I Need To Make A Change With My IT Support! Call (225) 706-8414

How to find a Rogue DHCP Server using Linux

You need to scan for active DHCP servers from a Linux machine that has a statically assigned IP address. For example, you suspect there is a rogue DHCP server on your network


The dhclient command, which normally configures an interface with a DHCP address, can be run to only query but not configure the interface.

  1. As root, run dhclient -d -nw <interface> where <interface> is the name of an active interface connected to the network you want to scan.
    # dhclient -d -nw eth0
    Internet Systems Consortium DHCP Client 4.2.5

    Copyright 2004-2013 Internet Systems Consortium.
    All rights reserved.
    For info, please visit https://www.isc.org/software/dhcp/Listening on LPF/eth0/aa:bb:cc:dd:ee:ff
    Sending on LPF/eth0/aa:bb:cc:dd:ee:ff
    Sending on Socket/fallback
    DHCPDISCOVER on eth0 to port 67 interval 6 (xid=0x76367945)
    DHCPREQUEST on eth0 to port 67 (xid=0x76367945)
    DHCPOFFER from
    DHCPACK from (xid=0x76367945)
  2. Review the output for lines starting with DHCPOFFER; each distinct IP address is an active DHCP server.

Concerned About Cyber Attacks?


Want to Migrate to the Cloud?

Office 365

Ready to Experience Microsoft Office 365?

Want the latest IT news directly in your inbox? Subscribe now!