This is a static archive of our old Q&A Site. Please post any new questions and answers at

Help with Rogue DHCP Server


I have a rogue dhcp server and I was able to track down the machine without any problem. However, I can not determine how the machine is handing out addresses. It is a Snow Leopard Mac with Internet Sharing OFF. Also the DHCP Offer is to a specific machine which is actually a backuppc ubuntu server, NOT a broadcast. Does anyone have any ideas what is going on here? I have included a screenshot below of the basic wireshark output. Any help is greatly appreciated.

You can see the screenshot at

asked 26 Jun '13, 11:23

robp2175's gravatar image

accept rate: 0%

edited 26 Jun '13, 11:24

One Answer:


Also the DHCP Offer is to a specific machine

That's not uncommon. See the sample capture in the Wireshark wiki.

If there is no DHCP server on your Mac box, are you sure that packets 8870 and 9180 are really DHCP Offer packets?

Maybe Wireshark simply decodes those packets as DHCP because those two machine are using a communication protocol at the same port that is usually used by DHCP (for whatever reason).

If you look at the content of those DHCP Offer packets. Do the values in that packets ((IP, MAC) make any sense in your environment?


answered 26 Jun '13, 16:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
accept rate: 15%