aaaarrrgggghhh!!!!! customer’s client complaining that they can’t get to the internet. they have an IP but it doesn’t seem to work for them. I checked my dhcp server’s ip address range and did a quick ping scan on that range.. it turned out only a few leases were online.
i checked the /var/log/messages and kept getting many DHCP IP offers from IP blocks not our own. hmmmm…
i did a quick google and found that you can sniff the wire for any rogue dhcp
# /usr/sbin/tcpdump -i eth1 -l "udp src port 67 and udp dst port 68"
20:00:36.590654 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1c:df:3d:d6:80, length: 300
20:00:36.694801 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300
20:00:36.805844 IP 192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300
20:00:40.169506 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 302
20:00:41.589965 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1c:df:3d:d6:80, length: 300
20:00:41.694514 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300
20:00:41.810429 IP 192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300
20:00:46.588929 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1c:df:3d:d6:80, length: 300
20:00:46.689106 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300
20:00:46.804646 IP 192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300
i then re-applied the blocking of dhcp servers in the Canopy SM’s.. then the network went quiet.
I did want to find who the customer doing this was but the above action is a blanket command so i guess it’s better. But i would like to kick the guy’s butt for messing up the network though
other option was to set up the linux box interface as a dhcp client and catch some of the illegal IP, or to run dhcp_probe and find out where it’s coming from.
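
An added example, not part of the original post: a small Python filter that reads tcpdump lines like the ones above and lists every DHCP server that replied but is not on an allowlist, with a reply count and first/last timestamps. The allowlist address 10.10.0.1 and the last sample line are constructed for illustration; the other sample lines are from the capture in the post.

```python
import re
import sys

# Assumption: placeholder address of the one sanctioned DHCP server (not from the post).
AUTHORIZED = {"10.10.0.1"}

# Matches tcpdump's one-line summary of a BOOTP/DHCP reply sent from the server port.
# tcpdump prints "bootps" instead of 67 when it resolves port names (no -n).
REPLY = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?:67|bootps) > "
    r"\S+: BOOTP/DHCP, Reply"
)

def find_rogue_servers(lines, authorized=AUTHORIZED):
    """Return {server_ip: {"count", "first", "last"}} for unsanctioned repliers."""
    rogues = {}
    for line in lines:
        m = REPLY.match(line.strip())
        if not m or m["src"] in authorized:
            continue  # client request, unrelated line, or the sanctioned server
        seen = rogues.setdefault(
            m["src"], {"count": 0, "first": m["ts"], "last": m["ts"]}
        )
        seen["count"] += 1
        seen["last"] = m["ts"]
    return rogues

# Sample input: the first four lines are from the capture in the post,
# the last line is constructed to stand in for the sanctioned server.
SAMPLE = [
    "20:00:36.590654 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 00:1c:df:3d:d6:80, length: 300",
    "20:00:36.694801 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300",
    "20:00:36.805844 IP 192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300",
    "20:00:40.169506 IP 192.168.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 302",
    "20:00:41.000000 IP 10.10.0.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length: 300",
]

if __name__ == "__main__":
    # Pipe live tcpdump -l output in, or run with no input to use the sample.
    lines = SAMPLE if sys.stdin.isatty() else sys.stdin
    for ip, seen in sorted(find_rogue_servers(lines).items()):
        print(f"rogue dhcp server {ip}: {seen['count']} replies, "
              f"first {seen['first']}, last {seen['last']}")
```
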