I am in charge of a local network in a dormitory. We have two 50-way switches and use them to connect to some remote router which is not administered by me (it is not in my building). Note: this is a legacy setup; I had no say in how it is put together. Normally, someone connects his computer and gets an IP address from that router using DHCP.

However, recently people connecting their computers are not able to connect to the net and get their IP from a different router. How is this possible? Has someone just connected his own router to the network and is it stealing DHCP requests? If so, how can I find the culprit?


  • http://serverfault.com/questions/101778/locate-rogue-dhcp-server – hyperslug Sep 06 '10 at 20:35
  • If, as others have suspected, this is a problem with students adding their own Wifi and making a mistake - it may be worth thinking about putting an "official" wifi solution together... – Mitch Miller Sep 07 '10 at 23:10

5 Answers


If you have an Apple handy, do a tcpdump:

tcpdump -ni en0

Then plug in the Ethernet port and look for the DHCP reply:

15:40:23.226008 IP > BOOTP/DHCP, Reply, length 300

Assuming the wrong DHCP server has responded you now have its IP:

Next you need the DHCP server's MAC address:

arp -an | grep

This will give you the MAC address of the DHCP router:

? ( at c0:9c:33:b1:b3:a1 on en0 ifscope [ethernet]

Assuming you have managed switches, you can log in and dump the mapping of MACs to ports. Simply unplug the offender and wait until someone comes to tell you they are down.

If your switches are not managed, it's well worth upgrading, but if that's not an option just ping the IP from the earlier step:


Pull wires until the ping stops.
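
The capture-then-ARP lookup from the answer above, as an added example that is not part of the original answer: a shell function that reads saved `tcpdump -ni en0` text and `arp -an` output and prints every DHCP server other than the expected one, with its MAC and reply count. The addresses, MACs and file names are constructed sample data, and `rogue_dhcp_servers` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: list DHCP servers other than the expected one from saved
# `tcpdump -ni en0` text, with each server's MAC taken from `arp -an` output.

# rogue_dhcp_servers EXPECTED_IP CAPTURE_FILE ARP_FILE
# Prints "ip mac reply_count" for every unexpected server that answered.
rogue_dhcp_servers() {
    awk -v expected="$1" -v arpfile="$3" '
        # arp -an lines look like: ? (192.168.1.1) at 02:00:... on en0 ...
        FILENAME == arpfile {
            ip = $2; gsub(/[()]/, "", ip); mac[ip] = $4; next
        }
        # tcpdump lines: keep DHCP replies whose source port is 67 (server)
        /BOOTP\/DHCP, Reply/ {
            src = ""
            for (i = 2; i <= NF; i++) if ($i == ">") src = $(i - 1)
            if (src !~ /\.67$/) next
            sub(/\.67$/, "", src)
            if (src != expected) seen[src]++
        }
        END {
            for (ip in seen)
                printf "%s %s %d\n", ip, (ip in mac ? mac[ip] : "unknown"), seen[ip]
        }
    ' "$3" "$2" | sort
}

# Constructed sample data (not from the original post): 10.0.0.1 is the
# legitimate server, 192.168.1.1 is a home router answering on the same LAN.
demo_dir=$(mktemp -d)
cat > "$demo_dir/capture.txt" <<'EOF'
15:40:22.101455 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 02:00:00:aa:00:10, length 300
15:40:23.226008 IP 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:40:23.301992 IP 10.0.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
15:40:24.007311 IP 192.168.1.1.67 > 192.168.1.23.68: BOOTP/DHCP, Reply, length 300
EOF
cat > "$demo_dir/arp.txt" <<'EOF'
? (10.0.0.1) at 02:00:00:aa:00:01 on en0 ifscope [ethernet]
? (192.168.1.1) at 02:00:00:bb:00:01 on en0 ifscope [ethernet]
EOF

rogue_dhcp_servers 10.0.0.1 "$demo_dir/capture.txt" "$demo_dir/arp.txt"
```

A server whose MAC is not yet in the ARP table is reported as `unknown`; pinging its IP once and re-running `arp -an` fills the entry in.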


You can track down the user using the techniques others have mentioned, but even better would be if you can prevent this from ever happening again.

For example, on a Cisco switching infrastructure you should be able to use DHCP snooping to prevent this happening in future. Other switch brands may have similar features.

Mitch Miller

A normal user physically connected to the network can set up a DHCP server using (for example) Windows Server 2008 on a VMware machine from his laptop and steal the DHCP requests of other clients.

If this is the case, in ipv4 properties change the alternate DNS IP address to the real DNS server.


Most likely someone brought their router from home and connected the wrong port to your switches. Most home routers provide DHCP and will happily give out addresses in the wrong range. From what I have seen this is fairly common in dorm situations.

Try posting a notice that anyone with their own router should connect only the WAN port to your network.

The procedures above will help you find the IP address they are using. The traffic lights on the routers may also help for a visual indication. If you don't have a handle on where all the wires go, it may be difficult to trace. If you can pin down the port or ports that have the routers, consider disconnecting them at the switch.

  • Why post a sign telling them how to plug in their routers? Post a sign prohibiting routers. Students should not be allowed to set up their own wireless. It creates security and stability problems when they leave their wireless weakly secured, create switch loops, and set up their own DHCP servers. They should be banned, not supported. – Jason Berg Sep 07 '10 at 00:10
  • @Jason - Mainly because everything is going wireless now. It would be better to add wireless to the building. – BillThor Sep 07 '10 at 05:01

I'm guessing that someone in a dorm room has connected a SOHO router instead of their computer, probably so that they can have wireless access. What you can do is a series of steps to isolate the problem.

One way is to get your laptop and do some "war driving" in the dorms. In other words, roam around looking for strong wireless network signals coming from the rogue router. This will get you close to it, as you look at the varying strengths.

Another way is to:

  1. Go to a computer that has this rogue router as its DHCP host, and write down the IP and MAC address of the router. You can get this from the "ipconfig /all" command.

  2. Use administrative access on the switches to find out which port that IP or MAC address is using. In other words, look at the table on the switch that maps which machine is coming through which port.

  3. Now you can either trace that port to the dorm room, or just remove the dorm room from the switch. Hopefully you have documentation of which ports go to which dorm rooms.

If none of these work, then you will need to do a search by physically disconnecting one wire at a time from the switches until the problem goes away.

By the way, if the administration and IT are doing a decent job then the students have signed some kind of agreement that prohibits them from doing this. So you can bring in the Dean of Students (or whatever he is called on your campus).

  • Personally, I'd be disabling every LAN port it gets connected to, and waiting until they come to me and ask for help, and use that opportunity to educate them. Users have a pesky habit of disappearing when they know that they are in trouble. – Mitch Miller Sep 07 '10 at 00:57