Finding the DHCP server on a LAN
2011-12-14 14:50
One day, after one of the hosts in XenServer booted, I noticed that its IP address had been obtained via DHCP, but the subnet was one I had never configured. I thought about it for a long time and could not remember ever having set up such a DHCP server. What I needed to do was track it down and see which machine was providing DHCP service. After some googling I found a packet-capture method, and it was verified to work.
Check the DHCP client's IP address, which is 172.20.10.54:
eth0 Link encap:Ethernet HWaddr 00:16:3E:14:0A:74
inet addr:172.20.10.54 Bcast:172.20.10.255 Mask:255.255.255.0
inet6 addr: fe80::216:3eff:fe14:a74/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2657 errors:0 dropped:0 overruns:0 frame:0
TX packets:188 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:232533 (227.0 KiB) TX bytes:33943 (33.1 KiB)
Log in to the DHCP client and capture packets with tcpdump, specifying port 67 (it may also be 68). If you are not sure, first run
netstat -an|grep 67
netstat -an|grep 68
to see which port is currently listening, and use that listening port for tcpdump's port option.
Start capturing:
[root@centos ~]# tcpdump -e -i eth0 -nn port 67
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:12:24.805483 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:12:24.806055 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:13:39.274700 00:16:3e:14:0a:73 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:73, length: 300
09:14:36.020156 00:16:3e:14:0a:74 > 14:fe:b5:d9:05:d8, ethertype IPv4 (0x0800), length 342: 172.20.10.116.68 > 172.20.10.230.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:74, length: 300
09:14:36.020564 14:fe:b5:d9:05:d8 > 00:16:3e:14:0a:74, ethertype IPv4 (0x0800), length 342: 172.20.10.230.67 > 172.20.10.116.68: BOOTP/DHCP, Reply, length: 300
If tcpdump has been running for a while and still no packets show up, you can try pinging some machine manually, for example:
[root@centos ~]# ping 172.20.10.117
PING 172.20.10.117 (172.20.10.117) 56(84) bytes of data.
64 bytes from 172.20.10.117: icmp_seq=1 ttl=64 time=0.367 ms
64 bytes from 172.20.10.117: icmp_seq=2 ttl=64 time=0.157 ms
64 bytes from 172.20.10.117: icmp_seq=3 ttl=64 time=0.172 ms
64 bytes from 172.20.10.117: icmp_seq=4 ttl=64 time=0.159 ms
64 bytes from 172.20.10.117: icmp_seq=5 ttl=64 time=0.157 ms
That way tcpdump captures the DHCP packets, and you can see which DHCP server is behind the trouble.
You can see that it is the server at 172.20.10.230 that is providing DHCP service; just ssh in and stop the DHCP service!!
This article is from the “star&storage” blog; please keep this source reference: http://taotao1240.blog.51cto.com/731446/741760
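The capture above is read by eye; on a busier network it helps to pull the servers out of the tcpdump output automatically and compare them against the DHCP servers you know you run. The following is an added example, not code from the original post: two POSIX sh functions that take `tcpdump -e -nn port 67` text on stdin, list every distinct MAC/IP that sent a "BOOTP/DHCP, Reply" from port 67, and flag those not on a space-separated allowlist. The sample capture is constructed from the shape of the lines shown in the post, and the authorised server 172.20.10.5 (and its MAC aa:bb:cc:dd:ee:ff) is an assumption made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): extract DHCP servers from
# "tcpdump -e -nn port 67" output and flag any that are not authorised.

# Constructed sample capture in the same format as the post's tcpdump lines.
# The last line (server 172.20.10.5 / aa:bb:cc:dd:ee:ff) is invented for the demo.
SAMPLE_CAPTURE='09:12:24.805483 00:16:3e:14:0a:75 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:75, length: 300
09:14:36.020156 00:16:3e:14:0a:74 > 14:fe:b5:d9:05:d8, ethertype IPv4 (0x0800), length 342: 172.20.10.116.68 > 172.20.10.230.67: BOOTP/DHCP, Request from 00:16:3e:14:0a:74, length: 300
09:14:36.020564 14:fe:b5:d9:05:d8 > 00:16:3e:14:0a:74, ethertype IPv4 (0x0800), length 342: 172.20.10.230.67 > 172.20.10.116.68: BOOTP/DHCP, Reply, length: 300
09:14:40.000000 aa:bb:cc:dd:ee:ff > 00:16:3e:14:0a:73, ethertype IPv4 (0x0800), length 342: 172.20.10.5.67 > 172.20.10.120.68: BOOTP/DHCP, Reply, length: 300'

# dhcp_servers: read capture text on stdin and print "MAC IP" once for each
# distinct host that sent a DHCP Reply from UDP port 67 (the server port).
dhcp_servers() {
  awk '
    /BOOTP\/DHCP, Reply/ {
      mac = $2                                   # with -e, field 2 is the source MAC
      for (i = 3; i <= NF; i++) {
        # source endpoint looks like "172.20.10.230.67": dotted IPv4 plus ".67"
        if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\.67$/) {
          ip = $i
          sub(/\.67$/, "", ip)
          key = mac " " ip
          if (!(key in seen)) { seen[key] = 1; print key }
          break
        }
      }
    }'
}

# rogue_dhcp_servers "IP1 IP2 ...": print "MAC IP" for every server seen in
# the capture on stdin whose IP is not in the space-separated allowlist.
rogue_dhcp_servers() {
  allowed=" $1 "
  dhcp_servers | while read -r mac ip; do
    case "$allowed" in
      *" $ip "*) ;;                               # known, authorised server
      *) printf '%s %s\n' "$mac" "$ip" ;;         # unknown server: report it
    esac
  done
}

# Demo on the constructed capture: 172.20.10.5 is assumed authorised, so the
# post's 172.20.10.230 is the one reported.
printf '%s\n' "$SAMPLE_CAPTURE" | rogue_dhcp_servers "172.20.10.5"

# Live use (run as root on the DHCP client; -l makes tcpdump line-buffered):
#   tcpdump -e -i eth0 -nn -l port 67 | rogue_dhcp_servers "172.20.10.5"
```

On a switched network the capturing host only sees broadcast DHCP requests and the unicast replies addressed to itself, so a rogue server answering other clients can stay invisible to it. The reliable way to provoke a Request/Reply pair on the capturing host is to release and renew its own lease (for example `dhclient -r eth0; dhclient eth0` on the CentOS host shown), after which the reporting MAC/IP pair comes straight from the reply the capture host received. The MAC in the report is what you match against switch port tables or VM MAC addresses to locate the physical machine or guest.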