.

Being able to fix this is my #1 priority so any and all help would be very greatly appreciated! If you need anything, info, etc, please ask. This also never happened before with my previous in home Ethernet connection.
 
A normal Windows PC will not run as a DHCP server... unless you loaded ICS or something. A virus scanner will not find something like ICS or other networking software, since you would have intentionally installed it. This is mostly caused by a router being plugged in backwards.

The university must have very old equipment. Most newer equipment has a feature called DHCP snooping designed to solve exactly this issue.
 

Cheeseluigi

The problem is they told me the same thing, but there is no router that we're plugging in. It's just the Ethernet port to the hub and our computers to the hub. Although when I plugged my computer in directly they still had the same issue, so it's not the hub, I think. I'll call them today and ask if they can describe the issue that's occurring from their end.
 

Cheeseluigi

http://imgur.com/PiY7n30
I ran Wireshark for a while before they shut down my port again, and this is what I was mostly seeing coming from my computer's IP and MAC address.
 
Sorted like that, it pretty much just shows that that MAC, if it is yours, is just sending out ARPs. It is somewhat strange that you see 192.168.1.107 in the ARP entries.

I would put the string bootp in the filter box. This will limit the display to only those packets they are complaining about. If you do not see bootp packets then it is not your machine causing the issue.... You may see requests from other machines, but as long as your machine does not send an offer back it is not you.
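The two checks described in this thread, the "filter on bootp and see whether your MAC ever sends an OFFER" test above and the DHCP snooping feature mentioned in the earlier reply (server messages are only legitimate on a trusted switch port), can be expressed as a small script. The following is an added example written for this page, not code from the thread or from any vendor; the MAC addresses, switch port names and the captured frames are all constructed for illustration, and the payloads are bare BOOTP/DHCP UDP payloads rather than full Ethernet frames.

```python
"""Classify DHCP traffic the way the 'bootp' display-filter advice and a switch's
DHCP snooping do: only OFFER/ACK/NAK (BOOTREPLY) frames mark a host as a DHCP
*server*; DISCOVER/REQUEST/INFORM are ordinary client traffic."""
import struct
from collections import defaultdict
from typing import Optional

BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_MAGIC = b"\x63\x82\x53\x63"            # RFC 2132 magic cookie after the 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
SERVER_MSGS = {"OFFER", "ACK", "NAK"}       # only a DHCP server sends these


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def build_dhcp(op: int, xid: int, client_mac: str, msg_type: int,
               yiaddr: str = "0.0.0.0", server_id: Optional[str] = None) -> bytes:
    """Build a minimal BOOTP/DHCP payload (used here only to construct sample traffic)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += bytes(4)                                          # ciaddr
    hdr += bytes(int(o) for o in yiaddr.split("."))          # yiaddr: address being offered/acked
    hdr += bytes(8)                                          # siaddr, giaddr
    hdr += mac_bytes(client_mac).ljust(16, b"\0")            # chaddr (16 bytes, MAC padded)
    hdr += bytes(64) + bytes(128)                            # sname, file
    opts = DHCP_MAGIC + bytes([53, 1, msg_type])             # option 53: DHCP message type
    if server_id:
        opts += bytes([54, 4]) + bytes(int(o) for o in server_id.split("."))  # option 54
    return hdr + opts + b"\xff"                              # option 255: end


def parse_dhcp(payload: bytes) -> dict:
    """Extract the fields needed to classify a message; raises on non-DHCP data."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP payload")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = ".".join(str(b) for b in payload[16:20])
    chaddr = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options, i = {}, 240
    while i < len(payload):                                  # TLV walk over the options field
        code = payload[i]
        if code == 0:                                        # PAD
            i += 1
            continue
        if code == 255:                                      # END
            break
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    msg_type = MSG_TYPES.get(options.get(53, b"\0")[0], "UNKNOWN")
    server_id = ".".join(str(b) for b in options[54]) if 54 in options else None
    return {"op": op, "xid": xid, "client_mac": chaddr, "yiaddr": yiaddr,
            "msg_type": msg_type, "server_id": server_id}


def summarize_by_mac(frames) -> dict:
    """Per source MAC, count message types: what you see after filtering on 'bootp'."""
    counts = defaultdict(lambda: defaultdict(int))
    for _port, src_mac, payload in frames:
        counts[src_mac][parse_dhcp(payload)["msg_type"]] += 1
    return {mac: dict(c) for mac, c in counts.items()}


def find_rogue_servers(frames, trusted_ports) -> dict:
    """DHCP-snooping style check: a server reply arriving on an untrusted port is rogue."""
    rogue = defaultdict(list)
    for port, src_mac, payload in frames:
        msg = parse_dhcp(payload)
        if msg["op"] == BOOTREPLY and msg["msg_type"] in SERVER_MSGS and port not in trusted_ports:
            rogue[src_mac].append((port, msg["msg_type"], msg["yiaddr"]))
    return dict(rogue)


# Constructed sample capture: (ingress switch port, source MAC, UDP payload). Not a real trace;
# the addresses and port names are assumptions made for this example.
STUDENT = "00:11:22:33:44:55"   # the poster's PC: sends only client messages
CAMPUS = "aa:bb:cc:dd:ee:01"    # the real DHCP server, on the trusted uplink port
ROGUE = "de:ad:be:ef:00:01"     # a home router plugged in backwards on an edge port
CAPTURE = [
    ("Gi1/0/7", STUDENT, build_dhcp(BOOTREQUEST, 0x1001, STUDENT, 1)),                              # DISCOVER
    ("Gi1/0/1", CAMPUS, build_dhcp(BOOTREPLY, 0x1001, STUDENT, 2, "10.20.30.40", "10.20.30.1")),    # OFFER
    ("Gi1/0/7", STUDENT, build_dhcp(BOOTREQUEST, 0x1001, STUDENT, 3)),                              # REQUEST
    ("Gi1/0/1", CAMPUS, build_dhcp(BOOTREPLY, 0x1001, STUDENT, 5, "10.20.30.40", "10.20.30.1")),    # ACK
    ("Gi1/0/7", STUDENT, build_dhcp(BOOTREQUEST, 0x1002, STUDENT, 8)),                              # INFORM
    ("Gi1/0/9", ROGUE, build_dhcp(BOOTREPLY, 0x1003, "66:77:88:99:aa:bb", 2, "192.168.1.107", "192.168.1.1")),  # rogue OFFER
]

if __name__ == "__main__":
    for mac, counts in summarize_by_mac(CAPTURE).items():
        print(mac, counts)
    print("rogue servers:", find_rogue_servers(CAPTURE, trusted_ports={"Gi1/0/1"}))
```

The point of the classification is the `op`/message-type test: a machine whose MAC appears only as the source of DISCOVER, REQUEST and INFORM messages is a client, even if it shows up a lot in the capture; only a BOOTREPLY (OFFER, ACK or NAK) from an edge port is evidence of a rogue server, which is exactly the condition DHCP snooping enforces on the switch.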
 

Cheeseluigi

I did just that and this is what I saw: http://m.imgur.com/PiY7n30
Mostly informs and requests, no offers, but I did see those two instances of ACKs, and there were two more that occurred earlier in the log. Is this what I should expect, or does this show what's wrong?
 

Cheeseluigi

Hmm, ok! Well, here's the link to the correct image this time: http://imgur.com/HOrQivI
Either way though, I'll contact UW IT and let them know they must have something wrong, because it's not my computer that's doing it. Which packet is the sniffer trace though?
 
I see nothing that stands out. Pretty standard stuff. The red packets are the sniffer thinking there is an issue. More than likely there is not, and it is a false alarm.

If you want to give them the sniffer trace you can save the file like any other Windows program; it will let you rename it pretty much anything you like. I would give them the whole thing, not save it with your filter. If they cannot filter it themselves then it also means they will not understand it and therefore not believe it. You are in bad trouble if a networking guy can't use Wireshark.
 
Solution

Cheeseluigi

It was indeed a false alarm; their switches were alerting them to rogue DHCP activity that wasn't happening in the first place. My internet works perfectly fine now that they adjusted their filters for the switch. Thanks!