This is our old Q&A Site. Please post any new questions and answers at

I have a rogue dhcp server and I was able to track down the machine without any problem. However, I can not determine how the machine is handing out addresses. It is a Snow Leopard Mac with Internet Sharing OFF. Also the DHCP Offer is to a specific machine which is actually a backuppc ubuntu server, NOT a broadcast. Does anyone have any ideas what is going on here? I have included a screenshot below of the basic wireshark output. Any help is greatly appreciated.

You can see the screenshot at

asked 26 Jun '13, 11:23

robp2175's gravatar image

accept rate: 0%

edited 26 Jun '13, 11:24

Also the DHCP Offer is to a specific machine

That's not uncommon. See the sample capture in the Wireshark wiki.

If there is no DHCP server on your Mac box, are you sure that packets 8870 and 9180 are really DHCP Offer packets?

Maybe Wireshark simply decodes those packets as DHCP because those two machine are using a communication protocol at the same port that is usually used by DHCP (for whatever reason).

If you look at the content of those DHCP Offer packets. Do the values in that packets ((IP, MAC) make any sense in your environment?


permanent link

answered 26 Jun '13, 16:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 26 Jun '13, 11:23

question was seen: 5,051 times

last updated: 26 Jun '13, 16:44

p​o​w​e​r​e​d by O​S​Q​A