On our network, client workstations utilize DHCP for obtaining DNS server settings. I need to figure out why a certain IPv6 host is being added into the list of DNS servers. In other words, I need a way to capture IPv6-based DHCP traffic. Any assistance is greatly appreciated.
asked 26 Jan '16, 19:54
edited 27 Jan '16, 03:11
Not sure I get right what "IPv6 host is being added into the list of DNS servers" means. But if it simply means that for a single DHCP discovery you get several DHCP offers, I would assume you need to work around the fact that the dynamically configured host interface only sends DHCP discovery for a certain period of time after L1 comes up, and that you cannot capture on an interface which is not up at L1. Here, a hub or a switch with monitoring capability would help - you would connect the cable from one of your dynamically configured hosts to the uplink port of the switch or hub, connect a capturing machine to the monitoring port (if it is a switch with monitoring capability) or to any port if it is a hub, start capturing in promiscuous mode, and as the last step, connect the dynamically configured host to the access port of the hub/switch. This way, the capturing interface would already be up and running while the dynamically configured host would be negotiating at L1 and sending the DHCP discover.
The next step would be to apply display filter
Now you can find two possibilities:
The last step would be to use this address information to identify the "illegal" DHCP server. If you are lucky, your manageable switches will show you at which port of which switch this MAC address lives, so you can track it from switch to switch until you get to the one to which it is connected. If you are less lucky, the machine also sends other traffic, so capturing close to your gateway towards the internet and analysing the traffic may give you a hint as to which one it is. The last "passive" resort is the inventory list with MAC addresses.
If no passive method helps, the next one is to ban that IP from access to the internet/company server; the affected user will call the IT helpdesk in no time.
answered 27 Jan '16, 03:14
edited 27 Jan '16, 05:05
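As an added example (not part of the question or the answer above), here is a small Python DHCPv6 parser that does the attribution step the answer describes: it walks ADVERTISE/REPLY messages, pulls the server DUID and the DNS servers carried in OPTION_DNS_SERVERS (option 23), and reports which answering server (by source MAC, link-local source address and DUID) handed out a given DNS address. The MAC is what you then chase through the switch forwarding tables. The frames, MACs, DUIDs and addresses are constructed sample data in documentation ranges, not a real capture; in practice you would feed it the UDP payloads of frames captured with a filter such as `udp port 546 or udp port 547`.

```python
import ipaddress
import struct
from typing import Dict, List, NamedTuple, Optional, Set, Tuple

# DHCPv6 message types and option codes (RFC 8415; DNS option from RFC 3646).
MSG_TYPES = {1: "SOLICIT", 2: "ADVERTISE", 3: "REQUEST", 5: "RENEW",
             7: "REPLY", 11: "INFORMATION-REQUEST"}
OPT_SERVERID = 2
OPT_DNS_SERVERS = 23

class Dhcp6Message(NamedTuple):
    msg_type: str
    xid: int
    server_duid: str        # hex of the server DUID, "" when the option is absent
    dns_servers: List[str]  # addresses carried in OPTION_DNS_SERVERS

def parse_dhcpv6(payload: bytes) -> Dhcp6Message:
    """Parse the UDP payload of a DHCPv6 message (ports 546/547) and keep the
    fields needed to attribute a DNS offer to the server that made it."""
    if len(payload) < 4:
        raise ValueError("DHCPv6 header needs 4 bytes")
    msg_type = payload[0]
    xid = int.from_bytes(payload[1:4], "big")
    server_duid = ""
    dns_servers: List[str] = []
    off = 4
    while off + 4 <= len(payload):
        code, length = struct.unpack_from("!HH", payload, off)
        off += 4
        data = payload[off:off + length]
        if len(data) != length:  # option claims more bytes than the packet holds
            raise ValueError("truncated option %d" % code)
        off += length
        if code == OPT_SERVERID:
            server_duid = data.hex()
        elif code == OPT_DNS_SERVERS:
            if length % 16:
                raise ValueError("OPTION_DNS_SERVERS length is not a multiple of 16")
            dns_servers += [str(ipaddress.IPv6Address(data[i:i + 16]))
                            for i in range(0, length, 16)]
    if off != len(payload):
        raise ValueError("trailing bytes after the last option")
    return Dhcp6Message(MSG_TYPES.get(msg_type, "type-%d" % msg_type),
                        xid, server_duid, dns_servers)

class Frame(NamedTuple):
    src_mac: str    # eth.src of the captured frame
    src_ip6: str    # ipv6.src (servers answer from a link-local address)
    payload: bytes  # UDP payload

ServerKey = Tuple[str, str, str]  # (MAC, IPv6 source, server DUID hex)

def dns_offers_by_server(frames: List[Frame]) -> Dict[ServerKey, Set[str]]:
    """Collect, per answering server, every DNS address it handed out in
    ADVERTISE or REPLY messages; client messages are ignored."""
    offers: Dict[ServerKey, Set[str]] = {}
    for f in frames:
        msg = parse_dhcpv6(f.payload)
        if msg.msg_type not in ("ADVERTISE", "REPLY"):
            continue
        key = (f.src_mac, f.src_ip6, msg.server_duid)
        offers.setdefault(key, set()).update(msg.dns_servers)
    return offers

def servers_offering(frames: List[Frame], suspect_dns: str) -> List[ServerKey]:
    """Servers whose DNS option contained suspect_dns (normalised first, so
    2001:DB8:0::53 and 2001:db8::53 match)."""
    target = str(ipaddress.IPv6Address(suspect_dns))
    return sorted(k for k, dns in dns_offers_by_server(frames).items() if target in dns)

def build_dhcpv6(msg_type: int, xid: int, duid: bytes = b"",
                 dns: Optional[List[str]] = None) -> bytes:
    """Build a minimal DHCPv6 message; used only to construct the sample capture."""
    body = bytes([msg_type]) + xid.to_bytes(3, "big")
    if duid:
        body += struct.pack("!HH", OPT_SERVERID, len(duid)) + duid
    if dns:
        data = b"".join(ipaddress.IPv6Address(a).packed for a in dns)
        body += struct.pack("!HH", OPT_DNS_SERVERS, len(data)) + data
    return body

# Constructed sample capture (not real traffic): one client SOLICIT answered by
# two ADVERTISEs from different servers; only the second offers 2001:db8:ffff::1.
DUID_A = bytes.fromhex("0001000123456789001122334455")
DUID_B = bytes.fromhex("0003000166778899aabb")
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:55", "fe80::211:22ff:fe33:4455", build_dhcpv6(1, 0xABCDEF)),
    Frame("00:aa:bb:cc:dd:01", "fe80::2aa:bbff:fecc:dd01",
          build_dhcpv6(2, 0xABCDEF, DUID_A, ["2001:db8::53"])),
    Frame("00:aa:bb:cc:dd:02", "fe80::2aa:bbff:fecc:dd02",
          build_dhcpv6(2, 0xABCDEF, DUID_B, ["2001:db8::53", "2001:db8:ffff::1"])),
]

if __name__ == "__main__":
    for mac, ip6, duid in servers_offering(SAMPLE_FRAMES, "2001:db8:ffff::1"):
        print("offered by %s (%s, DUID %s)" % (mac, ip6, duid))
```

The parser refuses messages whose option length runs past the end of the packet rather than silently reading a short option, so a malformed or truncated frame shows up as an error instead of a missing DNS entry. One caveat worth keeping in mind while capturing: IPv6 clients can also learn DNS servers from the RDNSS option in ICMPv6 Router Advertisements (RFC 8106), so if no DHCPv6 server is offering the address in question, look at the RAs on the segment as well.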