Hi Oleg,
First I would put the sniifer on the DHCP server and not do any filtering but capture all the
packets that are coming in. This will let you see more of what is taking place.
DHCP Service uses UDP Port 67 and UDP Port 2535.
But my recommendation is to use the sniifer to capture all the traffic for a period of time.
Also, if you post a sample of what you are seeing, it may give us all a clue as to what is taking
place.
Thanks,
Gary
--------------------
'--'Content-Class: urn:content-classes:message
'--'From: "Oleg" <
[email protected]>
'--'Sender: "Oleg" <
[email protected]>
'--'Subject: Leases on DHCP with strange MAC
'--'Date: Sat, 21 Feb 2004 00:51:29 -0800
'--'Lines: 12
'--'Message-ID: <
[email protected]>
'--'MIME-Version: 1.0
'--'Content-Type: text/plain;
'--' charset="iso-8859-1"
'--'Content-Transfer-Encoding: 7bit
'--'X-Newsreader: Microsoft CDO for Windows 2000
'--'X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4910.0300
'--'Thread-Index: AcP4V+WFSXe/K8pxT9WtHK4R5VOn4w==
'--'Newsgroups: microsoft.public.win2000.networking
'--'Path: cpmsftngxa07.phx.gbl
'--'Xref: cpmsftngxa07.phx.gbl microsoft.public.win2000.networking:55518
'--'NNTP-Posting-Host: tk2msftngxa14.phx.gbl 10.40.1.166
'--'X-Tomcat-NG: microsoft.public.win2000.networking
'--'
'--'Hello,
'--'
'--'Strange leases started to appear on my DHCP server (W2K
'--'DC). The name of PC consists of letters and digits and it
'--'has different domain than DHCP server is in. DHCP log
'--'shows strange MAC address which is more that 20 symbols.
'--'I'd like to "sniff" all attempts to get the leases from
'--'DHCP server. Which ports and protocols use DHCP server? Or
'--'may be you know other way to resolve this issue?
'--'
'--'Thank you in advance,
'--'Oleg
'--'
