How to Identify and Troubleshoot an Unknown DHCP Server at 192.168.1.59 in a Windows Network Environment

When a device like 192.168.1.59 responds to ping but fails hostname resolution via nbtstat, the host is up but is not answering NetBIOS name queries, so you need other ways to identify it. Start with a basic connectivity test:

# Basic connectivity test
ping 192.168.1.59
# Output if successful:
PING 192.168.1.59 (192.168.1.59) 56(84) bytes of data.
64 bytes from 192.168.1.59: icmp_seq=1 ttl=64 time=0.421 ms

For deeper investigation, try these methods:

# Using nmap for service and OS fingerprinting (Windows/Linux; -O needs admin/root)
nmap -sV -O 192.168.1.59

# Using arp to check the MAC address (look up the OUI prefix to find the hardware vendor)
arp -a 192.168.1.59

# Reverse DNS lookup as an alternative to nbtstat (Windows/Linux)
nslookup 192.168.1.59

To specifically identify rogue DHCP servers:

# Windows PowerShell: list the DHCP servers authorized in Active Directory.
# A rogue server will not appear here, so use this list as the allowlist to
# compare captured DHCP offers against (requires the DhcpServer module)
Get-DhcpServerInDC

# Linux alternative (requires dhcpdump): show every DHCP message on the interface
# (dhcpdump's -h option filters by hardware address, not IP, so it is omitted)
dhcpdump -i eth0

Capture DHCP traffic to identify the server:

# Wireshark filter for DHCP traffic
udp.port == 67 or udp.port == 68

# tcpdump equivalent
tcpdump -i eth0 -n -v 'port 67 or port 68'

If software methods fail, physically trace the device:

  1. Check switch MAC address tables
  2. Follow the cable from the switch port
  3. Use tone generators for unlabeled cables

Here's a PowerShell script to identify network devices:

# PowerShell device discovery
# Assumes it is run from a host on the same subnet, so the neighbor (ARP) cache can be populated
$ip = "192.168.1.59"
# Test-NetConnection also populates the neighbor cache as a side effect
$result = Test-NetConnection -ComputerName $ip -Port 80 -InformationLevel Detailed
# Get-NetNeighbor can return one entry per interface; take the first one that has an address
$mac = (Get-NetNeighbor -IPAddress $ip -ErrorAction SilentlyContinue |
        Where-Object { $_.LinkLayerAddress } | Select-Object -First 1).LinkLayerAddress
# Newlines need the backtick escape `n; without it "$ipnMAC" is read as an (undefined) variable name
Write-Output "IP: $ip`nMAC: $mac`nPort 80: $($result.TcpTestSucceeded)"

When dealing with rogue DHCP servers, standard ping and nbtstat commands may not provide enough information. Here are more advanced techniques:


# DHCP-specific probe (Linux, dhcping): ask the suspect host directly whether it
# answers DHCP requests; -c and -h take your own client IP and MAC (placeholders below)
dhcping -s 192.168.1.59 -c <your-client-ip> -h <your-client-mac>

Using Wireshark or tcpdump can reveal DHCP traffic patterns:

# Capture DHCP traffic specifically
tcpdump -i eth0 -vvv -s 1500 'port 67 or port 68'

# Filter for our target IP
tcpdump -i eth0 host 192.168.1.59 and port 67

Different DHCP servers have unique characteristics in their responses (server identifier, lease time, router and DNS options). This Python script, which uses Scapy and must run with root/administrator privileges, prints the options from each DHCP message so the responding server can be identified:

# Requires Scapy and root/administrator privileges to sniff
from scapy.all import sniff, Ether, IP, DHCP

# DHCP message types: 1=DISCOVER 2=OFFER 3=REQUEST 5=ACK 6=NAK
SERVER_REPLIES = {2: "OFFER", 5: "ACK", 6: "NAK"}

def analyze_dhcp(pkt):
    if DHCP not in pkt:
        return
    # Options are (name, value, ...) tuples; 'pad' and 'end' are bare strings
    options = {o[0]: (o[1] if len(o) == 2 else o[1:])
               for o in pkt[DHCP].options if isinstance(o, tuple)}
    msg_type = options.get("message-type")
    if msg_type in SERVER_REPLIES:
        # Only server replies reveal who is handing out addresses
        src_mac = pkt[Ether].src if Ether in pkt else "?"
        print(f"{SERVER_REPLIES[msg_type]} from {pkt[IP].src} ({src_mac})")
    for name, value in options.items():
        print(f"  Option {name}: {value}")

def dhcp_sniffer():
    # BPF filter for both DHCP ports; store=0 avoids keeping every packet in memory
    sniff(filter="udp and (port 67 or 68)", prn=analyze_dhcp, store=0)

if __name__ == "__main__":
    dhcp_sniffer()
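The capture commands and the sniffer above collect DHCP traffic; what a defender then needs is a check that parses each server reply and compares its server identifier (option 54) against the list of authorized servers. The following is an added example written for this article, not code from the original page or any project it names: a stdlib-only parser for the BOOTP/DHCP option area plus a check that flags OFFER/ACK/NAK messages from any server missing from an assumed AUTHORIZED_SERVERS allowlist. 192.168.1.1 is a constructed placeholder for the legitimate server, and the sample packets are constructed by build_dhcp rather than captured. The parser can be fed the raw bytes of a sniffed packet, for example Scapy's raw(pkt[BOOTP]), or the UDP payload of a pcap frame.

```python
"""Stdlib-only DHCP server-reply checker (added example, not from the page)."""
import struct
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# ASSUMPTION: the network's only legitimate DHCP server. The page never names it,
# so 192.168.1.1 is a constructed placeholder; in practice, take this set from
# Get-DhcpServerInDC or the switch's DHCP-snooping trusted-port configuration.
AUTHORIZED_SERVERS = {"192.168.1.1"}

MAGIC_COOKIE = b"\x63\x82\x53\x63"                 # RFC 2131 DHCP magic cookie
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
SERVER_REPLIES = {2, 5, 6}                         # only these reveal a server


def parse_dhcp_options(payload: bytes) -> Dict[int, bytes]:
    """Parse the RFC 2132 option area of a BOOTP/DHCP payload into {code: raw value}.

    Handles pad (0) and end (255) markers and refuses truncated options instead of
    reading past the buffer, which malformed or hostile packets can provoke.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload (missing magic cookie)")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                 # pad: single byte, no length field
            i += 1
            continue
        if code == 255:               # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        options[code] = value
        i += 2 + length
    return options


def _addrs(raw: bytes) -> List[str]:
    """Decode a run of 4-byte IPv4 addresses (options 3, 6 and 54 use this layout)."""
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def summarize_server_reply(payload: bytes) -> Optional[dict]:
    """Describe a server reply (OFFER/ACK/NAK) and say whether its sender is authorized.

    Returns None for client messages, which tell us nothing about servers.
    """
    opts = parse_dhcp_options(payload)
    msg_type = opts.get(53, b"\x00")[0]
    if msg_type not in SERVER_REPLIES:
        return None
    server_ids = _addrs(opts.get(54, b""))          # option 54: server identifier
    server_id = server_ids[0] if server_ids else None
    lease = opts.get(51, b"")
    return {
        "type": MESSAGE_TYPES[msg_type],
        "server_id": server_id,
        "offered_ip": str(IPv4Address(payload[16:20])),   # BOOTP yiaddr field
        "router": _addrs(opts.get(3, b"")),
        "dns": _addrs(opts.get(6, b"")),
        "lease_seconds": struct.unpack("!I", lease)[0] if len(lease) == 4 else None,
        "authorized": server_id in AUTHORIZED_SERVERS,
    }


def build_dhcp(msg_type: int, server_ip: str, yiaddr: str, router: str, dns: List[str]) -> bytes:
    """Construct a minimal BOOTP/DHCP payload for testing (constructed data, not a capture)."""
    hdr = bytearray(240)
    hdr[0] = 1 if msg_type in (1, 3) else 2        # op: BOOTREQUEST or BOOTREPLY
    hdr[1], hdr[2] = 1, 6                          # htype Ethernet, hlen 6
    struct.pack_into("!I", hdr, 4, 0x3903F326)     # xid (arbitrary constructed value)
    hdr[16:20] = IPv4Address(yiaddr).packed
    hdr[20:24] = IPv4Address(server_ip).packed     # siaddr
    hdr[236:240] = MAGIC_COOKIE
    opts = bytes([53, 1, msg_type])
    opts += bytes([54, 4]) + IPv4Address(server_ip).packed
    opts += bytes([3, 4]) + IPv4Address(router).packed
    dns_raw = b"".join(IPv4Address(d).packed for d in dns)
    opts += bytes([6, len(dns_raw)]) + dns_raw
    opts += bytes([51, 4]) + struct.pack("!I", 3600)
    return bytes(hdr) + opts + bytes([255])


if __name__ == "__main__":
    # Constructed sample: an OFFER from the suspect host at 192.168.1.59 that also
    # hands out itself as router and DNS (the classic rogue-DHCP pattern).
    samples = {
        "legit": build_dhcp(2, "192.168.1.1", "192.168.1.100", "192.168.1.1", ["192.168.1.1"]),
        "suspect": build_dhcp(2, "192.168.1.59", "192.168.1.100", "192.168.1.59",
                              ["192.168.1.59", "198.51.100.53"]),
    }
    for name, payload in samples.items():
        info = summarize_server_reply(payload)
        print(f"{name}: {'OK' if info['authorized'] else 'ROGUE?'} {info}")
```

The router and DNS options are reported alongside the server identifier because a rogue server that points clients at itself for both is the pattern worth alerting on, whereas a misconfigured but legitimate second server usually hands out the real gateway. The truncation checks in the parser matter because the option area is attacker-controlled input; a monitoring script that crashes on a malformed packet is itself an easy thing to silence.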

When software methods fail, physical investigation helps:

  • Check switch MAC address tables
  • Trace the port where 192.168.1.59 appears
  • Consider rogue wireless access points

For larger networks, these enterprise solutions may help:

# Cisco IOS: show the router's own DHCP lease binding for this address
show ip dhcp binding 192.168.1.59
# On switches with DHCP snooping, server replies are only accepted on trusted
# ports; this shows the snooping state and which interfaces are trusted
show ip dhcp snooping

# Windows Server DHCP: list the authorized server's scopes (dhcpserver1 is a
# placeholder name); audit-log settings come from Get-DhcpServerAuditLog
Get-DhcpServerv4Scope -ComputerName dhcpserver1 | Format-List