How do I find if there is a rogue DHCP server on my Network?

One simple method is to simply run a sniffer like tcpdump/wireshark on a computer and send out a DHCP request. If you see any offers other then from your real DHCP server then you know you have a problem.

To recap and add to some of the other answers:

Temporarily disable your production DHCP server and see if other servers respond.

You can get the IP address of the server by running ipconfig /all on a windows machine, and then you can get the MAC address by looking for that IP address using arp -a.

On a Mac, run ipconfig getpacket en0 (or en1). See http://www.macosxhints.com/article.php?story=20060124152826491.

The DHCP server information is usually in /var/log/messages. sudo grep -i dhcp /var/log/messages*

Disabling your production DHCP server might not be a good option, of course.

Use a tool that specifically looks for rogue DHCP servers

See http://en.wikipedia.org/wiki/Rogue_DHCP for a list of tools (many of which were listed in other responses).

Configure switches to block DHCP offers

Most managed switches can be configured to prevent rogue DHCP servers:

• http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html

• http://www.juniper.net/techpubs/en_US/junos9.2/topics/concept/port-security-dhcp-snooping.html

dhcpdump, which takes input form tcpdump and shows only DHCP related packets. Helped me find rootkited Windows, posing as fake DHCP in our LAN.

The Wireshark / DHCP explorer / DHCP Probe approaches are good for a one time or periodic check. However, I'd recommend looking into DHCP Snooping support on your network. This feature will provide constant protection from rogue DHCP servers on the network, and is supported by many different hardware vendors.

Here's the feature set as indicated in the Cisco docs.

• Validates DHCP messages received from untrusted sources and filters out invalid messages.

• Rate-limits DHCP traffic from trusted and untrusted sources.

• Builds and maintains the DHCP snooping binding database, which contains information about untrusted hosts with leased IP addresses.

• Utilizes the DHCP snooping binding database to validate subsequent requests from untrusted hosts.

dhcploc.exe is the quickest and handiest way on Windows systems. It is available in the XP Support Tools. The Support Tools are on every OEM/retail XP disk, but may or may not be on "recovery disks" provided by some OEMs. You can also download them from MS.

It's a simple commandline tool. You run dhcploc {yourIPaddress} and then press the 'd' key to do a fake discovery. If you leave it running without pressing any keys, it will display every DHCP request and answer it hears. Press 'q' to quit.

I suggest starting two terminals, one for monitoring and another for sending a request. Terminal1 will show responses from all existing DHCP servers including MAC address. This example was run on Ubuntu:

Terminal1 (for monitoring):

sudo tcpdump -nelt udp port 68 | grep -i "boot.*reply"

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
20:a6:80:f9:12:2f > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 332: 192.168.1.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 290
00:23:cd:c3:83:8a > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 590: 192.168.1.253.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 548

Terminal2 (for sending a request):

sudo nmap --script broadcast-dhcp-discover -e eth0

Starting Nmap 7.01 ( https://nmap.org ) at 2019-10-13 21:21 EEST
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.1.228
|     DHCP Message Type: DHCPOFFER
|     IP Address Lease Time: 2h00m00s
|     Server Identifier: 192.168.1.1
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.1.1
|_    Domain Name Server: 8.8.8.8, 8.8.4.4
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 0.94 seconds

That monitoring terminal is needed just to see all responses (nmap is able to show only the first response).

Scapy is a python based packet crafting tool that is good for these sort tasks. There is an example of how to do exactly this here.

To expand on l0c0b0x's comment about using bootp.type == 2 as a filter. The bootp.type filter is only available in Wireshark/tshark. It is not available in tcpdump which the contextual location of his comment inclined me to believe.

Tshark works perfectly for this.

We have our network divided up into numerous broadcast domains, each with their own Linux-based probe with a point of presence on the "local" broadcast domain and on an administrative subnet in one fashion or another. Tshark combined with ClusterSSH allows me to easily look for DHCP traffic or (anything else for that matter) on the further flung corners of the network.

This will find DHCP replies using Linux:

# ifconfig ethX promisc
# tshark -i ethX -n port 68 -R 'bootp.type == 2'

once you've established that there's a rogue dhcp server on the network I found the quickest way to resolve it was...

Send an email round to the whole company saying:

"which one of you has added a wireless router into the LAN, you've killed the internet for everyone else"

expect a sheepish response, or the conflicting device to disappear, quickly :)

Disable the main DHCP server and (re)configure a connection.

If you get an IP address, you've got a rogue.

If you have a Linux handy, the standard dhcpclient tells you the IP address of the DHCP server (else you can sniff the traffic to see where the DHCP response came from).